NexusMiner now supports TLS/HTTPS encrypted connections for secure remote mining. This feature ensures that all communication with the LLL-TAO Node is encrypted and authenticated when mining over untrusted networks (e.g., the Internet).
NEW: Mutual TLS (mTLS) authentication is now supported! See mutual_tls_authentication.md for client certificate configuration.
TLS/HTTPS is automatically enabled for remote (non-localhost) connections when configured. For localhost connections, TLS is optional since the communication stays within the local machine.
Auto-Detection Logic:
- Localhost (127.0.0.1, ::1, localhost): TLS optional (disabled by default)
- Remote connections: TLS recommended (can be forced with
enable_tls: true)
The TLS implementation enforces modern security standards:
Protocol Versions:
- TLS 1.2 (minimum)
- TLS 1.3 (preferred)
- SSL v2/v3, TLS 1.0, TLS 1.1 disabled
Cipher Suites (in priority order):
TLS 1.3:
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
TLS 1.2:
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
All cipher suites provide:
- Forward secrecy (ECDHE key exchange)
- Strong encryption (ChaCha20-Poly1305, AES-GCM)
- Authentication (ECDSA or RSA signatures)
Client Mode (Miner):
- Peer certificate verification enabled by default
- Uses system CA certificate bundle by default
- Optional custom CA certificate path
- Server Name Indication (SNI) support
- Hostname verification
Server Mode (Pool):
- Certificate and private key configuration
- Optional password-protected private keys
- Full TLS 1.2/1.3 support
{
"enable_tls": false, // Enable TLS/HTTPS (auto for remote)
"tls_ca_cert_path": "", // CA bundle path (empty = system default)
"tls_verify_peer": true, // Verify server certificate
"tls_server_name": "" // Server name for SNI (empty = wallet_ip)
}| Field | Type | Default | Description |
|---|---|---|---|
enable_tls |
boolean | false | Force enable TLS (auto-enabled for remote) |
tls_ca_cert_path |
string | "" | Path to CA certificate bundle (empty = use system default) |
tls_verify_peer |
boolean | true | Verify server certificate (always recommended) |
tls_server_name |
string | "" | Server name for SNI and verification (empty = use wallet_ip) |
{
"wallet_ip": "127.0.0.1",
"port": 8323,
"enable_tls": false
}Characteristics:
- No TLS overhead
- Fastest performance
- Secure within local machine
- Recommended for solo mining on same machine
{
"wallet_ip": "mining.pool.com",
"port": 8323,
"enable_tls": true,
"tls_verify_peer": true
}Characteristics:
- TLS 1.2/1.3 encryption
- Uses system CA certificates
- Full certificate validation
- Recommended for public pools with valid certificates
{
"wallet_ip": "private-pool.internal",
"port": 8323,
"enable_tls": true,
"tls_ca_cert_path": "/path/to/ca-bundle.crt",
"tls_verify_peer": true,
"tls_server_name": "private-pool.internal"
}Characteristics:
- Custom CA for private/self-signed certificates
- Full certificate validation
- SNI with custom server name
- Recommended for private pools or internal networks
{
"wallet_ip": "test-node.local",
"port": 8323,
"enable_tls": true,
"tls_verify_peer": false
}Characteristics:
- TLS encryption without verification
- Vulnerable to man-in-the-middle attacks
- NOT recommended for production use
- Use only for testing with self-signed certificates
Always Verify Peer Certificates:
- Set
tls_verify_peer: true(default) - Ensures you're connecting to the intended server
- Prevents man-in-the-middle attacks
Use System CA Bundle:
- Leave
tls_ca_cert_pathempty for public pools - System CA bundles are regularly updated
- Automatically validates certificates from trusted CAs
Custom CA Certificates:
- Use for private pools or self-signed certificates
- Keep CA certificates secure and updated
- Validate certificate chain before deployment
The default cipher suite list prioritizes:
- Forward Secrecy: ECDHE key exchange
- Modern Encryption: ChaCha20-Poly1305, AES-GCM
- No Weak Ciphers: RC4, DES, MD5 excluded
SNI is used for:
- Virtual hosting support
- Hostname verification
- Certificate selection (server-side)
Default Behavior:
tls_server_namedefaults towallet_ip- Override for IP-based connections to domain-named servers
Handshake (once per connection):
- ~10-50ms additional latency
- CPU overhead for key exchange
- Amortized over long-lived connections
Data Transfer (per packet):
- ~5-10% throughput reduction
- Minimal CPU overhead (AES-NI, ChaCha20 optimized)
- Negligible impact on mining performance
Recommendations:
- Use TLS 1.3 for improved performance (faster handshake)
