Mercurial > p > roundup > code
changeset 6420:5d6b6e948e17
Upgrade SSL params for roundup-server
Params were still using md5, a key size of 768 and allowed SSL 2 and 3.
Now using sha512, key size of 2048 and TLS 1.1 or newer.
This still doesn't fix the use of SSL in roundup-server. It has
problems under both 2.7 and 3.x. Tickets in tracker opened for both,
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 23 May 2021 17:41:23 -0400 |
| parents | 4d321d52d67d |
| children | 9c57f2814597 |
| files | CHANGES.txt roundup/scripts/roundup_server.py |
| diffstat | 2 files changed, 10 insertions(+), 4 deletions(-) [+] |
line wrap: on
line diff
--- a/CHANGES.txt Sun May 23 13:52:09 2021 -0400 +++ b/CHANGES.txt Sun May 23 17:41:23 2021 -0400 @@ -110,6 +110,12 @@ is used in some template to provide a select box of timezones. It uses cgi.escape that is depricated and removed from 3.8 and newer. Use html.escape with fallback to cgi.escape. (Cedric Krier) +- roundup-server can act as an SSL server. Usually SSL is provided by + a front-end server like nginx, hiawtha, apache. The SSL parameters + have been upgraded to TLS 1.1. Cert is RSA 2048 bytes with SHA512 + signature. Without these upgrades, ssl mode won't start. Note this + exposes other issue with roundup-server operating as an SSL + endpoint. See issue2551138 and issue2551137. Features: - issue2550522 - Add 'filter' command to command-line
--- a/roundup/scripts/roundup_server.py Sun May 23 13:52:09 2021 -0400 +++ b/roundup/scripts/roundup_server.py Sun May 23 17:41:23 2021 -0400 @@ -109,7 +109,7 @@ print(_('WARNING: generating temporary SSL certificate')) import OpenSSL, random pkey = OpenSSL.crypto.PKey() - pkey.generate_key(OpenSSL.crypto.TYPE_RSA, 768) + pkey.generate_key(OpenSSL.crypto.TYPE_RSA, 2048) cert = OpenSSL.crypto.X509() cert.set_serial_number(random.randint(0, sys.maxsize)) cert.gmtime_adj_notBefore(0) @@ -119,8 +119,8 @@ cert.get_issuer().CN = 'Roundup Dummy Certificate Authority' cert.get_issuer().O = 'Self-Signed' cert.set_pubkey(pkey) - cert.sign(pkey, 'md5') - ctx = SSL.Context(SSL.SSLv23_METHOD) + cert.sign(pkey, 'sha512') + ctx = SSL.Context(OpenSSL.SSL.TLSv1_1_METHOD) ctx.use_privatekey(pkey) ctx.use_certificate(cert) @@ -133,7 +133,7 @@ http_.server.HTTPServer.__init__(self, server_address, HandlerClass) self.socket = socket.socket(self.address_family, self.socket_type) if ssl_pem: - ctx = SSL.Context(SSL.SSLv23_METHOD) + ctx = SSL.Context(SSL.TLSv1_1_METHOD) ctx.use_privatekey_file(ssl_pem) ctx.use_certificate_file(ssl_pem) else: