From 663026c34cc64f14040ceedf8a38f5094de41ba6 Mon Sep 17 00:00:00 2001
From: Julien Riou
Date: Tue, 23 Apr 2019 11:23:22 +0200
Subject: [PATCH] Use SSLContext to wrap REST API socket (#1039)

Using `ssl.wrap_socket` is deprecated and was still allowing soon-to-be-deprecated protocols like TLS 1.1. Now using `SSLContext.create_default_context()` to produce a secure SSL context to wrap the REST API server's socket.
---
 patroni/api.py | 4 +++-
 tests/test_api.py | 6 ++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/patroni/api.py b/patroni/api.py
index e0754848..c82f679c 100644
--- a/patroni/api.py
+++ b/patroni/api.py
@@ -542,7 +542,9 @@ class RestApiServer(ThreadingMixIn, HTTPServer, Thread):
 # Sometime it's also needed to pass reference to a 'keyfile'.
 if self.__ssl_options.get('certfile'):
 import ssl
-self.socket = ssl.wrap_socket(self.socket, server_side=True, **self.__ssl_options)
+ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+ctx.load_cert_chain(**self.__ssl_options)
+self.socket = ctx.wrap_socket(self.socket, server_side=True)
 self.__protocol = 'https'
 return True
diff --git a/tests/test_api.py b/tests/test_api.py
index d1d60c27..a3bf1966 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -141,7 +141,8 @@ class MockRestApiServer(RestApiServer):
 Handler(MockRequest(request), ('0.0.0.0', 8080), self)
-@patch('ssl.wrap_socket', Mock(return_value=0))
+@patch('ssl.SSLContext.load_cert_chain', Mock())
+@patch('ssl.SSLContext.wrap_socket', Mock(return_value=0))
 @patch.object(BaseHTTPServer.HTTPServer, '__init__', Mock())
 class TestRestApiHandler(unittest.TestCase):
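Review bot: The new context never pins a minimum protocol version, so the commit's stated goal of rejecting TLS 1.1 is left to the interpreter and OpenSSL build — `ssl.create_default_context()` disables SSLv2/SSLv3 and weak ciphers, but on the Python releases current when this was written it still permits TLS 1.0 and 1.1. Add `ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1` (or, if only 3.7+ is supported, `ctx.minimum_version = ssl.TLSVersion.TLSv1_2`) directly after the `create_default_context` call so the floor is explicit rather than inherited. Note also that `ctx.load_cert_chain(**self.__ssl_options)` accepts only certfile/keyfile/password, whereas the removed `ssl.wrap_socket(**self.__ssl_options)` tolerated keys such as ca_certs or ciphers; if that dict can carry anything beyond the certfile/keyfile the comment above mentions, it should be filtered before the call or a TypeError surfaces at startup. Since `Purpose.CLIENT_AUTH` leaves `verify_mode` at CERT_NONE, peer certificates are still not verified — consistent with the old call, but worth a one-line comment because readers tend to assume a "default context" verifies. The enclosing method starts and ends outside the hunk.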
@@ -391,7 +392,8 @@ class TestRestApiHandler(unittest.TestCase):
 MockRestApiServer(RestApiHandler, post + '37\n\n{"candidate":"2","scheduled_at": "1"}')
-@patch('ssl.wrap_socket', Mock(return_value=0))
+@patch('ssl.SSLContext.load_cert_chain', Mock())
+@patch('ssl.SSLContext.wrap_socket', Mock(return_value=0))
 @patch.object(BaseHTTPServer.HTTPServer, '__init__', Mock())
 class TestRestApiServer(unittest.TestCase):