Add _initialize_ssl_context with min_tls.

jakeichikawasalesforce · jakeichikawasalesforce · commit b7fef843727f · 2024-06-19T10:25:31.000-07:00
diff --git a/tabpy/tabpy_server/app/app.py b/tabpy/tabpy_server/app/app.py
@@ -5,6 +5,7 @@
 import os
 import shutil
 import signal
+import ssl
 import sys
 import _thread
 
@@ -83,6 +84,23 @@ def __init__(self, config_file, disable_auth_warning=True):
 
         self._parse_config(config_file)
 
+    def _initialize_ssl_context(self):
+        ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+
+        ssl_context.load_cert_chain(
+            certfile=self.settings[SettingsParameters.CertificateFile],
+            keyfile=self.settings[SettingsParameters.KeyFile]
+        )
+        
+        min_tls = self.settings.get(SettingsParameters.MinimumTLSVersion)
+        try: 
+            ssl_context.minimum_version = ssl.TLSVersion[min_tls]
+            logger.info(f"Setting minimum TLS version to: {min_tls}")
+        except KeyError:
+            logger.warning(f"Unrecognized value for TABPY_MINIMUM_TLS_VERSION: {min_tls}")
+
+        return ssl_context
+
     def _get_tls_certificates(self, config):
         tls_certificates = []
         cert = config[SettingsParameters.CertificateFile]
@@ -127,10 +145,7 @@ def run(self):
         protocol = self.settings[SettingsParameters.TransferProtocol]
         ssl_options = None
         if protocol == "https":
-            ssl_options = {
-                "certfile": self.settings[SettingsParameters.CertificateFile],
-                "keyfile": self.settings[SettingsParameters.KeyFile],
-            }
+            ssl_options = self._initialize_ssl_context()
         elif protocol != "http":
             msg = f"Unsupported transfer protocol {protocol}."
             logger.critical(msg)
@@ -328,6 +343,8 @@ def _parse_config(self, config_file):
             (SettingsParameters.CertificateFile, ConfigParameters.TABPY_CERTIFICATE_FILE,
              None, None),
             (SettingsParameters.KeyFile, ConfigParameters.TABPY_KEY_FILE, None, None),
+            (SettingsParameters.MinimumTLSVersion, ConfigParameters.TABPY_MINIMUM_TLS_VERSION, 
+             "TLSv1_2", None),
             (SettingsParameters.StateFilePath, ConfigParameters.TABPY_STATE_PATH,
              os.path.join(pkg_path, "tabpy_server"), None),
             (SettingsParameters.StaticPath, ConfigParameters.TABPY_STATIC_PATH,
