Use of insecure SSL/TLS versionยถ
ID: py/insecure-protocol
Kind: problem
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-327
Query suites:
- python-code-scanning.qls
- python-security-extended.qls
- python-security-and-quality.qls
Click to see the query in the CodeQL repository
Using a broken or weak cryptographic protocol may make a connection vulnerable to interference from an attacker.
Recommendationยถ
Ensure that a modern, strong protocol is used. All versions of SSL, and TLS 1.0 are known to be vulnerable to attacks. Using TLS 1.1 or above is strongly recommended.
Exampleยถ
The following code shows a variety of ways of setting up a connection using SSL or TLS. They are all insecure because of the version specified.
import ssl
import socket
# Using the deprecated ssl.wrap_socket method
ssl.wrap_socket(socket.socket(), ssl_version=ssl.PROTOCOL_SSLv2)
# Using SSLContext
context = ssl.SSLContext(ssl_version=ssl.PROTOCOL_SSLv3)
# Using pyOpenSSL
from pyOpenSSL import SSL
context = SSL.Context(SSL.TLSv1_METHOD)
All cases should be updated to use a secure protocol, such as PROTOCOL_TLSv1_1.
Note that ssl.wrap_socket has been deprecated in Python 3.7. A preferred alternative is to use ssl.SSLContext, which is supported in Python 2.7.9 and 3.2 and later versions.
Referencesยถ
- Wikipedia: Transport Layer Security.
- Python 3 documentation: class ssl.SSLContext.
- Python 3 documentation: ssl.wrap_socket.
- pyOpenSSL documentation: An interface to the SSL-specific parts of OpenSSL.
- Common Weakness Enumeration: CWE-327.