Re: [Bug-wget] [PATCH] Don't limit the test suite HTTPS server to TLSv1


From: Tim Rühsen
Subject: Re: [Bug-wget] [PATCH] Don't limit the test suite HTTPS server to TLSv1
Date: Sat, 11 Aug 2018 12:56:32 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

Good catch, thanks!

Regards, Tim

On 10.08.2018 14:51, Tomas Hozza wrote:
> In Fedora, we are implementing crypto policies, in order to enhance the
> security of user systems. This is done on the system level by global
> configuration. It may happen that due to the active policy, only
> TLSv1.2 or higher will be available in crypto libraries. While wget as
> a client will by default determine the minimal TLS version supported by
> both client and server, the HTTPS server implementation in testenv/
> hardcodes use of TLSv1. As a result all HTTPS related tests fail in
> case a more hardened crypto policy is set on the Fedora system.
> 
> This change removes the explicit TLS version setting and leaves the
> determination of the minimal supported TLS version on the server and
> client.
> 
> More information about the Fedora change can be found here:
> https://fedoraproject.org/wiki/Changes/StrongCryptoSettings
> 
> Signed-off-by: Tomas Hozza <address@hidden>
> ---
>  testenv/server/http/http_server.py | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/testenv/server/http/http_server.py 
> b/testenv/server/http/http_server.py
> index 434666dd..6d8fc9e8 100644
> --- a/testenv/server/http/http_server.py
> +++ b/testenv/server/http/http_server.py
> @@ -49,7 +49,6 @@ class HTTPSServer(StoppableHTTPServer):
>                                                 'server-key.pem'))
>          self.socket = ssl.wrap_socket(
>              sock=socket.socket(self.address_family, self.socket_type),
> -            ssl_version=ssl.PROTOCOL_TLSv1,
>              certfile=CERTFILE,
>              keyfile=KEYFILE,
>              server_side=True
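
Review bot: the ssl.wrap_socket(...) call in HTTPSServer is left with no ssl_version argument and no comment saying the omission is deliberate, so a later cleanup could easily pin a protocol version again and bring back the same test failures under a hardened crypto policy. Add a one-line comment above the call stating that the protocol is intentionally left to the ssl module default so the system policy decides what gets negotiated. Separately, ssl.wrap_socket() is deprecated since Python 3.7; building an ssl.SSLContext, calling load_cert_chain(CERTFILE, KEYFILE) on it and wrapping the socket with context.wrap_socket(sock, server_side=True) would keep the negotiated behaviour and make it possible to set minimum_version explicitly if a test ever needs a floor.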
> 


