Use SSLContext at all places where SSL connection could be opened

DiablosOffens · DiablosOffens · commit dc8fb08226c7 · 2025-01-25T02:39:25.000+01:00
Without it connection will fail, at least for url https://login.microsoftonline.com/common/oauth2/v2.0/token and with Python 3.13.1 on Windows. The following error was logged: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1018)
diff --git a/emailproxy.py b/emailproxy.py
@@ -1060,9 +1060,11 @@ def construct_oauth2_permission_url(permission_url, redirect_uri, client_id, sco
     def start_device_authorisation_grant(permission_url):
         """Requests the device authorisation grant flow URI and user code - see https://tools.ietf.org/html/rfc8628"""
         try:
+            ssl_context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
+            ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2  # GitHub CodeQL issue 2
             response = urllib.request.urlopen(
                 urllib.request.Request(permission_url, headers={'User-Agent': APP_NAME}),
-                timeout=AUTHENTICATION_TIMEOUT).read()
+                timeout=AUTHENTICATION_TIMEOUT, context=ssl_context).read()
             parsed_result = json.loads(response)
             verification_uri = parsed_result.get('verification_uri_complete', parsed_result['verification_uri'])
             user_code = parsed_result['user_code']
@@ -1187,10 +1189,14 @@ def get_oauth2_authorisation_tokens(token_url, redirect_uri, client_id, client_s
         expires_at = time.time() + expires_in
         while time.time() < expires_at and not EXITING:
             try:
+                ssl_context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
+                ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2  # GitHub CodeQL issue 2
+
                 # in all flows except DAG, we make one attempt only
                 response = urllib.request.urlopen(
                     urllib.request.Request(token_url, data=urllib.parse.urlencode(params).encode('utf-8'),
-                                           headers={'User-Agent': APP_NAME}), timeout=AUTHENTICATION_TIMEOUT).read()
+                                           headers={'User-Agent': APP_NAME}), timeout=AUTHENTICATION_TIMEOUT,
+                                           context=ssl_context).read()
                 return json.loads(response)
 
             except urllib.error.HTTPError as e:
@@ -1262,9 +1268,12 @@ def refresh_oauth2_access_token(token_url, client_id, client_secret, jwt_client_
                 params['client_assertion'] = jwt_client_assertion
 
         try:
+            ssl_context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
+            ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2  # GitHub CodeQL issue 2
             response = urllib.request.urlopen(
                 urllib.request.Request(token_url, data=urllib.parse.urlencode(params).encode('utf-8'),
-                                       headers={'User-Agent': APP_NAME}), timeout=AUTHENTICATION_TIMEOUT).read()
+                                       headers={'User-Agent': APP_NAME}), timeout=AUTHENTICATION_TIMEOUT,
+                                       context=ssl_context).read()
             token = json.loads(response)
             if 'expires_in' in token:  # some servers return integer values as strings - fix expiry values (GitHub #237)
                 token['expires_in'] = int(token['expires_in'])
