3 | 3 | "qhelp.dtd"> |
4 | 4 | <qhelp> |
5 | 5 | <overview> |
6 | | - <p> The <code>ssl</code> library defaults to an insecure version of |
7 | | - SSL/TLS when no specific protocol version is specified. This may leave |
8 | | - the connection vulnerable to attack. |
| 6 | + <p> |
| 7 | + The <code>ssl.wrap_socket</code> function defaults |
| 8 | + to an insecure version of SSL/TLS when no specific protocol version is |
| 9 | + specified. This may leave the connection vulnerable to attack. |
9 | 10 | </p> |
10 | 11 |
|
11 | 12 | </overview> |
12 | 13 | <recommendation> |
13 | 14 |
|
14 | 15 | <p> |
15 | 16 | Ensure that a modern, strong protocol is used. All versions of SSL, |
16 | | - and TLS 1.0 are known to be vulnerable to attacks. Using TLS 1.1 or |
| 17 | + and TLS 1.0 and 1.1 are known to be vulnerable to attacks. Using TLS 1.2 or |
17 | 18 | above is strongly recommended. If no explicit |
18 | 19 | <code>ssl_version</code> is specified, the default |
19 | | - <code>PROTOCOL_TLS</code> is chosen. This protocol is insecure and |
20 | | - should not be used. |
| 20 | + <code>PROTOCOL_TLS</code> is chosen. This protocol is insecure because it |
| 21 | + allows TLS 1.0 and TLS 1.1 and so should not be used. |
21 | 22 | </p> |
22 | 23 |
|
23 | 24 | </recommendation> |
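Review bot: the new line 17 reads awkwardly: "All versions of SSL, and TLS 1.0 and 1.1 are known to be vulnerable to attacks." The comma after "SSL" plus the doubled "and" makes the subject hard to parse; suggest "All versions of SSL, as well as TLS 1.0 and 1.1, are known to be vulnerable to attacks." Separately, the new line 21 justifies the warning with "insecure because it allows TLS 1.0 and TLS 1.1", which omits the SSL versions the same paragraph has just called vulnerable; consider "insecure because it allows the outdated versions listed above" so the reason matches the list.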
|
34 | 35 | <p> |
35 | 36 | Both of the cases above should be updated to use a secure protocol |
36 | 37 | instead, for instance by specifying |
37 | | - <code>ssl_version=PROTOCOL_TLSv1_1</code> as a keyword argument. |
| 38 | + <code>ssl_version=PROTOCOL_TLSv1_2</code> as a keyword argument. |
| 39 | + </p> |
| 40 | + <p> |
| 41 | + The latter example can also be made secure by modifying the created |
| 42 | + context before it is used to create a connection. Therefore it will not be |
| 43 | + flagged by this query. However, if a connection is created before |
| 44 | + the context has been secured (for example, by setting the value of <code>minimum_version</code>), |
| 45 | + then the code should be flagged by the query <code>py/insecure-protocol</code>. |
38 | 46 | </p> |
39 | 47 | <p> |
40 | 48 | Note that <code>ssl.wrap_socket</code> has been deprecated in |
41 | | - Python 3.7. A preferred alternative is to use |
42 | | - <code>ssl.SSLContext</code>, which is supported in Python 2.7.9 and |
43 | | - 3.2 and later versions. |
| 49 | + Python 3.7. The recommended alternatives are: |
44 | 50 | </p> |
| 51 | + <ul> |
| 52 | + <li><code>ssl.SSLContext</code> - supported in Python 2.7.9, |
| 53 | + 3.2, and later versions</li> |
| 54 | + <li><code>ssl.create_default_context</code> - a convenience function, |
| 55 | + supported in Python 3.4 and later versions.</li> |
| 56 | + </ul> |
| 57 | + |
| 58 | + <p> |
| 59 | + Even when you use these alternatives, you should |
| 60 | + ensure that a safe protocol is used. The following code illustrates |
| 61 | + how to use flags (available since Python 3.2) or the `minimum_version` |
| 62 | + field (favored since Python 3.7) to restrict the protocols accepted when |
| 63 | + creating a connection. |
| 64 | + </p> |
| 65 | + |
| 66 | + <sample src="examples/secure_default_protocol.py" /> |
45 | 67 | </example> |
46 | 68 |
|
47 | 69 | <references> |
48 | 70 | <li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security"> Transport Layer Security</a>.</li> |
49 | 71 | <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.SSLContext"> class ssl.SSLContext</a>.</li> |
50 | 72 | <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.wrap_socket"> ssl.wrap_socket</a>.</li> |
| 73 | + <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#functions-constants-and-exceptions"> notes on context creation</a>.</li> |
| 74 | + <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl-security"> notes on security considerations</a>.</li> |
51 | 75 | </references> |
52 | 76 |
|
53 | 77 | </qhelp> |
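Review bot: new line 61 uses Markdown backticks around `minimum_version` inside a qhelp XML file, where every other identifier in this file (including `minimum_version` itself on new line 44) is wrapped in `<code>`; the backticks will be rendered literally, so replace them with `<code>minimum_version</code>`. Two smaller points in the same hunk: the `<ul>` items at new lines 52-55 are inconsistently punctuated (the first has no trailing period, the second does), and the sentence at new lines 41-43, "can also be made secure by modifying the created context before it is used ... Therefore it will not be flagged by this query", compresses the reasoning; it would read more clearly as "because the context can still be secured before it is used, this query does not flag the context creation itself." Also confirm that `examples/secure_default_protocol.py`, referenced by the new `<sample>` element at line 66, is added in this same commit, since it does not appear in this diff.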