Pattern: Use of insecure SSL/TLS as method parameter value
Issue: -
Several highly publicized exploitable flaws have been discovered in all versions of SSL and early versions of TLS. It is strongly recommended that use of the following known broken protocol versions be avoided:
- SSL v2
- SSL v3
- TLS v1
- TLS v1.1
This rule scans for Python methods with default parameter values that specify the use of broken SSL/TLS protocol versions. Currently,
detection supports methods using Python's native SSL/TLS support and the pyOpenSSL module.
Example of insecure code:
import ssl
from pyOpenSSL import SSL
def open_ssl_socket(version=SSL.TLSv1_METHOD):
passExample of secure code:
import ssl
from pyOpenSSL import SSL
def open_ssl_socket(version=SSL.TLSv1_2_METHOD):
passWhen using SSLv23 it is important to also provide flags to explicitly exclude bad versions of SSL/TLS from the protocol versions considered. Both the Python native and pyOpenSSL modules provide the OP_NO_SSLv2 and OP_NO_SSLv3 flags for this purpose.