Improper Certificate Validation Using ssl._create_unverified_context
The Python function ssl._create_unverified_context() creates an SSL context with
certificate verification disabled: verify_mode is CERT_NONE and check_hostname is
False, so the client accepts whatever certificate the server presents. The leading
underscore marks it as a private API; it exists only as a deliberate opt-out of the
verification Python performs by default (PEP 476). With verification off, an attacker
on the network path can present a certificate of their own choosing, impersonate the
legitimate server, and read or modify everything your application sends.
If you use ssl._create_unverified_context, you are opening your application
up to a number of security risks, including:
- Man-in-the-middle attacks
- Session hijacking
- Data theft
Example
import ssl
# Verification disabled: any certificate, from any issuer, for any hostname, is accepted
context = ssl._create_unverified_context()
Remediation
If you need to connect to a server over HTTPS, use the ssl.create_default_context()
function instead. It loads the platform's trusted CA certificates, requires a valid
certificate chain (CERT_REQUIRED) and checks that the certificate matches the hostname
you connected to, which protects your application from the risks above. If the server
uses a certificate from a private CA or a self-signed certificate, trust that specific
CA with load_verify_locations() (or the cafile argument of create_default_context())
rather than turning verification off for everyone.
import ssl
context = ssl.create_default_context()
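The following is an added example, not code from the original page or the linter's own documentation. It puts the flagged pattern next to the remediation, shows how to trust a private CA without disabling verification, and adds a small fail-closed guard so a non-verifying context can never reach the network. The cafile path and the fetch helper are assumptions for illustration.

```python
import ssl
import urllib.request
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """The pattern PY017 flags: no chain validation, no hostname check."""
    return ssl._create_unverified_context()


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that verifies the server certificate and hostname.

    cafile (hypothetical path, e.g. "/etc/ssl/private-ca.pem") lets the
    application trust an internal CA explicitly instead of trusting everyone.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if cafile is not None:
        # Adds the private CA to the trust store; system CAs stay trusted too.
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Fetch url with ctx, refusing to proceed if ctx does not verify the peer.

    The check runs before any socket is opened, so a misconfigured context
    fails closed instead of silently talking to an impersonated server.
    """
    if not context_verifies_peer(ctx):
        raise ValueError("refusing to connect with a non-verifying SSL context")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for name, ctx in (("unverified", insecure_context()), ("default", verifying_context())):
        print(f"{name}: verify_mode={ctx.verify_mode!r} check_hostname={ctx.check_hostname}")
```

Run it to see the two contexts side by side; the unverified one reports CERT_NONE and check_hostname False. In application code, route every outbound TLS connection through something like fetch so that an accidental use of the private function is caught at runtime as well as by the linter.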
False Positives
In the case of a false positive the rule can be suppressed. Simply add a
trailing or preceding comment line with either the rule ID (PY017) or the
rule category name (improper_certificate_validation).
Using rule ID:
import ssl
# suppress: PY017
context = ssl._create_unverified_context()
Using category name:
import ssl
# suppress: improper_certificate_validation
context = ssl._create_unverified_context()