andrewmusselman opened a new issue, #687:
URL: https://github.com/apache/tooling-trusted-releases/issues/687
**ASVS Requirements:** V12.1.1, V12.2.2
**CWE:** CWE-326 (Inadequate Encryption Strength)
**Severity:** LOW
**File:** `atr/ldap.py` (lines ~40–45, ~216–223)
### Description
LDAP connections to `ldap-eu.apache.org` use `ldap3.Server()` with
`use_ssl=True` but do not explicitly configure TLS version constraints or
certificate verification. While Python 3.10+ defaults to TLS 1.2 minimum and
`ldap3` defaults should verify certificates via the system CA store, this is
not explicitly enforced in the code. Both ASVS 12.1.1 (TLS version) and 12.2.2
(publicly trusted certificates) recommend explicit configuration.
### Current code
```python
server = ldap3.Server(LDAP_SERVER_HOST, use_ssl=True) # No explicit TLS
config
```
### Recommended fix
Set the recommended defaults
Suggestion from audit:
```python
import ssl
import ldap3
tls_config = ldap3.Tls(
validate=ssl.CERT_REQUIRED,
version=ssl.PROTOCOL_TLS_CLIENT,
)
server = ldap3.Server(LDAP_SERVER_HOST, use_ssl=True, tls=tls_config)
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
