comparison scripts/oauth-get-token.py @ 7110:0597120e0a74
Try to clear SSL bogus security alert in CI
See:
https://github.com/roundup-tracker/roundup/security/code-scanning/107
The server is bound to localhost using a self signed cert on debian.
Since this connection is not exposed to the internet, the risk of
unauthorized disclosure is very low.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 08 Dec 2022 09:50:16 -0500 |
| parents | b26207712c2b |
| children | a7853002495c |
| 7109:561c66232347 | 7110:0597120e0a74 |
|---|---|
| 147 | 147 |
| 148 port = self.args.https_server_port | 148 port = self.args.https_server_port |
| 149 httpd = HTTPServer (('localhost', port), RQ_Handler) | 149 httpd = HTTPServer (('localhost', port), RQ_Handler) |
| 150 | 150 |
| 151 if self.use_tls: | 151 if self.use_tls: |
| 152 context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) | 152 # note this opens a server on localhost. Only |
| 153 # a process on the same host can get the credentials. | |
| 154 # Even unencrypted (http://) url is fine as the credentials | |
| 155 # will be saved in clear text on disk for use. So a | |
| 156 # compromised local host will still get the credentials. | |
| 157 context = ssl.SSLContext(ssl_version=ssl.PROTOCOL_TLS_SERVER) | |
| 158 | |
| 159 # This should not be needed. Uses Python 3.10+ setting. | |
| 160 # context.maximum_version = ssl.TLSVersion.TLSv1_2 | |
| 161 # for previous versions maybe: | |
| 162 # ssl.PROTOCOL_TLSv1_2 | |
| 163 # would work? | |
| 164 | |
| 153 context.load_cert_chain \ | 165 context.load_cert_chain \ |
| 154 ( keyfile = self.args.keyfile | 166 ( keyfile = self.args.keyfile |
| 155 , certfile = self.args.certfile | 167 , certfile = self.args.certfile |
| 156 ) | 168 ) |
| 157 httpd.socket = context.wrap_socket \ | 169 httpd.socket = context.wrap_socket \ |
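Review bot: the keyword in new line 157, `ssl.SSLContext(ssl_version=ssl.PROTOCOL_TLS_SERVER)`, is wrong: `ssl_version` is the parameter name of `ssl.wrap_socket()`, while the `SSLContext` constructor's parameter is `protocol`. Because `SSLContext.__new__` is declared with `*args, **kwargs` and ignores extras, this will not raise; it silently builds a context with the default `PROTOCOL_TLS` (with a DeprecationWarning on Python 3.10+), so the server-only protocol the old line 152 selected is actually lost and the scanner alert is unlikely to go away. Keep the original positional form, or write `ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_SERVER)`. On the commented block at new lines 159-163: `context.maximum_version` sets a ceiling, not a floor; if the goal is to exclude old TLS versions, the setting is `context.minimum_version = ssl.TLSVersion.TLSv1_2`, which exists since Python 3.7, so a fallback to `ssl.PROTOCOL_TLSv1_2` (deprecated) is not needed.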