- Long-lived connections minimize handshake overhead
- Hardware acceleration (AES-NI) reduces encryption cost
Symptom: "Certificate verification failed" or "Unknown CA"
Solutions:
- Ensure server certificate is valid and not expired
- Verify CA certificate bundle is up-to-date
- Check
tls_server_namematches certificate CN/SAN - Use custom CA path for self-signed certificates
Symptom: Connection times out or fails to establish
Solutions:
- Verify TLS is enabled on server/pool
- Check firewall allows TLS port (typically 8323)
- Ensure server supports TLS 1.2/1.3
- Review server logs for TLS errors
Symptom: "No shared cipher" or "Cipher mismatch"
Solutions:
- Ensure server supports modern cipher suites
- Update OpenSSL to latest version
- Check server cipher configuration
- Verify TLS 1.2/1.3 support on both sides
Symptom: "Hostname verification failed"
Solutions:
- Set
tls_server_nameto match certificate CN/SAN - Use IP address in certificate if connecting by IP
- Ensure DNS resolution is correct
- Check certificate Subject Alternative Names (SAN)
TLS and ChaCha20 Falcon key wrapping work together:
TLS Layer:
- Encrypts all network traffic
- Protects entire connection
- Uses ChaCha20-Poly1305 cipher (when available)
ChaCha20 Wrapper:
- Encrypts Falcon Public Keys
- Additional layer of protection
- Application-level encryption
Combined Security:
- Defense in depth approach
- Double encryption of Falcon keys
- Maximum security for remote mining
Automatic security optimization based on connection type:
Localhost (127.0.0.1, ::1):
- TLS disabled by default
- ChaCha20 wrapping optional
- Maximum performance
Remote (any other IP):
- TLS auto-enabled (recommended)
- ChaCha20 wrapping auto-enabled
- Maximum security
Localhost Mining:
{
"wallet_ip": "127.0.0.1",
"enable_tls": false
}Note: ChaCha20 encryption is always active (core security) — no configuration needed.
Remote Mining:
{
"wallet_ip": "my-node.example.com",
"enable_tls": true,
"tls_verify_peer": true
}Note: ChaCha20 encryption is always active (core security) — no configuration needed.
Public Pool with Valid Certificate:
{
"wallet_ip": "pool.nexus.io",
"enable_tls": true,
"tls_verify_peer": true
}Private Pool with Self-Signed Certificate:
{
"wallet_ip": "private-pool.local",
"enable_tls": true,
"tls_ca_cert_path": "/etc/nexus/pool-ca.crt",
"tls_verify_peer": true,
"tls_server_name": "private-pool.local"
}-
Obtain Certificates:
- Use Let's Encrypt for public pools (free, automated)
- Generate self-signed for private/testing
- Purchase from CA for commercial pools
-
Certificate Renewal:
- Automate renewal (Let's Encrypt)
- Monitor expiration dates
- Update miner configuration if paths change
-
CA Bundle Updates:
- Keep system CA bundle updated
- Use
apt-get update && apt-get upgrade ca-certificates(Debian/Ubuntu) - Review custom CA certificates periodically
Library: ASIO SSL (Boost.Asio SSL wrapper) Backend: OpenSSL 1.1.1+ or 3.0+ Async I/O: Non-blocking operations Thread Safety: Context-level thread safety
The cipher suite list is optimized for:
- Security: No weak or deprecated ciphers
- Performance: Hardware-accelerated algorithms
- Compatibility: Works with most modern servers
- Client sends ClientHello with supported versions/ciphers
- Server selects best version and cipher
- TLS 1.3 preferred (if both support)
- Fallback to TLS 1.2 if needed
- Connection fails if no common version/cipher
Planned improvements:
Client Certificates: Mutual TLS authentication✅ IMPLEMENTED - See mutual_tls_authentication.md- Certificate Pinning: Pin specific certificates for enhanced security
- OCSP Stapling: Real-time certificate revocation checking
- Session Resumption: Faster reconnections with session tickets
- Performance Monitoring: TLS handshake and throughput metrics
For the highest level of security, NexusMiner now supports mutual TLS (mTLS) where both client and server authenticate each other using certificates.
Quick Configuration:
{
"enable_tls": true,
"tls_client_cert_path": "/path/to/client-cert.pem",
"tls_client_key_path": "/path/to/client-key.pem",
"tls_client_key_password": "optional_password"
}See mutual_tls_authentication.md for:
- Certificate generation and installation
- Server-side configuration
- Security best practices
- Troubleshooting guide
- TLS 1.3: RFC 8446
- TLS 1.2: RFC 5246
- ChaCha20-Poly1305: RFC 8439
- OpenSSL Documentation: https://www.openssl.org/docs/
- ASIO SSL: https://think-async.com/Asio/
Version: 1.0
Last Updated: 2025-12-06
Compatibility: NexusMiner 1.5+, OpenSSL 1.1.1+/3.0+