From 088e8eecd0a9f6a5357a80410238ff4492263991 Mon Sep 17 00:00:00 2001
From: Andreas Motl
Date: Mon, 21 Nov 2022 19:08:57 +0100
Subject: [PATCH] Tests: Stop using deprecated `ssl.wrap_socket`

Use `context.wrap_socket` instead. On this context, use a minimum version to restrict to secure TLS protocol variants only. This was reported as a check failure by CodeQL code scanning with id `py/insecure-default-protocol`. https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.qhelp
---
 src/crate/client/tests.py | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/crate/client/tests.py b/src/crate/client/tests.py
index 9abe18816..4f9aab931 100644
--- a/src/crate/client/tests.py
+++ b/src/crate/client/tests.py
@@ -222,13 +222,24 @@ class HttpsTestServerLayer:
 
     class HttpsServer(HTTPServer):
         def get_request(self):
+
+            # Prepare SSL context.
+            context = ssl._create_unverified_context(
+                protocol=ssl.PROTOCOL_TLS_SERVER,
+                cert_reqs=ssl.CERT_OPTIONAL,
+                check_hostname=False,
+                purpose=ssl.Purpose.CLIENT_AUTH,
+                certfile=HttpsTestServerLayer.CERT_FILE,
+                keyfile=HttpsTestServerLayer.CERT_FILE,
+                cafile=HttpsTestServerLayer.CACERT_FILE)
+
+            # Set minimum protocol version, TLSv1 and TLSv1.1 are unsafe.
+            context.minimum_version = ssl.TLSVersion.TLSv1_2
+
+            # Wrap TLS encryption around socket.
             socket, client_address = HTTPServer.get_request(self)
-            socket = ssl.wrap_socket(socket,
-                                     keyfile=HttpsTestServerLayer.CERT_FILE,
-                                     certfile=HttpsTestServerLayer.CERT_FILE,
-                                     cert_reqs=ssl.CERT_OPTIONAL,
-                                     ca_certs=HttpsTestServerLayer.CACERT_FILE,
-                                     server_side=True)
+            socket = context.wrap_socket(socket, server_side=True)
+
             return socket, client_address
 
     class HttpsHandler(BaseHTTPRequestHandler):
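Review bot: `ssl._create_unverified_context` is a private, underscore-prefixed helper, so the new `get_request` now depends on an internal signature that CPython may change without notice, and the name reads as "verification disabled" even though this server context does verify any client certificate that is presented (`CERT_OPTIONAL` plus the CA file). The same context can be built from the public API — `SSLContext(PROTOCOL_TLS_SERVER)`, `verify_mode`, `load_cert_chain`, `load_verify_locations` — keeping the `minimum_version` the commit adds; `check_hostname=False` and `purpose=CLIENT_AUTH` can be dropped, since hostname checking does not apply to a server-side context and, as far as I can tell, `purpose` only matters when no `cafile` is given. The context is also rebuilt, with both PEM files re-read, on every accepted connection; building it once in the server's `__init__` and reusing it here would avoid that, though for a test server this is optional. `get_request` lies entirely within the hunk; the enclosing `HttpsTestServerLayer` class starts before it.
```python
        def get_request(self):
            # Server-side TLS context from the public ssl API; the test
            # certificate file doubles as its own key file.
            context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            context.minimum_version = ssl.TLSVersion.TLSv1_2  # TLSv1/TLSv1.1 are unsafe
            context.verify_mode = ssl.CERT_OPTIONAL
            context.load_cert_chain(certfile=HttpsTestServerLayer.CERT_FILE,
                                    keyfile=HttpsTestServerLayer.CERT_FILE)
            context.load_verify_locations(cafile=HttpsTestServerLayer.CACERT_FILE)
            # … unchanged: accept the connection, context.wrap_socket, return …
```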