Inadequate Encryption Strength Using Weak SSL Protocols
The Python pyopenssl modules provide a number of different methods that can
be used to encrypt data. However, some of these methods are no longer
considered secure and should not be used.
The following protocols are considered weak and should not be used:
- SSLv2_METHOD
- SSLv3_METHOD
- TLSv1_METHOD
- TLSv1_1_METHOD
These protocols have a number of known security vulnerabilities that can be exploited by attackers. For example, the BEAST attack can be used to steal sensitive data, such as passwords and credit card numbers, from applications that use SSL version 2.
Example
import OpenSSL
OpenSSL.SSL.Context(method=OpenSSL.SSL.SSLv2_METHOD)
Remediation
If you need to connect to a server over HTTPS, you should use the
TLS_METHOD, TLS_SERVER_METHOD, or TLS_CLIENT_METHOD methods instead.
The SSLv23_METHOD and TLSv1_2_METHOD methods are also considered secure,
but the aforementioned methods are more future-proof as they negotiate a
secure version of the method for you.
import OpenSSL
OpenSSL.SSL.Context(method=OpenSSL.SSL.TLS_METHOD)
False Positives
In the case of a false positive the rule can be suppressed. Simply add a
trailing or preceding comment line with either the rule ID (PY520) or
rule category name (inadequate_encryption_strength).
- Using rule ID

import OpenSSL
# suppress: PY520
OpenSSL.SSL.Context(method=OpenSSL.SSL.SSLv2_METHOD)

- Using category name

import OpenSSL
# suppress: inadequate_encryption_strength
OpenSSL.SSL.Context(method=OpenSSL.SSL.SSLv2_METHOD)
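A simplified sketch of how a check like this rule can work, added here as an example and not the analyzer's own implementation: it walks the AST for Context(...) calls that pass one of the weak methods listed above, and honours a trailing or preceding PY520 / inadequate_encryption_strength suppression comment. The function names, the constructed SAMPLE source, and the heuristic of matching any call named Context (imports are not resolved) are assumptions of this example.

```python
import ast, io, re, tokenize

WEAK = {"SSLv2_METHOD", "SSLv3_METHOD", "TLSv1_METHOD", "TLSv1_1_METHOD"}
SUPPRESS_KEYS = {"PY520", "inadequate_encryption_strength"}
MARKER = re.compile(r"#\s*suppress:\s*(\w+)")

# Constructed sample source, used only to exercise the checker below.
SAMPLE = '''\
import OpenSSL
OpenSSL.SSL.Context(method=OpenSSL.SSL.SSLv2_METHOD)
OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_1_METHOD)
# suppress: PY520
OpenSSL.SSL.Context(method=OpenSSL.SSL.SSLv3_METHOD)
OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)  # suppress: inadequate_encryption_strength
OpenSSL.SSL.Context(method=OpenSSL.SSL.TLS_METHOD)
'''

def suppress_lines(source):
    """Map line number -> True if the suppress comment stands alone on its line."""
    found = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            m = MARKER.match(tok.string)
            if m and m.group(1) in SUPPRESS_KEYS:
                found[tok.start[0]] = tok.line.lstrip().startswith("#")
    return found

def find_weak_methods(source):
    """Return sorted (line, method) pairs for unsuppressed weak Context() calls."""
    marks = suppress_lines(source)
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = getattr(node.func, "attr", getattr(node.func, "id", None))
        if callee != "Context":  # assumption: heuristic match, imports not resolved
            continue
        args = node.args[:1] + [k.value for k in node.keywords if k.arg == "method"]
        trailing = any(n in marks for n in range(node.lineno, node.end_lineno + 1))
        preceding = marks.get(node.lineno - 1, False)  # comment-only line above
        for arg in args:
            name = getattr(arg, "attr", getattr(arg, "id", None))
            if name in WEAK and not (trailing or preceding):
                findings.append((node.lineno, name))
    return sorted(findings)

if __name__ == "__main__":
    print(find_weak_methods(SAMPLE))
```
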