From 671997d7a4dce992998c12ad8b14abcb2fad8659 Mon Sep 17 00:00:00 2001
From: gitworkflows <118260833+gitworkflows@users.noreply.github.com>
Date: Wed, 9 Oct 2024 05:48:25 +0600
Subject: [PATCH] fix: Default version of SSL/TLS

To fix the problem, we should replace the deprecated ssl.wrap_socket method with a more secure and modern approach. The recommended way is to use ssl.SSLContext or ssl.create_default_context to ensure that a secure protocol like TLS 1.2 or above is used.

Create an SSLContext object and set its minimum_version to ssl.TLSVersion.TLSv1_2.
Wrap the server socket using this context instead of ssl.wrap_socket.
---
 docker/ciscoasa/dist/asa_server.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docker/ciscoasa/dist/asa_server.py b/docker/ciscoasa/dist/asa_server.py
index e1883870..8950d97d 100644
--- a/docker/ciscoasa/dist/asa_server.py
+++ b/docker/ciscoasa/dist/asa_server.py
@@ -290,7 +290,10 @@ if __name__ == '__main__':
             if not cert:
                 import gencert
                 cert = gencert.gencert()
-            httpd.socket = ssl.wrap_socket(httpd.socket, certfile=cert, server_side=True)
+            context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+            context.minimum_version = ssl.TLSVersion.TLSv1_2
+            context.load_cert_chain(certfile=cert)
+            httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
 
         logger.info('Starting server on port {:d}/tcp, use <Ctrl-C> to stop'.format(port))
         hpfl.log('info', 'Starting server on port {:d}/tcp, use <Ctrl-C> to stop'.format(port))