Commit
Fix code scanning alert no. 1: Use of insecure SSL/TLS version (#25)
Fixes https://github.com/andreasgriffin/bitcoin-safe/security/code-scanning/1

To fix the problem, we need to ensure that the SSL context explicitly
disallows insecure TLS versions and only allows TLS 1.2 or higher. This
can be done by setting the `minimum_version` attribute of the SSL
context to `ssl.TLSVersion.TLSv1_2`.

The best way to fix the problem without changing existing functionality
is to modify the SSL context creation in the
`get_electrum_server_version` function. Specifically, we will set the
`minimum_version` attribute of the context to `ssl.TLSVersion.TLSv1_2`
right after creating the context with `ssl.create_default_context()`.


_Suggested fixes powered by Copilot Autofix. Review carefully before
merging._

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
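An added example, not part of this commit or of bitcoin-safe, that builds a client context the way the commit message describes and audits it for the weakness the alert flagged; `legacy_client_context` is a constructed stand-in for the floor older interpreters used by default, and the `audit_context` checks are this editor's, not the scanner's.

```python
import ssl
from typing import List

# Added example (not bitcoin-safe code): build the SSL context the way the
# commit describes and audit it for the weakness the code-scanning alert flagged.


def hardened_client_context() -> ssl.SSLContext:
    """Client context with the explicit TLS 1.2 floor from the commit."""
    context = ssl.create_default_context()
    # Pin the floor explicitly: Python >= 3.10 already defaults to TLS 1.2,
    # but older interpreters default to the lowest version OpenSSL supports.
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def legacy_client_context() -> ssl.SSLContext:
    """Constructed 'before' context: the floor older Pythons used by default."""
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # weak on purpose
    return context


def audit_context(context: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client context."""
    findings: List[str] = []
    # MINIMUM_SUPPORTED is a negative sentinel, so it also sorts below TLSv1_2.
    if context.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"TLS floor is {context.minimum_version.name}, below TLSv1_2")
    if not context.check_hostname:
        findings.append("hostname verification disabled")
    if context.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    return findings


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```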
1 parent 2f2f932 commit b1c54d8
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions bitcoin_safe/gui/qt/network_settings/main.py
Expand Up @@ -93,6 +93,7 @@ def get_electrum_server_version(host: str, port: int, use_ssl: bool = True, time
ssock: Optional[socket.socket] = None
if use_ssl:
context = ssl.create_default_context()
context.minimum_version = ssl.TLSVersion.TLSv1_2
ssock = context.wrap_socket(sock, server_hostname=host)
else:
ssock = sock
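Review bot: A one-line comment above `context.minimum_version = ssl.TLSVersion.TLSv1_2` would help future readers: `ssl.create_default_context()` only defaults the floor to TLS 1.2 from Python 3.10 onward, so on older interpreters this line is what actually closes the alert, while on newer ones it is a deliberate pin rather than a no-op. The `ssl.TLSVersion` enum and the `minimum_version` attribute need Python 3.7+ built against OpenSSL 1.1.0g or newer, so if the project still supports older runtimes this line raises an AttributeError at call time. Note also that the `else: ssock = sock` branch still hands back the plaintext socket unchanged, so the floor only applies when `use_ssl` is true.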
0 comments on commit b1c54d8