andrewmusselman opened a new issue, #684:
URL: https://github.com/apache/tooling-trusted-releases/issues/684

   **ASVS Requirement:** V12.1.1
   **CWE:** CWE-326 (Inadequate Encryption Strength)
   **Severity:** MEDIUM
   **Files:** `start-atr.sh`, `start-dev.sh`
   
   ### Description
   
   The Hypercorn ASGI server startup scripts configure TLS certificates
   (`--keyfile`, `--certfile`) but do not explicitly restrict TLS protocol
   versions. Depending on the system OpenSSL configuration, TLS 1.0 and TLS 1.1 may be
   enabled on the server side. ASVS 12.1.1 requires that only TLS 1.2 and TLS 1.3
   are enabled, with TLS 1.3 as the preferred option.
   
   ### Current code
   
   ```bash
   # start-atr.sh
   exec hypercorn --worker-class uvloop --bind "${BIND}" \
     --keyfile hypercorn/secrets/key.pem \
     --certfile hypercorn/secrets/cert.pem \
     atr.server:app >> /opt/atr/state/hypercorn/logs/hypercorn.log 2>&1
   ```
   
   ### Recommended fix
   
   1. Add puppet config to files in the audit
   
   Create a Hypercorn configuration file with explicit TLS constraints:
   
   ```python
   # config/hypercorn_ssl.py
   import ssl

   # Explicit policy required by ASVS V12.1.1: TLS 1.2 floor, TLS 1.3 ceiling, and
   # only forward-secret AEAD suites (no anonymous, MD5 or DSS suites).
   _ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
   _ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
   _ssl_context.maximum_version = ssl.TLSVersion.TLSv1_3
   _ssl_context.set_ciphers(
       'ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20:!aNULL:!MD5:!DSS'
   )

   # Hypercorn reads the module attributes that match its own configuration keys
   # (certfile, keyfile, ciphers) and builds its own SSLContext from them; it has no
   # key that accepts a prebuilt context, so the cipher policy is also exposed via
   # `ciphers` so that it takes effect on the server.
   certfile = "hypercorn/secrets/cert.pem"
   keyfile = "hypercorn/secrets/key.pem"
   ciphers = 'ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20:!aNULL:!MD5:!DSS'
   ```
   
   Update the startup script to use `--config config/hypercorn_ssl.py`.
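Because the gap described above only appears on systems whose OpenSSL defaults still allow TLS 1.0/1.1, a check that a context actually pins the ASVS V12.1.1 policy is useful before and after applying the fix. The following is an added example, not code from the issue or the project: it builds a context with the same constraints as the recommended config and audits it through the `ssl` module's own introspection (`minimum_version`, `maximum_version`, `get_ciphers()`); the function and variable names are assumptions.

```python
from __future__ import annotations

import ssl
from typing import Any

# Policy from ASVS V12.1.1 as applied in the recommended fix: TLS 1.2 and 1.3 only,
# forward-secret AEAD suites, no anonymous, MD5 or DSS suites.
CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20:!aNULL:!MD5:!DSS"
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def build_server_context() -> ssl.SSLContext:
    """Server context with the same constraints as the recommended Hypercorn config."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(CIPHERS)
    return ctx


def evaluate_policy(minimum: ssl.TLSVersion, maximum: ssl.TLSVersion,
                    ciphers: list[dict[str, Any]]) -> list[str]:
    """Return findings for a TLS configuration; an empty list means the policy holds.

    `ciphers` uses the dict layout of SSLContext.get_ciphers() (name, protocol,
    aead, auth). A minimum of MINIMUM_SUPPORTED means the floor was left to
    OpenSSL, which is exactly the gap this issue reports.
    """
    findings: list[str] = []
    if minimum < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum TLS version not pinned to 1.2: {minimum.name}")
    # MAXIMUM_SUPPORTED is the OpenSSL ceiling, which is TLS 1.3 on any build Python supports.
    if maximum not in (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.MAXIMUM_SUPPORTED):
        findings.append(f"TLS 1.3 not enabled: maximum is {maximum.name}")
    for c in ciphers:
        if c["protocol"] not in ALLOWED_PROTOCOLS:
            findings.append(f"pre-TLS-1.2 cipher suite enabled: {c['name']} ({c['protocol']})")
        if not c["aead"]:
            findings.append(f"non-AEAD cipher suite enabled: {c['name']}")
        if "null" in str(c["auth"]).lower():
            findings.append(f"anonymous cipher suite enabled: {c['name']}")
    return findings


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Audit a live SSLContext, e.g. the one a server process actually constructs."""
    return evaluate_policy(ctx.minimum_version, ctx.maximum_version, ctx.get_ciphers())


if __name__ == "__main__":
    for finding in audit_context(build_server_context()) or ["policy satisfied"]:
        print(finding)
```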

