Use SSLContext to wrap REST API socket (#1039)

Using `ssl.wrap_socket` is deprecated and was still allowing soon-to-be-deprecated protocols like TLS 1.1. Now using `SSLContext.create_default_context()` to produce a secure SSL context to wrap the REST API server's socket.
2026-01-27 10:20:10 +00:00 · 2019-04-23 11:23:22 +02:00
parent 51b085a76d
commit 663026c34c
2 changed files with 7 additions and 3 deletions
--- a/patroni/api.py
+++ b/patroni/api.py
@@ -542,7 +542,9 @@ class RestApiServer(ThreadingMixIn, HTTPServer, Thread):
        # Sometime it's also needed to pass reference to a 'keyfile'.
        if self.__ssl_options.get('certfile'):
            import ssl
-            self.socket = ssl.wrap_socket(self.socket, server_side=True, **self.__ssl_options)
+            ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+            ctx.load_cert_chain(**self.__ssl_options)
+            self.socket = ctx.wrap_socket(self.socket, server_side=True)
            self.__protocol = 'https'
        return True

--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -141,7 +141,8 @@ class MockRestApiServer(RestApiServer):
        Handler(MockRequest(request), ('0.0.0.0', 8080), self)


-@patch('ssl.wrap_socket', Mock(return_value=0))
+@patch('ssl.SSLContext.load_cert_chain', Mock())
+@patch('ssl.SSLContext.wrap_socket', Mock(return_value=0))
@patch.object(BaseHTTPServer.HTTPServer, '__init__', Mock())
 class TestRestApiHandler(unittest.TestCase):

@@ -391,7 +392,8 @@ class TestRestApiHandler(unittest.TestCase):
        MockRestApiServer(RestApiHandler, post + '37\n\n{"candidate":"2","scheduled_at": "1"}')


-@patch('ssl.wrap_socket', Mock(return_value=0))
+@patch('ssl.SSLContext.load_cert_chain', Mock())
+@patch('ssl.SSLContext.wrap_socket', Mock(return_value=0))
@patch.object(BaseHTTPServer.HTTPServer, '__init__', Mock())
 class TestRestApiServer(unittest.TestCase):