Upgrade SSL params for roundup-server

rouilj · rouilj · commit c11001dbf768 · 2021-05-23T17:41:23.000-04:00
Params were still using md5, a key size of 768 and allowed SSL 2 and 3.

Now using sha512, key size of 2048 and TLS 1.1 or newer.

This still doesn't fix the use of SSL in roundup-server. It has
problems under both 2.7 and 3.x. Tickets in tracker opened for both,
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -110,6 +110,12 @@ Fixed:
   is used in some template to provide a select box of timezones. It
   uses cgi.escape that is depricated and removed from 3.8 and newer.
   Use html.escape with fallback to cgi.escape. (Cedric Krier)
+- roundup-server can act as an SSL server. Usually SSL is provided by
+  a front-end server like nginx, hiawtha, apache. The SSL parameters
+  have been upgraded to TLS 1.1. Cert is RSA 2048 bytes with SHA512
+  signature. Without these upgrades, ssl mode won't start. Note this
+  exposes other issue with roundup-server operating as an SSL
+  endpoint. See issue2551138 and issue2551137.
 
 Features:
 - issue2550522 - Add 'filter' command to command-line
diff --git a/roundup/scripts/roundup_server.py b/roundup/scripts/roundup_server.py
@@ -109,7 +109,7 @@ def auto_ssl():
     print(_('WARNING: generating temporary SSL certificate'))
     import OpenSSL, random
     pkey = OpenSSL.crypto.PKey()
-    pkey.generate_key(OpenSSL.crypto.TYPE_RSA, 768)
+    pkey.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
     cert = OpenSSL.crypto.X509()
     cert.set_serial_number(random.randint(0, sys.maxsize))
     cert.gmtime_adj_notBefore(0)
@@ -119,8 +119,8 @@ def auto_ssl():
     cert.get_issuer().CN = 'Roundup Dummy Certificate Authority'
     cert.get_issuer().O = 'Self-Signed'
     cert.set_pubkey(pkey)
-    cert.sign(pkey, 'md5')
-    ctx = SSL.Context(SSL.SSLv23_METHOD)
+    cert.sign(pkey, 'sha512')
+    ctx = SSL.Context(OpenSSL.SSL.TLSv1_1_METHOD)
     ctx.use_privatekey(pkey)
     ctx.use_certificate(cert)
 
@@ -133,7 +133,7 @@ def __init__(self, server_address, HandlerClass, ssl_pem=None):
         http_.server.HTTPServer.__init__(self, server_address, HandlerClass)
         self.socket = socket.socket(self.address_family, self.socket_type)
         if ssl_pem:
-            ctx = SSL.Context(SSL.SSLv23_METHOD)
+            ctx = SSL.Context(SSL.TLSv1_1_METHOD)
             ctx.use_privatekey_file(ssl_pem)
             ctx.use_certificate_file(ssl_pem)
         else:
