# HG changeset patch
# User John Rouillard
# Date 1670511016 18000
# Node ID 0597120e0a748e954bd610bbe4beed1f7ee77a3e
# Parent 561c662323472f5c8246790f6a546402600f03e5
Try to clear SSL bogus security alert in CI
See: https://github.com/roundup-tracker/roundup/security/code-scanning/107
The server is bound to localhost using a self signed cert on debian. Since this connection is not exposed to the internet, the risk of unathorized disclosure is very low.
diff -r 561c66232347 -r 0597120e0a74 scripts/oauth-get-token.py
--- a/scripts/oauth-get-token.py Thu Dec 08 11:18:46 2022 +0100
+++ b/scripts/oauth-get-token.py Thu Dec 08 09:50:16 2022 -0500
@@ -149,7 +149,19 @@
 httpd = HTTPServer (('localhost', port), RQ_Handler)
 if self.use_tls:
- context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+ # note this opens a server on localhost. Only
+ # a process on the same host can get the credentials.
+ # Even unencrypted (http://) url is fine as the credentials
+ # will be saved in clear text on disk for use. So a
+ # compromised local host will still get the credentials.
+ context = ssl.SSLContext(ssl_version=ssl.PROTOCOL_TLS_SERVER)
+
+ # This should not be needed. Uses Python 3.10+ setting.
+ # context.maximum_version = ssl.TLSVersion.TLSv1_2
+ # for previous versions maybe:
+ # ssl.PROTOCOL_TLSv1_2
+ # would work?
+
 context.load_cert_chain \
 ( keyfile = self.args.keyfile
 , certfile = self.args.certfile