Undid change to ssl_context creation.

EcoG-io · May 23, 2023 · 7fa3c0a · 7fa3c0a
1 parent 3a20c61
commit 7fa3c0a
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/iso15118/shared/security.py b/iso15118/shared/security.py
@@ -5,7 +5,7 @@
 from base64 import urlsafe_b64encode
 from datetime import datetime
 from enum import Enum, auto
-from ssl import DER_cert_to_PEM_cert, Purpose, SSLContext, SSLError, VerifyMode
+from ssl import DER_cert_to_PEM_cert, SSLContext, SSLError, VerifyMode
 from typing import Dict, List, Optional, Tuple, Union
 
 from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
@@ -128,11 +128,13 @@ def get_ssl_context(server_side: bool) -> Optional[SSLContext]:
     """
 
     if ENABLE_TLS_1_3:
-        ssl_context = ssl.create_default_context(
-            purpose=Purpose.CLIENT_AUTH if server_side else Purpose.SERVER_AUTH,
-            cafile=CertPath.OEM_ROOT_PEM if server_side else CertPath.V2G_ROOT_PEM,
-        )
+        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
     else:
+        # Specifying protocol as `PROTOCOL_TLS` does best effort.
+        # TLSv1.3 will be attempted and would fallback to 1.2 if not possible.
+        # However, there may be TLS clients that can't perform
+        # 1.2 fallback, here we explicitly set the TLS version
+        # to 1.2, to be sure we won't fall into connection issues
         ssl_context = SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
 
     if server_side:
@@ -1522,4 +1524,4 @@ class KeyPasswordPath(str, Enum):
     )
     MO_SUB_CA2_PASSWORD = os.path.join(
         PKI_PATH, "iso15118_2/private_keys/moSubCA2LeafPassword.txt"
-    )
+    )