CodeQL documentation

Use of insecure SSL/TLS version

ID: py/insecure-protocol
Kind: problem
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-327
Query suites:
   - python-code-scanning.qls
   - python-security-extended.qls
   - python-security-and-quality.qls


Using a broken or weak cryptographic protocol may make a connection vulnerable to interference from an attacker.


Ensure that a modern, strong protocol is used. All versions of SSL, as well as TLS 1.0, are known to be vulnerable to attacks. Using TLS 1.1 or above is strongly recommended.


The following code shows a variety of ways of setting up a connection using SSL or TLS. They are all insecure because of the version specified.

import ssl
import socket

# Using the deprecated ssl.wrap_socket method. ssl.PROTOCOL_SSLv2 is only
# defined when the underlying OpenSSL build still supports SSLv2.
ssl.wrap_socket(socket.socket(), ssl_version=ssl.PROTOCOL_SSLv2)

# Using SSLContext. The constructor's keyword argument is protocol,
# not ssl_version.
context = ssl.SSLContext(protocol=ssl.PROTOCOL_SSLv3)

# Using pyOpenSSL. The package is installed as pyOpenSSL but imported as OpenSSL.
from OpenSSL import SSL

context = SSL.Context(SSL.TLSv1_METHOD)

All cases should be updated to use a secure protocol, such as PROTOCOL_TLSv1_1.

Note that ssl.wrap_socket has been deprecated since Python 3.7. The preferred alternative is ssl.SSLContext, which is available in Python 2.7.9 and later and in Python 3.2 and later.
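As an added example (not code from the CodeQL page or query), the weak configuration placed beside its hardened form, together with a small check that reports a context whose protocol floor is below the required version or that skips certificate verification. It relies on SSLContext.minimum_version (Python 3.7 and later); the default floor of TLS 1.2 in audit_context is this example's own choice and can be lowered to TLSv1_1 to match the text's minimum.

```python
import ssl


def make_legacy_client_context() -> ssl.SSLContext:
    """Constructed weak configuration: the version floor is whatever the
    linked OpenSSL still supports, and peer verification is switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False  # must be cleared before verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_secure_client_context() -> ssl.SSLContext:
    """Hardened form: negotiate the newest mutually supported TLS version,
    never below TLS 1.2, and verify the peer certificate and hostname."""
    ctx = ssl.create_default_context()  # PROTOCOL_TLS_CLIENT + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext,
                  floor: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> list:
    """Return a list of findings; an empty list means the context is acceptable.

    TLSVersion is an IntEnum, so MINIMUM_SUPPORTED, SSLv3, TLSv1 and TLSv1_1
    all compare below TLSv1_2."""
    findings = []
    if ctx.minimum_version < floor:
        findings.append(
            f"minimum_version {ctx.minimum_version.name} is below {floor.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("legacy", make_legacy_client_context()),
                      ("secure", make_secure_client_context())):
        print(name, audit_context(ctx) or "OK")
```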