

Merge pull request #3374 from candlepin/mhorky/tls
CCT-266: Update TLS flags
jirihnidek authored Jan 19, 2024
2 parents ee4af83 + a210426 commit b593913
Showing 2 changed files with 7 additions and 15 deletions.
20 changes: 6 additions & 14 deletions src/rhsm/connection.py
Expand Up @@ -758,20 +758,12 @@ def _create_connection(self, cert_file: str = None, key_file: str = None) -> htt

log.debug("Creating new connection")

# See https://www.openssl.org/docs/ssl/SSL_CTX_new.html
# This ends up invoking SSLv23_method, which is the catch all
# "be compatible" protocol, even though it explicitly is not
# using sslv2. This will by default potentially include sslv3
# if not used with post-poodle openssl. If however, the server
# intends to not offer sslv3, it's workable.
#
# So this supports tls1.2, 1.1, 1.0, and/or sslv3 if supported.
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

# Disable SSLv2 and SSLv3 support to avoid poodles.
context.options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3

if self.insecure: # allow clients to work insecure mode if required..
# Select the highest TLS version supported by both the client and the server.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

if self.insecure:
# Allow clients to connect to servers with missing or invalid certificates.
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
else:
context.verify_mode = ssl.CERT_REQUIRED
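Review bot: The new `context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` line leaves the minimum protocol version to the interpreter and OpenSSL defaults, so on Python builds older than 3.10 (where the stdlib raised the default floor to TLS 1.2) the "Select the highest TLS version" comment still admits TLS 1.0 and 1.1 negotiation. Pinning the floor explicitly right after the constructor, `context.minimum_version = ssl.TLSVersion.TLSv1_2`, makes the policy independent of the runtime and records it in code. The order in the insecure branch — `check_hostname = False` before `verify_mode = ssl.CERT_NONE` — is required, since clearing verification while hostname checking is still enabled raises ValueError; a one-line comment such as `# check_hostname must be cleared before verify_mode can be CERT_NONE` would keep the next editor from reordering it. The `else` branch assigning `CERT_REQUIRED` restates the PROTOCOL_TLS_CLIENT default, so it is harmless but could be dropped or commented as intentional. `_create_connection` continues past the end of the hunk.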
2 changes: 1 addition & 1 deletion test/rhsm/unit/test_connection.py
Expand Up @@ -593,7 +593,7 @@ def test_bad_ca_cert(self):
restlib = BaseRestLib("somehost", "123", "somehandler")
restlib.ca_dir = self.temp_ent_dir.name
with self.assertRaises(BadCertificateException):
restlib._load_ca_certificates(ssl.SSLContext(ssl.PROTOCOL_SSLv23))
restlib._load_ca_certificates(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))

def test_hypervisor_check_in_capability_and_reporter(self):
self.cp.conn = Mock()
