-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathInsecureDefaultProtocol.qhelp
More file actions
51 lines (43 loc) · 1.89 KB
/
InsecureDefaultProtocol.qhelp
File metadata and controls
51 lines (43 loc) · 1.89 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p> The <code>ssl</code> library defaults to an insecure version of
SSL/TLS when no specific protocol version is specified. This may leave
the connection vulnerable to attack.
</p>
</overview>
<recommendation>
<p>
Ensure that a modern, strong protocol is used. All versions of SSL,
and TLS 1.0 are known to be vulnerable to attacks. Using TLS 1.1 or
above is strongly recommended. If no explicit
<code>ssl_version</code> is specified, the default
<code>PROTOCOL_TLS</code> is chosen. This protocol is insecure and
should not be used.
</p>
</recommendation>
<example>
<p>
The following code shows a variety of ways of setting up a
connection using SSL or TLS. They are all potentially insecure because the
default version is used.
</p>
<sample src="examples/insecure_default_protocol.py" />
<p>
In all of the above cases, a secure protocol should be used instead.
</p>
<p>
Note that <code>ssl.wrap_socket</code> has been deprecated in
Python 3.7. A preferred alternative is to use
<code>ssl.SSLContext</code>, which is supported in Python 2.7.9 and
3.2 and later versions.
</p>
</example>
<references>
<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security"> Transport Layer Security</a>.</li>
<li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.SSLContext"> class ssl.SSLContext</a>.</li>
<li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.wrap_socket"> ssl.wrap_socket</a>.</li>
</references>
</qhelp>