changeset 7110:0597120e0a74
Try to clear SSL bogus security alert in CI
See:
https://github.com/roundup-tracker/roundup/security/code-scanning/107
The server is bound to localhost using a self-signed cert on debian.
Since this connection is not exposed to the internet, the risk of
unauthorized disclosure is very low.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 08 Dec 2022 09:50:16 -0500 |
| parents | 561c66232347 |
| children | a7853002495c |
| files | scripts/oauth-get-token.py |
| diffstat | 1 files changed, 13 insertions(+), 1 deletions(-) |
--- a/scripts/oauth-get-token.py Thu Dec 08 11:18:46 2022 +0100 +++ b/scripts/oauth-get-token.py Thu Dec 08 09:50:16 2022 -0500 @@ -149,7 +149,19 @@ httpd = HTTPServer (('localhost', port), RQ_Handler) if self.use_tls: - context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) + # note this opens a server on localhost. Only + # a process on the same host can get the credentials. + # Even unencrypted (http://) url is fine as the credentials + # will be saved in clear text on disk for use. So a + # compromised local host will still get the credentials. + context = ssl.SSLContext(ssl_version=ssl.PROTOCOL_TLS_SERVER) + + # This should not be needed. Uses Python 3.10+ setting. + # context.maximum_version = ssl.TLSVersion.TLSv1_2 + # for previous versions maybe: + # ssl.PROTOCOL_TLSv1_2 + # would work? + context.load_cert_chain \ ( keyfile = self.args.keyfile , certfile = self.args.certfile
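Review bot: the keyword in the added line `context = ssl.SSLContext(ssl_version=ssl.PROTOCOL_TLS_SERVER)` is wrong and silently changes behaviour: `ssl.SSLContext` takes its protocol as `protocol` (positional or keyword), while `ssl_version` is the parameter name of `ssl.wrap_socket`; because `SSLContext.__new__` accepts and discards unknown keyword arguments, this call falls back to the default `PROTOCOL_TLS` (client-or-server, deprecated in 3.10+) instead of the `PROTOCOL_TLS_SERVER` the removed line used. Keep the original positional form or write `ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_SERVER)`. The commented-out fallback `context.maximum_version = ssl.TLSVersion.TLSv1_2` also names the wrong attribute for a TLS-version alert: capping the maximum forbids TLS 1.3, whereas raising the floor is `context.minimum_version = ssl.TLSVersion.TLSv1_2`, which exists since Python 3.7, not only 3.10, so the `ssl.PROTOCOL_TLSv1_2` fallback mentioned in the comment is unnecessary. The explanatory comment about localhost-only exposure is useful; consider referencing code-scanning alert 107 there so the rationale stays tied to the finding it answers.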
