[NXDRIVE-2472] Fix a security issue when retrieving a SSL certificate - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 4.0.2
Fix Version/s: 4.5.1
Component/s: Framework

Tags:
- nxDrive
- security
Story Points:
1

Description

Fix a security issue when retrieving a SSL certificate. See https://github.com/nuxeo/nuxeo-drive/security/code-scanning/1 for details.

We should use the default value set in ssl.SSLContext to prevent future similar issues:

Changed in version 3.6: The context is created with secure default values. The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and no MD5 ciphers (except for PROTOCOL_SSLv2).

Attachments

Issue Links

is related to

NXDRIVE-404 Handle custom SSL certificates

Resolved

Is referenced in

PR for master: #2367

PR for master: #2368

links to

Security issue #1

Activity

People

Assignee:

Mickaël Schoentgen

Reporter:

Mickaël Schoentgen

Participants:

Jenkins, Mickaël Schoentgen

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2021-01-11 15:07

Updated:

2021-01-11 19:06

Resolved:

2021-01-11 15:50

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

45m