diff --git a/src/rhsm/connection.py b/src/rhsm/connection.py index 82cf04ea2a..ee02ec279d 100644 --- a/src/rhsm/connection.py +++ b/src/rhsm/connection.py @@ -758,20 +758,12 @@ def _create_connection(self, cert_file: str = None, key_file: str = None) -> htt log.debug("Creating new connection") - # See https://www.openssl.org/docs/ssl/SSL_CTX_new.html - # This ends up invoking SSLv23_method, which is the catch all - # "be compatible" protocol, even though it explicitly is not - # using sslv2. This will by default potentially include sslv3 - # if not used with post-poodle openssl. If however, the server - # intends to not offer sslv3, it's workable. - # - # So this supports tls1.2, 1.1, 1.0, and/or sslv3 if supported. - context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) - - # Disable SSLv2 and SSLv3 support to avoid poodles. - context.options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 - - if self.insecure: # allow clients to work insecure mode if required.. + # Select the highest TLS version supported by both the client and the server. + context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + + if self.insecure: + # Allow clients to connect to servers with missing or invalid certificates. + context.check_hostname = False context.verify_mode = ssl.CERT_NONE else: context.verify_mode = ssl.CERT_REQUIRED diff --git a/test/rhsm/unit/test_connection.py b/test/rhsm/unit/test_connection.py index e6d0212b8f..69d649ab69 100644 --- a/test/rhsm/unit/test_connection.py +++ b/test/rhsm/unit/test_connection.py @@ -593,7 +593,7 @@ def test_bad_ca_cert(self): restlib = BaseRestLib("somehost", "123", "somehandler") restlib.ca_dir = self.temp_ent_dir.name with self.assertRaises(BadCertificateException): - restlib._load_ca_certificates(ssl.SSLContext(ssl.PROTOCOL_SSLv23)) + restlib._load_ca_certificates(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)) def test_hypervisor_check_in_capability_and_reporter(self): self.cp.conn = Mock()