comparison roundup/scripts/roundup_server.py @ 6420:5d6b6e948e17
Upgrade SSL params for roundup-server
Params were still using md5, a key size of 768 and allowed SSL 2 and 3.
Now using sha512, key size of 2048 and TLS 1.1 or newer.
This still doesn't fix the use of SSL in roundup-server. It has
problems under both 2.7 and 3.x. Tickets in tracker opened for both,
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 23 May 2021 17:41:23 -0400 |
| parents | ff6580ee3882 |
| children | 1f2f7c0b8968 |
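--- a/roundup/scripts/roundup_server.py
+++ b/roundup/scripts/roundup_server.py
@@ -107,22 +107,22 @@
 
 def auto_ssl():
     print(_('WARNING: generating temporary SSL certificate'))
     import OpenSSL, random
     pkey = OpenSSL.crypto.PKey()
-    pkey.generate_key(OpenSSL.crypto.TYPE_RSA, 768)
+    pkey.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
     cert = OpenSSL.crypto.X509()
     cert.set_serial_number(random.randint(0, sys.maxsize))
     cert.gmtime_adj_notBefore(0)
     cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) # one year
     cert.get_subject().CN = '*'
     cert.get_subject().O = 'Roundup Dummy Certificate'
     cert.get_issuer().CN = 'Roundup Dummy Certificate Authority'
     cert.get_issuer().O = 'Self-Signed'
     cert.set_pubkey(pkey)
-    cert.sign(pkey, 'md5')
-    ctx = SSL.Context(SSL.SSLv23_METHOD)
+    cert.sign(pkey, 'sha512')
+    ctx = SSL.Context(OpenSSL.SSL.TLSv1_1_METHOD)
     ctx.use_privatekey(pkey)
     ctx.use_certificate(cert)
 
     return ctx
 
@@ -131,11 +131,11 @@
     def __init__(self, server_address, HandlerClass, ssl_pem=None):
         assert SSL, "pyopenssl not installed"
         http_.server.HTTPServer.__init__(self, server_address, HandlerClass)
         self.socket = socket.socket(self.address_family, self.socket_type)
         if ssl_pem:
-            ctx = SSL.Context(SSL.SSLv23_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_1_METHOD)
             ctx.use_privatekey_file(ssl_pem)
             ctx.use_certificate_file(ssl_pem)
         else:
             ctx = auto_ssl()
         self.ssl_context = ctx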
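Review bot: `SSL.Context(OpenSSL.SSL.TLSv1_1_METHOD)` at new line 123, and `SSL.Context(SSL.TLSv1_1_METHOD)` at new line 136, do not give "TLS 1.1 or newer" as the description states: as far as I know OpenSSL's version-specific TLSv1_1 method negotiates exactly TLS 1.1, so TLS 1.2 is never offered and clients that have already disabled 1.1 will fail the handshake. The flexible method the old code used is the right base, with the protocol floor expressed as context options: `ctx = SSL.Context(SSL.SSLv23_METHOD)` followed by `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1)`, adding `SSL.OP_NO_TLSv1_1` if TLS 1.2 is an acceptable floor. Line 123 also spells the module as `OpenSSL.SSL` while line 136 and the `assert SSL` at line 132 use the already-bound `SSL`; a single spelling would make the two call sites easier to keep in step. The `__init__` at line 131 belongs to a class whose header lies outside the hunk.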
