CodeQL documentation

Use of insecure SSL/TLS version

ID: py/insecure-protocol
Kind: problem
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-327
Query suites:
   - python-code-scanning.qls
   - python-security-extended.qls
   - python-security-and-quality.qls


Using a broken or weak cryptographic protocol may make a connection vulnerable to interference from an attacker.

Recommendation

Ensure that a modern, strong protocol is used. All versions of SSL, and TLS versions 1.0 and 1.1, are known to be vulnerable to attacks. Using TLS 1.2 or above is strongly recommended.

Example

The following code shows a variety of ways of setting up a connection using SSL or TLS. They are all insecure because of the version specified.

import ssl
import socket
from OpenSSL import SSL  # pyOpenSSL is imported under the module name OpenSSL

# Using the deprecated ssl.wrap_socket method: SSLv2 is requested explicitly
ssl.wrap_socket(socket.socket(), ssl_version=ssl.PROTOCOL_SSLv2)

# Using SSLContext: the protocol is the first argument (there is no ssl_version
# keyword); SSLv3 is requested explicitly
context = ssl.SSLContext(ssl.PROTOCOL_SSLv3)

# Using pyOpenSSL: TLS 1.0 is requested explicitly
context = SSL.Context(SSL.TLSv1_METHOD)


All cases should be updated to use a secure protocol, such as PROTOCOL_TLSv1_2.

Note that ssl.wrap_socket has been deprecated in Python 3.7. The recommended alternatives are:

  • ssl.SSLContext - supported in Python 2.7.9, 3.2, and later versions

  • ssl.create_default_context - a convenience function, supported in Python 3.4 and later versions

Even when you use these alternatives, you should ensure that a safe protocol is used. The following code illustrates how to use flags (available since Python 3.2) or the `minimum_version` field (favored since Python 3.7) to restrict the protocols accepted when creating a connection.

import ssl

# Using flags to restrict the protocol
context = ssl.SSLContext()
context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1

# Declaring a minimum version to restrict the protocol
context = ssl.create_default_context()
context.minimum_version = ssl.TLSVersion.TLSv1_2
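
As an added example (not part of the CodeQL documentation), the check below reads an ssl.SSLContext the way this query reads source: it combines minimum_version and maximum_version with the legacy OP_NO_* flags to list which pre-TLS 1.2 versions the context still permits, taking care with the MINIMUM_SUPPORTED and MAXIMUM_SUPPORTED sentinels. The function names, the LEGACY_VERSIONS mapping and the verdict strings are mine.

```python
import ssl

# Versions below TLS 1.2 (the range this query flags), each paired with the
# legacy OP_NO_* flag that disables it. Mapping is constructed for this example.
LEGACY_VERSIONS = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
}


def make_client_context() -> ssl.SSLContext:
    """Hardened client context using the recommended minimum_version approach."""
    ctx = ssl.create_default_context()  # certificate and hostname validation stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allowed_legacy_versions(ctx: ssl.SSLContext) -> list:
    """Pre-TLS 1.2 versions that ctx's own configuration leaves enabled.

    Enabled means inside [minimum_version, maximum_version] with the OP_NO_* flag
    clear. MINIMUM_SUPPORTED and MAXIMUM_SUPPORTED are negative sentinel values
    meaning "no floor" / "no ceiling", so they are kept out of the numeric
    comparison. Whether the linked OpenSSL build would actually complete such a
    handshake is a separate question; this reports what the application asked for.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    enabled = []
    for version, no_flag in LEGACY_VERSIONS.items():
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue
        if ctx.options & no_flag:
            continue
        enabled.append(version)
    return enabled


def audit(ctx: ssl.SSLContext) -> str:
    """One-line verdict for a context, mirroring the query's warning."""
    legacy = allowed_legacy_versions(ctx)
    if not legacy:
        return "ok: TLS 1.2 or later only"
    return "insecure: still accepts " + ", ".join(v.name for v in legacy)
```

Calling audit(make_client_context()) returns the "ok" verdict; a context whose minimum_version has been lowered to MINIMUM_SUPPORTED without OP_NO_TLSv1 / OP_NO_TLSv1_1 set is reported as insecure.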
