andrewmusselman opened a new issue, #678:
URL: https://github.com/apache/tooling-trusted-releases/issues/678
**ASVS Reference:** 11.3.2 (Finding 2 — Informational)
### Description
TLS configuration in `atr/util.py` (~line 259) and `atr/mail.py` (~line 109)
uses `ssl.create_default_context()` with `minimum_version = TLSv1_2` but does
not explicitly restrict cipher suites. Python 3.10+ defaults are secure (AEAD
ciphers prioritized, weak ciphers excluded), but explicit configuration
provides defense-in-depth and makes the security posture auditable.
### Current code
```python
def create_secure_ssl_context() -> ssl.SSLContext:
ctx = ssl.create_default_context()
ctx.check_hostname = True
ctx.verify_mode = ssl.CERT_REQUIRED
ctx.minimum_version = ssl.TLSVersion.TLSv1_2
return ctx
```
### Suggested enhancement
1. Warn if we don't use defaults
2. Do this at startup
3. Document it for the LLM in `atr/docs`
```python
def create_secure_ssl_context() -> ssl.SSLContext:
ctx = ssl.create_default_context()
ctx.check_hostname = True
ctx.verify_mode = ssl.CERT_REQUIRED
ctx.minimum_version = ssl.TLSVersion.TLSv1_2
ctx.set_ciphers('ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20')
return ctx
```
### Severity
Informational — The current configuration is compliant. This is a hardening
recommendation.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
