From 652975dceb712c6ea1506386dc1d78cb7cff7f50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Do=C4=9Fukan=20=C3=87a=C4=9Fatay?=
Date: Tue, 10 Mar 2026 14:51:46 +0000
Subject: [PATCH] rsyslog: use ssl.create_default_context for secure TLS

Replace manual ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) with ssl.create_default_context(), which is the Python-recommended factory for creating secure TLS contexts. This resolves the CodeQL py/insecure-protocol alert (CWE-327) as CodeQL recognizes create_default_context as inherently safe. This resolves the CodeQL alert for CWE-327 (use of a broken or weak cryptographic algorithm).
---
 journalpump/rsyslog.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/journalpump/rsyslog.py b/journalpump/rsyslog.py
index 0bc6a20..7360ca7 100644
--- a/journalpump/rsyslog.py
+++ b/journalpump/rsyslog.py
@@ -108,11 +108,8 @@ def __init__(
         if protocol is None:
             protocol = "PLAINTEXT"
         if cacerts is not None or protocol == "SSL":
-            self.ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+            self.ssl_context = ssl.create_default_context(cafile=cacerts)
             self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
-            self.ssl_context.verify_mode = ssl.CERT_REQUIRED
-            if cacerts:
-                self.ssl_context.load_verify_locations(cacerts)
             if certfile:
                 self.ssl_context.load_cert_chain(certfile, keyfile)
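Review bot: `create_default_context(cafile=cacerts)` on the added line also enables `check_hostname` (the default `Purpose.SERVER_AUTH` context does that), which the removed `ssl.SSLContext(ssl.PROTOCOL_TLS)` context did not; wherever this context wraps the socket (not visible in the hunk) the call must now pass `server_hostname=` with the rsyslog host, otherwise the handshake fails with `ValueError: check_hostname requires server_hostname`, and a server addressed by IP needs that IP in its certificate SAN. A second silent change: when `cacerts` is None and `protocol == "SSL"`, the new context loads the system trust store via `load_default_certs()`, whereas the old one loaded no trust anchors at all, so publicly-signed server certificates are now accepted where they were previously rejected — a reasonable default, but one the commit message does not state. I would document both next to the added line, `# create_default_context(): CERT_REQUIRED + check_hostname, and the system CA store when cafile is None`, so the next reader does not reintroduce manual `verify_mode`/`check_hostname` tweaks. The commit message says it replaces `ssl.PROTOCOL_TLS_CLIENT`, but the removed line used `ssl.PROTOCOL_TLS`; worth correcting so the history matches the diff. `__init__` starts before and continues after this hunk.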