From 85d056b5fdb46fa1ef6a5d020c87b3ef0084f3f9 Mon Sep 17 00:00:00 2001 From: swetayadav1 Date: Wed, 3 Apr 2024 14:00:02 +0530 Subject: [PATCH 1/5] NXDRIVE: Fix use of insecure SSL/TLS version: security alert-#4 --- nxdrive/utils.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nxdrive/utils.py b/nxdrive/utils.py index 1b7c5cec92..051744564a 100644 --- a/nxdrive/utils.py +++ b/nxdrive/utils.py @@ -604,7 +604,10 @@ def retrieve_ssl_certificate(hostname: str, /, *, port: int = 443) -> str: import ssl with ssl.create_connection((hostname, port)) as conn: # type: ignore - with ssl.SSLContext().wrap_socket(conn, server_hostname=hostname) as sock: + # Declaring a minimum version to restrict the protocol + context = ssl.create_default_context() + context.minimum_version = ssl.TLSVersion.TLSv1_2 + with context.wrap_socket(conn, server_hostname=hostname) as sock: cert_data: bytes = sock.getpeercert(binary_form=True) # type: ignore return ssl.DER_cert_to_PEM_cert(cert_data) From f89e90e3b678d1e043ea322f8c582d0f99dd0a96 Mon Sep 17 00:00:00 2001 From: Sweta Yadav Date: Wed, 10 Apr 2024 11:27:48 +0530 Subject: [PATCH 2/5] NXDRIVE-2920: Upgrade to TLS 1.2 --- docs/changes/5.5.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/changes/5.5.0.md b/docs/changes/5.5.0.md index 157c57adb6..99d8c3eb10 100644 --- a/docs/changes/5.5.0.md +++ b/docs/changes/5.5.0.md @@ -6,7 +6,7 @@ Release date: `2024-xx-xx` - [NXDRIVE-2882](https://jira.nuxeo.com/browse/NXDRIVE-2882): fix_db should create dump.sql in same dir as db - [NXDRIVE-2901](https://jira.nuxeo.com/browse/NXDRIVE-2901): Authorization Error for OAuth -- [NXDRIVE-2](https://jira.nuxeo.com/browse/NXDRIVE-2): +- [NXDRIVE-2920](https://jira.nuxeo.com/browse/NXDRIVE-2920): Upgrade to TLS 1.2 ### Direct Edit From f6cb7165fa683d0f1217bd3a0f9562454e8732d7 Mon Sep 17 00:00:00 2001 
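Review bot: Replacing the bare `ssl.SSLContext()` with `ssl.create_default_context()` on the `context =` line does more than raise the protocol floor: the default context turns on `check_hostname` and `CERT_REQUIRED`, so `wrap_socket` now aborts the handshake with `SSLCertVerificationError` for any server whose certificate is self-signed or not chained to the system trust store. If `retrieve_ssl_certificate` exists to fetch such a certificate so a user can inspect or pin it (its name and PEM return value suggest so, but its callers are outside this hunk), it can no longer do that for exactly the hosts it is needed for. Keep the TLS 1.2 floor but opt this retrieval out of verification by adding `context.check_hostname = False` and `context.verify_mode = ssl.CERT_NONE` after the `minimum_version` assignment, with a comment stating that the returned certificate is unauthenticated and must be confirmed out of band before it is trusted. On Python 3.10+ `create_default_context()` already defaults to a TLS 1.2 minimum, so the explicit assignment only matters on older interpreters, which is worth saying in the comment. The enclosing function's signature is before this hunk.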
From: Sweta Yadav Date: Fri, 12 Apr 2024 11:33:36 +0530 Subject: [PATCH 3/5] NXDRIVE-2920: Upgrade to TLS 1.2 --- nxdrive/utils.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nxdrive/utils.py b/nxdrive/utils.py index 051744564a..63d67f7b19 100644 --- a/nxdrive/utils.py +++ b/nxdrive/utils.py @@ -606,7 +606,9 @@ def retrieve_ssl_certificate(hostname: str, /, *, port: int = 443) -> str: with ssl.create_connection((hostname, port)) as conn: # type: ignore # Declaring a minimum version to restrict the protocol context = ssl.create_default_context() - context.minimum_version = ssl.TLSVersion.TLSv1_2 + context.minimum_version = getattr( + ssl.TLSVersion, os.getenv("NXDRIVE_TLS_VERSION", "TLSv1_2") + ) with context.wrap_socket(conn, server_hostname=hostname) as sock: cert_data: bytes = sock.getpeercert(binary_form=True) # type: ignore return ssl.DER_cert_to_PEM_cert(cert_data) From 75bc2f3d7d723eaf81ee4f4fed2996c4cd817c2e Mon Sep 17 00:00:00 2001 From: Sweta Yadav Date: Mon, 15 Apr 2024 12:37:51 +0530 Subject: [PATCH 4/5] NXDRIVE-2920: Upgrade to TLS 1.2 --- nxdrive/utils.py | 6 +++--- tools/skiplist.py | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/nxdrive/utils.py b/nxdrive/utils.py index 63d67f7b19..0917edd682 100644 --- a/nxdrive/utils.py +++ b/nxdrive/utils.py @@ -68,6 +68,8 @@ "notBefore": "N/A", } +MINIMUM_TLS_VERSION = "TLSv1_2" + log = getLogger(__name__) 
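Review bot: The `getattr(ssl.TLSVersion, os.getenv("NXDRIVE_TLS_VERSION", "TLSv1_2"))` lookup lets any value of the environment variable become the floor, so `NXDRIVE_TLS_VERSION=TLSv1` or `SSLv3` silently re-enables the protocols this series sets out to retire, and a misspelled value surfaces as an `AttributeError` during handshake setup instead of a configuration error. If an override is wanted at all, validate it against an allowlist before use, e.g. `wanted = os.getenv("NXDRIVE_TLS_VERSION", "TLSv1_2")` followed by `if wanted not in {"TLSv1_2", "TLSv1_3"}: raise ValueError(f"Unsupported NXDRIVE_TLS_VERSION: {wanted!r}")`, and log the floor that was chosen. The `os` import is not visible in this hunk; presumably it is already at the top of `nxdrive/utils.py`. Patch 4 of this series drops the override in favour of a module constant, which settles the point for the series' end state. The enclosing function starts before this hunk.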
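Review bot: `MINIMUM_TLS_VERSION = "TLSv1_2"` is a security floor, but nothing at the definition says what the string is or why it must not be lowered, so a future maintainer chasing a connection failure against an old server may relax it without realising the consequence. Add a comment such as `# Name of an ssl.TLSVersion member used as the handshake floor in retrieve_ssl_certificate(). Do not lower it: TLS 1.0/1.1 and SSLv3 have known weaknesses (NXDRIVE-2920).` and, if `typing.Final` is already imported in this module (not visible in the hunk), annotate it as `MINIMUM_TLS_VERSION: Final = "TLSv1_2"`. The hunk only shows the surrounding module globals, not any other use of the constant.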
@@ -606,9 +608,7 @@ def retrieve_ssl_certificate(hostname: str, /, *, port: int = 443) -> str: with ssl.create_connection((hostname, port)) as conn: # type: ignore # Declaring a minimum version to restrict the protocol context = ssl.create_default_context() - context.minimum_version = getattr( - ssl.TLSVersion, os.getenv("NXDRIVE_TLS_VERSION", "TLSv1_2") - ) + context.minimum_version = getattr(ssl.TLSVersion, MINIMUM_TLS_VERSION) with context.wrap_socket(conn, server_hostname=hostname) as sock: cert_data: bytes = sock.getpeercert(binary_form=True) # type: ignore return ssl.DER_cert_to_PEM_cert(cert_data) diff --git a/tools/skiplist.py b/tools/skiplist.py index 57a411e5fd..4f8a1048c4 100644 --- a/tools/skiplist.py +++ b/tools/skiplist.py @@ -22,6 +22,7 @@ CliHandler.unbind_server # Used by the arguments parser CustomWindow.keyPressEvent # Called by base class _.close_settings_too # Used by Appiclation.show_filters() +context.minimum_version # Used to set TSL minimum version DirectTransferModel.destination_link # Used in QML DocPair.last_sync_error_date # Check NXDRIVE-1804 Download.transfer_type # Used in QML From b6166d918de2823ed9986b2e0bcb54d2dec57ab7 Mon Sep 17 00:00:00 2001 From: Sweta Yadav Date: Mon, 15 Apr 2024 12:39:13 +0530 Subject: [PATCH 5/5] NXDRIVE-2920: Upgrade to TLS 1.2 --- tools/skiplist.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/skiplist.py b/tools/skiplist.py index 4f8a1048c4..a828329689 100644 --- a/tools/skiplist.py +++ b/tools/skiplist.py @@ -22,7 +22,7 @@ CliHandler.unbind_server # Used by the arguments parser CustomWindow.keyPressEvent # Called by base class _.close_settings_too # Used by Appiclation.show_filters() -context.minimum_version # Used to set TSL minimum version +context.minimum_version # Used to set TLS minimum version DirectTransferModel.destination_link # Used in QML DocPair.last_sync_error_date # Check NXDRIVE-1804 Download.transfer_type # Used in QML
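Review bot: `getattr(ssl.TLSVersion, MINIMUM_TLS_VERSION)` resolves a hard-coded string at run time, so a typo in the constant fails only when a certificate is actually retrieved, and a reader has to look up the constant to learn the floor. Patch 1 shows `import ssl` inside this function, so holding the enum member itself at module level would need a module-level import; failing that, `ssl.TLSVersion[MINIMUM_TLS_VERSION]` at least raises a `KeyError` naming the bad value, and the existing comment should say why the floor exists: `# Refuse anything below TLS 1.2; older protocols have known weaknesses (NXDRIVE-2920)`. The `context` on this line is still the one from `ssl.create_default_context()` in the context line above, so full certificate verification applies to this retrieval, which is worth confirming is intended for a helper whose job is to fetch a peer certificate. The enclosing function starts before this hunk.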