Tests: Stop using deprecated ssl.wrap_socket

Use `context.wrap_socket` instead. On this context, use a minimum version to restrict to secure TLS protocol variants only. This was reported as a check failure by CodeQL code scanning with id `py/insecure-default-protocol`. https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.qhelp
crate · Nov 21, 2022 · 1dd3dd2 · 1dd3dd2
1 parent 69f071c
commit 1dd3dd2
Showing 1 changed file with 17 additions and 6 deletions.
diff --git a/src/crate/client/tests.py b/src/crate/client/tests.py
@@ -222,13 +222,24 @@ class HttpsTestServerLayer:
 
     class HttpsServer(HTTPServer):
         def get_request(self):
+
+            # Prepare SSL context.
+            context = ssl._create_unverified_context(
+                protocol=ssl.PROTOCOL_TLS_SERVER,
+                cert_reqs=ssl.CERT_OPTIONAL,
+                check_hostname=False,
+                purpose=ssl.Purpose.CLIENT_AUTH,
+                certfile=HttpsTestServerLayer.CERT_FILE,
+                keyfile=HttpsTestServerLayer.CERT_FILE,
+                cafile=HttpsTestServerLayer.CACERT_FILE)
+
+            # Set minimum protocol version, TLSv1 and TLSv1.1 are unsafe.
+            context.minimum_version = ssl.TLSVersion.TLSv1_2
+
+            # Wrap TLS encryption around socket.
             socket, client_address = HTTPServer.get_request(self)
-            socket = ssl.wrap_socket(socket,
-                                     keyfile=HttpsTestServerLayer.CERT_FILE,
-                                     certfile=HttpsTestServerLayer.CERT_FILE,
-                                     cert_reqs=ssl.CERT_OPTIONAL,
-                                     ca_certs=HttpsTestServerLayer.CACERT_FILE,
-                                     server_side=True)
+            socket = context.wrap_socket(socket, server_side=True)
+
             return socket, client_address
 
     class HttpsHandler(BaseHTTPRequestHandler):