From a2104262e55eda8471d7c435c486365c4a8ecd97 Mon Sep 17 00:00:00 2001
From: mhorky
Date: Fri, 19 Jan 2024 13:51:38 +0100
Subject: [PATCH] CCT-266: Update TLS flags
* Card ID: CCT-266
- The flag PROTOCOL_SSLv23 is an alias to PROTOCOL_TLS since Python 3.6.
- The flag PROTOCOL_TLS is deprecated since Python 3.10.
- The flag PROTOCOL_TLS_CLIENT has been introduced in Python 3.6 and should be used for client-side contexts. This patch uses PROTOCOL_TLS_CLIENT instead of PROTOCOL_SSLv23.
- There is no need to use OP_NO_SSLv2 and OP_NO_SSLv3 flags explicitly now; SSLContext disables these by default.
- The flag PROTOCOL_TLS_CLIENT enables the check_hostname by default. For insecure contexts we need to disable this flag explicitly.
---
src/rhsm/connection.py | 20 ++++++--------------
test/rhsm/unit/test_connection.py | 2 +-
2 files changed, 7 insertions(+), 15 deletions(-)
diff --git a/src/rhsm/connection.py b/src/rhsm/connection.py
index 82cf04ea2a..ee02ec279d 100644
--- a/src/rhsm/connection.py
+++ b/src/rhsm/connection.py
@@ -758,20 +758,12 @@ def _create_connection(self, cert_file: str = None, key_file: str = None) -> htt
 log.debug("Creating new connection")
- # See https://www.openssl.org/docs/ssl/SSL_CTX_new.html
- # This ends up invoking SSLv23_method, which is the catch all
- # "be compatible" protocol, even though it explicitly is not
- # using sslv2. This will by default potentially include sslv3
- # if not used with post-poodle openssl. If however, the server
- # intends to not offer sslv3, it's workable.
- #
- # So this supports tls1.2, 1.1, 1.0, and/or sslv3 if supported.
- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-
- # Disable SSLv2 and SSLv3 support to avoid poodles.
- context.options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
-
- if self.insecure: # allow clients to work insecure mode if required..
+ # Select the highest TLS version supported by both the client and the server.
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+
+ if self.insecure:
+ # Allow clients to connect to servers with missing or invalid certificates.
+ context.check_hostname = False
 context.verify_mode = ssl.CERT_NONE
 else:
 context.verify_mode = ssl.CERT_REQUIRED
diff --git a/test/rhsm/unit/test_connection.py b/test/rhsm/unit/test_connection.py
index e6d0212b8f..69d649ab69 100644
--- a/test/rhsm/unit/test_connection.py
+++ b/test/rhsm/unit/test_connection.py
@@ -593,7 +593,7 @@ def test_bad_ca_cert(self):
 restlib = BaseRestLib("somehost", "123", "somehandler")
 restlib.ca_dir = self.temp_ent_dir.name
 with self.assertRaises(BadCertificateException):
- restlib._load_ca_certificates(ssl.SSLContext(ssl.PROTOCOL_SSLv23))
+ restlib._load_ca_certificates(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
 def test_hypervisor_check_in_capability_and_reporter(self):
 self.cp.conn = Mock()
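Review bot: The two assignments in the new `if self.insecure:` branch are order-dependent and nothing in the hunk says so: CPython raises ValueError when `verify_mode` is set to `CERT_NONE` while `check_hostname` is still True, which is exactly the default `PROTOCOL_TLS_CLIENT` leaves in place, so a later reordering of those two lines would break insecure mode at runtime. Suggest recording that on the added comment line, e.g. `# check_hostname must be cleared before verify_mode: CERT_NONE with check_hostname=True raises ValueError.` The `else:` assignment of `CERT_REQUIRED` is now a no-op because `PROTOCOL_TLS_CLIENT` already defaults to it, which is fine to keep as an explicit statement of intent. If the project wants a protocol floor independent of the system crypto policy, `context.minimum_version = ssl.TLSVersion.TLSv1_2` (Python 3.7+) would be the place; as written, the accepted TLS versions are left to the OpenSSL defaults, which the new one-line comment does not make clear. `_create_connection` continues past the end of the hunk, and the test hunk only swaps the constant, so no test pins `check_hostname` to False for the insecure path.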