fix(net.py): use ssl.PROTOCOL_TLS_CLIENT as "best practice" in fetch_ssl()

markuslf · markuslf · commit 1cc2b4944bcc · 2025-05-30T20:47:57.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,28 +10,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 
 ## [Unreleased]
 
-tbd
+### Fixed ("fix")
+
+* fix(net.py): use `ssl.PROTOCOL_TLS_CLIENT` as "best practice" in `fetch_ssl()`
+
 
 
 ## v2.2.0
 
-### Changed ("refactor", "chore", "feat" etc.)
+### Added ("feat")
 
 * feat(time.py): add `get_timezone()`
+
+
+### Changed ("refactor", "chore" etc.)
+
 * refactor(net.py): force `fetch_ssl()` to use TLS 1.2+
 * refactor(txt.py): enhance sanitize regex
 
 
+
 ## v2.1.1.15
 
-### Changed ("refactor", "chore", "feat" etc.)
+### Changed ("refactor", "chore" etc.)
 
 * refactor(net.py): add fetch_socket() and fetch_ssl(), improve fetch()
 
 
+
 ## v2.1.1.7
 
-### Changed ("refactor", "chore", "feat" etc.)
+### Changed ("refactor", "chore" etc.)
 
 * refactor(args.py): improve code-style
 * refactor(base.py): improve code-style
@@ -79,7 +88,7 @@ tbd
 * shell.py: Fix special character decoding in Windows output by explicitly switching to codepage 65001
 
 
-### Changed ("refactor", "chore", "feat" etc.)
+### Changed ("refactor", "chore" etc.)
 
 * docs: improve and convert doc strings to markdown for some libs and create new `docs` folder using `pdoc`
 * refactor(base.py, url.py): make use of txt.sanitize_sensitive_data()
@@ -97,7 +106,7 @@ tbd
 
 ## v2.1.0.4
 
-### Changed ("refactor", "chore", "feat" etc.)
+### Changed ("refactor", "chore" etc.)
 
 * refactor: uptimerobot.py
 
@@ -110,7 +119,7 @@ tbd
 * feat: add uptimerobot.py
 
 
-### Changed ("refactor", "chore", "feat" etc.)
+### Changed ("refactor", "chore" etc.)
 
 * docs(base.py): improve doc strings
 
@@ -123,7 +132,7 @@ tbd
 * fix(txt.py): extract_str()
 
 
-### Changed ("refactor", "chore", "feat" etc.)
+### Changed ("refactor", "chore" etc.)
 
 * chore(endoflifedate.py): bump version numbers
 * chore(tools/update-endoflifedate): add openvpn
@@ -159,7 +168,7 @@ Build, CI/CD:
 * keycloak.py: This library collects some Keycloak related functions that are needed by more than one Keycloak plugin.
 
 
-### Changed ("refactor", "chore", "feat" etc.)
+### Changed ("refactor", "chore" etc.)
 
 * librenms.py: `get_state()` returns STATE_OK instead of STATE_UNKNOWN
 * url.py: Improve error messages and comments
diff --git a/net.py b/net.py
@@ -13,7 +13,7 @@
 """
 
 __author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
-__version__ = '2025052001'
+__version__ = '2025053001'
 
 import random
 import re
@@ -327,10 +327,14 @@ def fetch_ssl(host, port, msg=None, timeout=3):
     >>> success, response = fetch_ssl('example.com', 443, b'GET / HTTP/1.0\\r\\nHost: example.com\\r\\n\\r\\n')
     """
     def open_ssl_socket():
-        context = ssl.create_default_context()
-        # forcing TLS 1.2+
-        ctx.options |= ssl.OP_NO_TLSv1
-        ctx.options |= ssl.OP_NO_TLSv1_1
+        # PROTOCOL_TLS_CLIENT automatically disables SSLv2/3 and
+        # TLSv1.0/1.1 on recent OpenSSL builds
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+
+        # context.check_hostname = True
+        # context.verify_mode = ssl.CERT_REQUIRED
+        context.minimum_version = ssl.TLSVersion.TLSv1_2  # enforce at least TLS 1.2 just to be sure
+
         raw_sock = socket.socket(socket.AF_INET, SOCK_TCP)
         return context.wrap_socket(raw_sock, server_hostname=host)
 
