Use of insecure SSL/TLS version
ID: py/insecure-protocol
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags: security, external/cwe/cwe-327
Query suites: python-code-scanning.qls, python-security-extended.qls, python-security-and-quality.qls
Using a broken or weak cryptographic protocol may make a connection vulnerable to interference from an attacker.
Recommendation
Ensure that a modern, strong protocol is used. All versions of SSL, and TLS versions 1.0 and 1.1, are known to be vulnerable to attacks. Using TLS 1.2 or above is strongly recommended.
Example
The following code shows a variety of ways of setting up a connection using SSL or TLS. They are all insecure because of the version specified.
```python
import ssl
import socket

# Using the deprecated ssl.wrap_socket method
ssl.wrap_socket(socket.socket(), ssl_version=ssl.PROTOCOL_SSLv2)

# Using SSLContext (the constructor argument is named `protocol`)
context = ssl.SSLContext(protocol=ssl.PROTOCOL_SSLv3)

# Using pyOpenSSL (the package is imported under the name OpenSSL)
from OpenSSL import SSL

context = SSL.Context(SSL.TLSv1_METHOD)
```
All cases should be updated to use a secure protocol, such as `PROTOCOL_TLSv1_2`.
Note that `ssl.wrap_socket` has been deprecated in Python 3.7. The recommended alternatives are:
- `ssl.SSLContext` - supported in Python 2.7.9, 3.2, and later versions
- `ssl.create_default_context` - a convenience function, supported in Python 3.4 and later versions.

Even when you use these alternatives, you should ensure that a safe protocol is used. The following code illustrates how to use flags (available since Python 3.2) or the `minimum_version` field (favored since Python 3.7) to restrict the protocols accepted when creating a connection.
```python
import ssl

# Using flags to restrict the protocol
context = ssl.SSLContext()
context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1

# Declaring a minimum version to restrict the protocol
context = ssl.create_default_context()
context.minimum_version = ssl.TLSVersion.TLSv1_2
```
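The two mechanisms above can be checked on any existing context. The following is an added example, not part of the CodeQL query or its documentation: the helper names `legacy_versions_allowed` and `require_tls12` are hypothetical, and the weak context in the demo is constructed for illustration.

```python
import ssl

# Legacy versions the recommendation says to refuse, paired with the
# option flag that disables each one.
LEGACY = (
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
)


def legacy_versions_allowed(ctx):
    """Return the names of TLS 1.0/1.1 versions that ctx would still negotiate.

    A version is refused if it lies below ctx.minimum_version, above
    ctx.maximum_version, or has its OP_NO_* flag set in ctx.options.
    OpenSSL security levels and system-wide policy are not considered.
    """
    allowed = []
    for version, no_flag in LEGACY:
        # MINIMUM_SUPPORTED is a negative sentinel, so this comparison is
        # False when no explicit floor has been set.
        below_floor = version < ctx.minimum_version
        # MAXIMUM_SUPPORTED is also a negative sentinel and means "no ceiling".
        above_ceiling = (ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED
                         and version > ctx.maximum_version)
        disabled_by_flag = bool(ctx.options & no_flag)
        if not (below_floor or above_ceiling or disabled_by_flag):
            allowed.append(version.name)
    return allowed


def require_tls12(ctx):
    """Raise the floor to TLS 1.2 using minimum_version and return ctx."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Constructed weak configuration: no explicit floor.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    print("before:", legacy_versions_allowed(ctx))
    print("after: ", legacy_versions_allowed(require_tls12(ctx)))
```

A check like this is useful in unit tests for code that receives an `SSLContext` from elsewhere, because a context built with `ssl.SSLContext()` does not necessarily carry the same floor as one built with `ssl.create_default_context()`.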
References
Wikipedia: Transport Layer Security.
Python 3 documentation: class ssl.SSLContext.
Python 3 documentation: ssl.wrap_socket.
Python 3 documentation: notes on context creation.
Python 3 documentation: notes on security considerations.
pyOpenSSL documentation: An interface to the SSL-specific parts of OpenSSL.
Common Weakness Enumeration: CWE-327.