Inadequate Encryption Strength Using Weak SSL Protocols
The Python ssl module provides a number of different protocols that can be used to encrypt data. However, some of these protocols are no longer considered secure and should not be used.
The following protocols are considered weak and should not be used:
ssl.PROTOCOL_SSLv2
ssl.PROTOCOL_SSLv3
ssl.PROTOCOL_TLSv1
ssl.PROTOCOL_TLSv1_1
These protocols have a number of known security vulnerabilities that can be exploited by attackers. For example, the BEAST attack can be used to steal sensitive data, such as passwords and credit card numbers, from applications that use SSL version 2.
Here are some additional reasons why you should not use the weak Python ssl protocols:
- They are not secure. As mentioned above, the weak protocols have a number of known security vulnerabilities that can be exploited by attackers.
- They are not recommended by security experts. Security experts recommend using the ssl.PROTOCOL_TLS_SERVER or ssl.PROTOCOL_TLS_CLIENT protocol instead.
Example
import ssl
ssl.get_server_certificate(
    ("localhost", 443), ssl_version=ssl.PROTOCOL_SSLv2
)
Remediation
If you need to connect to a server over HTTPS, you should use the ssl.PROTOCOL_TLS_SERVER or ssl.PROTOCOL_TLS_CLIENT protocol instead. These protocols are more secure than the weak protocols and will help to protect your application from these security risks.
import ssl
ssl.get_server_certificate(
    ("localhost", 443), ssl_version=ssl.PROTOCOL_TLSv1_2
)
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY018) or rule category name (inadequate_encryption_strength).
- Using rule ID

import ssl
# suppress: PY018
ssl.get_server_certificate(
    ("localhost", 443), ssl_version=ssl.PROTOCOL_TLSv1_2
)

- Using category name

import ssl
# suppress: inadequate_encryption_strength
ssl.get_server_certificate(
    ("localhost", 443), ssl_version=ssl.PROTOCOL_TLSv1_2
)
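To show how the weak-protocol list and the suppression comments fit together, here is an added example (not the rule's own implementation, and not code from this page) that scans Python source with the standard `ast` and `tokenize` modules. The function name, the `SAMPLE` input, and the exact suppression scope (a comment-only line directly before the statement, or a trailing comment on any line the statement spans) are assumptions; it only recognizes the `ssl.<CONSTANT>` spelling.

```python
import ast
import io
import re
import tokenize

# Weak constants and suppression markers as listed on this page.
WEAK = {"PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"}
SUPPRESS = re.compile(r"#\s*suppress:\s*(PY018|inadequate_encryption_strength)\b")


def find_weak_protocols(source):
    """Return sorted (line, constant) pairs for unsuppressed weak ssl protocols."""
    marked, standalone = set(), set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and SUPPRESS.search(tok.string):
            marked.add(tok.start[0])
            if tok.line.lstrip().startswith("#"):
                standalone.add(tok.start[0])  # comment-only line
    # Map each attribute to its innermost statement; ast.walk is breadth-first,
    # so inner statements overwrite outer ones.
    owner = {}
    for stmt in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.stmt)):
        for node in ast.walk(stmt):
            if isinstance(node, ast.Attribute):
                owner[node] = stmt
    findings = []
    for node, stmt in owner.items():
        is_ssl = isinstance(node.value, ast.Name) and node.value.id == "ssl"
        if not (is_ssl and node.attr in WEAK):
            continue
        # Assumed scope: preceding comment-only line, or trailing comment
        # anywhere within the statement's line span.
        trailing = marked.intersection(range(stmt.lineno, stmt.end_lineno + 1))
        if stmt.lineno - 1 in standalone or trailing:
            continue
        findings.append((node.lineno, node.attr))
    return sorted(findings)


# Constructed sample input; it is only parsed, never executed.
SAMPLE = '''import ssl
ssl.get_server_certificate(
    ("localhost", 443), ssl_version=ssl.PROTOCOL_SSLv2
)
# suppress: PY018
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ok = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
legacy = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)  # suppress: inadequate_encryption_strength
old = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
'''
```

Calling `find_weak_protocols(SAMPLE)` reports the unsuppressed uses on lines 3 and 9 and skips the two suppressed statements and the `PROTOCOL_TLS_CLIENT` context.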