Synchronous Access of ssl without Timeout
The ssl.get_server_certificate() function is used to retrieve the
certificate from an SSL-enabled server. By default, this function does not
enforce a timeout on the network connection, which means that an application
could block indefinitely if the server is unresponsive or experiences a
network issue. This can result in resource exhaustion, Denial of Service
(DoS), or unresponsive behavior in the application, especially in production
environments.
This rule ensures that a timeout parameter is provided when calling
ssl.get_server_certificate() to prevent the risk of indefinite blocking
during the SSL certificate retrieval process.
If no timeout is specified in ssl.get_server_certificate(), the application
may block indefinitely while waiting for a response from the server. This can
lead to resource exhaustion, slow performance, or unresponsive behavior in the
application.
Example
import ssl
# No timeout: the connection and TLS handshake can block indefinitely
cert = ssl.get_server_certificate(("example.com", 443))
Remediation
- Python 3.10 and Later: Always provide a timeout parameter when using
ssl.get_server_certificate().
- Python Versions Before 3.10: Use socket.setdefaulttimeout() to globally
enforce a timeout for all socket connections, including those made by
ssl.get_server_certificate().
import ssl
# timeout is in seconds; the keyword argument exists from Python 3.10 onward
cert = ssl.get_server_certificate(("example.com", 443), timeout=5)
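As an added example (not part of the rule documentation), a helper that applies the remediation on either Python line, plus a constructed local listener that never answers the TLS handshake, showing the call now returns after the deadline instead of hanging; the function names `fetch_cert_with_timeout`, `start_silent_server` and `demo_unresponsive_server` are assumptions of this example.

```python
import socket
import ssl
import sys
import time


def fetch_cert_with_timeout(host, port, timeout=5.0):
    """Fetch the server's PEM certificate without ever blocking indefinitely.

    Python 3.10+: pass timeout straight to ssl.get_server_certificate().
    Older versions: the function has no timeout parameter, so the global
    default socket timeout is set for the call and restored afterwards.
    Returns the PEM text, or None if the server missed the deadline.
    """
    try:
        if sys.version_info >= (3, 10):
            return ssl.get_server_certificate((host, port), timeout=timeout)
        previous = socket.getdefaulttimeout()
        socket.setdefaulttimeout(timeout)
        try:
            return ssl.get_server_certificate((host, port))
        finally:
            socket.setdefaulttimeout(previous)
    except (socket.timeout, TimeoutError):
        # Connect or TLS handshake exceeded the deadline; other OSErrors
        # (e.g. connection refused) are left to the caller.
        return None


def start_silent_server():
    """Constructed stand-in for an unresponsive TLS server: the kernel
    completes the TCP connection, but nothing ever answers the ClientHello."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def demo_unresponsive_server(timeout=1.0):
    """Run the fetch against the silent server; return (result, seconds)."""
    srv = start_silent_server()
    try:
        host, port = srv.getsockname()
        started = time.monotonic()
        result = fetch_cert_with_timeout(host, port, timeout=timeout)
        return result, time.monotonic() - started
    finally:
        srv.close()
```

Without the timeout, the same `demo_unresponsive_server` call would never return, which is exactly the blocking the rule flags.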
False Positives
In the case of a false positive, the rule can be suppressed. Simply add a
trailing or preceding comment line with either the rule ID (PY046) or the
rule category name (no_timeout).
Using rule ID:
import ssl
# suppress: PY046
cert = ssl.get_server_certificate(("example.com", 443))

Using category name:
import ssl
# suppress: no_timeout
cert = ssl.get_server_certificate(("example.com", 443))