
Improper Certificate Validation Using ssl._create_unverified_context

Rule ID: PY017
Category: improper_certificate_validation
Weakness: CWE-295
Severity: Warning

The Python function ssl._create_unverified_context() creates an SSL context that does not verify the server's certificate. This means that an attacker can easily impersonate a legitimate server and fool your application into connecting to it.

If you use ssl._create_unverified_context, you are opening your application up to a number of security risks, including:

  • Man-in-the-middle attacks
  • Session hijacking
  • Data theft

Example

import ssl


# Vulnerable: the resulting context performs no certificate or hostname verification
context = ssl._create_unverified_context()

Remediation

If you need to connect to a server over HTTPS, use the ssl.create_default_context() function instead. It returns a context that verifies the server's certificate, which protects your application from the risks listed above.

import ssl


# Secure: verifies the server certificate against the system trust store and checks the hostname
context = ssl.create_default_context()

False Positives

In the case of a false positive, the rule can be suppressed. Add a trailing or preceding comment line containing either the rule ID (PY017) or the rule category name (improper_certificate_validation).

import ssl


# suppress: PY017
context = ssl._create_unverified_context()
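
The following is an added example, not the linter's own implementation: a small AST-based checker that reports every ssl._create_unverified_context() call in a source file and honors the suppression comment forms described above (rule ID or category name, on the same line or the line before). The sample source it scans is constructed for the demonstration; handling of aliased imports is intentionally left out.

```python
import ast
import re

RULE_ID = "PY017"
RULE_NAME = "improper_certificate_validation"
# A suppression comment names either the rule ID or the category name.
SUPPRESS_RE = re.compile(r"#\s*suppress:\s*(?:PY017|improper_certificate_validation)\b")

# Constructed sample input: one unsuppressed finding, two suppressed ones, one safe call.
SAMPLE = """import ssl

ctx1 = ssl._create_unverified_context()

# suppress: PY017
ctx2 = ssl._create_unverified_context()

ctx3 = ssl._create_unverified_context()  # suppress: improper_certificate_validation

ctx4 = ssl.create_default_context()
"""


def _is_unverified_context_call(node: ast.AST) -> bool:
    """True for ssl._create_unverified_context(...) or a bare _create_unverified_context(...)."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    if isinstance(func, ast.Attribute):
        return (func.attr == "_create_unverified_context"
                and isinstance(func.value, ast.Name) and func.value.id == "ssl")
    return isinstance(func, ast.Name) and func.id == "_create_unverified_context"


def _is_suppressed(lines, lineno: int) -> bool:
    """Suppressed when the call's own line or the preceding line carries a suppress comment."""
    same_line = lines[lineno - 1]
    prev_line = lines[lineno - 2] if lineno >= 2 else ""
    return bool(SUPPRESS_RE.search(same_line) or SUPPRESS_RE.search(prev_line))


def find_unverified_contexts(source: str):
    """Return sorted (line_number, suppressed) pairs for each unverified-context call."""
    lines = source.splitlines()
    findings = [(node.lineno, _is_suppressed(lines, node.lineno))
                for node in ast.walk(ast.parse(source)) if _is_unverified_context_call(node)]
    return sorted(findings)


if __name__ == "__main__":
    for lineno, suppressed in find_unverified_contexts(SAMPLE):
        status = "suppressed" if suppressed else RULE_ID
        print(f"line {lineno}: {RULE_NAME} ({status})")
```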

See also