
Configure explicit TLS version constraints for Hypercorn server #684

@andrewmusselman


ASVS Requirement: V12.1.1
CWE: CWE-326 (Inadequate Encryption Strength)
Severity: MEDIUM
Files: start-atr.sh, start-dev.sh

Description

The Hypercorn ASGI server startup scripts configure TLS certificates (--keyfile, --certfile) but do not explicitly restrict TLS protocol versions. Depending on system OpenSSL configuration, TLS 1.0 and TLS 1.1 may be enabled on the server side. ASVS 12.1.1 requires that only TLS 1.2 and TLS 1.3 are enabled, with TLS 1.3 as the preferred option.

Current code

# start-atr.sh
exec hypercorn --worker-class uvloop --bind "${BIND}" \
  --keyfile hypercorn/secrets/key.pem \
  --certfile hypercorn/secrets/cert.pem \
  atr.server:app >> /opt/atr/state/hypercorn/logs/hypercorn.log 2>&1

Recommended fix

  1. Add puppet config to files in the audit

Create a Hypercorn configuration file with explicit TLS constraints:

# config/hypercorn_ssl.py
import ssl

# Only TLS 1.2 and TLS 1.3, forward-secret AEAD suites only; no anonymous,
# MD5 or DSS suites (ASVS 12.1.1 / CWE-326).
TLS_CIPHERS = 'ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20:!aNULL:!MD5:!DSS'

_ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
_ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
_ssl_context.maximum_version = ssl.TLSVersion.TLSv1_3
_ssl_context.set_ciphers(TLS_CIPHERS)

# The keys below are what Hypercorn reads from a module passed via --config.
# Hypercorn builds its own SSLContext from certfile, keyfile and ciphers and
# does not consume the _ssl_context object above, so the cipher policy is
# also given through the ciphers key; _ssl_context documents the intended
# version and cipher constraints and can be checked in tests.
certfile = "hypercorn/secrets/cert.pem"
keyfile = "hypercorn/secrets/key.pem"
ciphers = TLS_CIPHERS

Update the startup script to use --config config/hypercorn_ssl.py.
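As an added check (example code, not from the ATR project or this issue), the script below builds the server context the same way the recommended config does and audits it against the stated policy; audit_config_file can also execute a config module such as config/hypercorn_ssl.py and audit the _ssl_context object it defines (the function names and the _ssl_context attribute lookup are my own assumptions).

```python
import runpy
import ssl
from typing import List

# Cipher string taken verbatim from the recommended config above.
RECOMMENDED_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20:!aNULL:!MD5:!DSS"


def build_server_context(ciphers: str = RECOMMENDED_CIPHERS) -> ssl.SSLContext:
    """Build a server context the same way the recommended hypercorn_ssl.py does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(ciphers)
    return ctx


def audit_tls_policy(ctx: ssl.SSLContext) -> List[str]:
    """Check a context against the policy the issue states for ASVS 12.1.1.

    Returns a list of findings; an empty list means TLS 1.0/1.1 are off,
    TLS 1.3 is offered, and no anonymous or non-AEAD suite is enabled.
    """
    findings = []
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) means "no floor set".
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version is {ctx.minimum_version.name}: TLS 1.0/1.1 can be negotiated")
    if ctx.maximum_version not in (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.MAXIMUM_SUPPORTED):
        findings.append(f"maximum_version is {ctx.maximum_version.name}: TLS 1.3 is not offered")
    # get_ciphers() reports what OpenSSL would really negotiate for this
    # context, TLS 1.3 suites included, after the cipher string is applied.
    for cipher in ctx.get_ciphers():
        if cipher.get("auth") == "auth-null":
            findings.append(f"anonymous cipher enabled: {cipher['name']}")
        if not cipher["aead"]:
            findings.append(f"non-AEAD cipher enabled: {cipher['name']} ({cipher['protocol']})")
    return findings


def audit_config_file(path: str, attr: str = "_ssl_context") -> List[str]:
    """Execute a Hypercorn-style Python config file and audit the context it builds."""
    namespace = runpy.run_path(path)  # runs the module, returns its globals
    ctx = namespace.get(attr)
    if not isinstance(ctx, ssl.SSLContext):
        return [f"{attr} in {path} is missing or not an ssl.SSLContext"]
    return audit_tls_policy(ctx)
```

Running audit_tls_policy(build_server_context("DEFAULT")) shows the CBC suites that OpenSSL's default list still enables, which is the comparison worth making against the current scripts' effective configuration.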

Labels

ASVS (Anything related to ASVS requirements), L1 (ASVS L1 requirement), LLM (Anything related to LLM audit performance), priority (Not critical, but should be addressed soon), security (Issues related to security posture)
