codeql/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.qhelp at 8b68912c408d29c392d586dfc1ab1d562f397bfe · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
     <overview>
          <p>
          In version of Python before 3.4, the <code>ssl</code> library defaults
          to an insecure version of SSL/TLS when no specific protocol version is
          specified. This may leave the connection vulnerable to attack.
          </p>

     </overview>
     <recommendation>

          <p>
            Ensure that a modern, strong protocol is used. All versions of SSL,
            and TLS 1.0 and 1.1 are known to be vulnerable to attacks. Using TLS 1.2 or
            above is strongly recommended. If no explicit
            <code>ssl_version</code> is specified, the default
            <code>PROTOCOL_TLS</code> is chosen. This protocol is insecure in that it
            allows TLS 1.0 and TLS 1.1 and so should not be used.
          </p>

     </recommendation>
     <example>

       <p>
         The following code shows two different ways of setting up a connection
         using SSL or TLS. They are both potentially insecure because the
         default version is used.
          </p>

          <sample src="examples/insecure_default_protocol.py" />

          <p>
            Both of the cases above should be updated to use a secure protocol
            instead, for instance by specifying
            <code>ssl_version=PROTOCOL_TLSv1_2</code> as a keyword argument.
          </p>
          <p>
            Note that <code>ssl.wrap_socket</code> has been deprecated in
            Python 3.7. The recommended alternatives are:
          </p>
          <ul>
            <li><code>ssl.SSLContext</code> - supported in Python 2.7.9,
                  3.2, and later versions</li>
            <li><code>ssl.create_default_context</code> - a convenience function,
                  supported in Python 3.4 and later versions.</li>
          </ul>
          <p>
            Note also that, even using these alternatives, it is recommended to
            ensure that a safe protocol is being used. The following code illustrates
            how to use either flags (available since Python 3.2) or the `minimum_version`
            field (favored since Python 3.7) to restrict the protocols accepted when
            creating a connection.
          </p>

          <sample src="examples/secure_default_protocol.py" />
     </example>

     <references>
       <li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security"> Transport Layer Security</a>.</li>
       <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.SSLContext"> class ssl.SSLContext</a>.</li>
       <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.wrap_socket"> ssl.wrap_socket</a>.</li>
       <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#functions-constants-and-exceptions"> notes on context creation</a>.</li>
       <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl-security"> notes on security considerations</a>.</li>
     </references>

</qhelp>