From f22db2a30b305ba15019fb77463e42c2022cfe86 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen
Date: Wed, 7 Apr 2021 08:32:21 +0200
Subject: [PATCH] Python: One family to rule them all...

---
 python/ql/src/Security/CWE-327/TlsLibraryModel.qll | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index 73ab52be807..82c251f3f81 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -71,15 +71,10 @@ abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrest
   override DataFlow::CfgNode getContext() { result = this }
 
   override ProtocolVersion getUnrestriction() {
-    // see https://www.openssl.org/docs/man1.1.0/man3/TLS_method.html
-    family = "TLS" and
-    result in ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
-    or
-    // This can negotiate a TLS 1.3 connection (!)
-    // see
-    // - https://docs.python.org/3/library/ssl.html#ssl-contexts
-    // - https://www.openssl.org/docs/man1.0.2/man3/TLSv1_method.html
-    family = "SSLv23" and
+    // There is only one family, the two names are aliases in OpenSSL.
+    // see https://github.com/openssl/openssl/blob/13888e797c5a3193e91d71e5f5a196a2d68d266f/include/openssl/ssl.h.in#L1953-L1955
+    family in ["SSLv23", "TLS"] and
+    // see https://docs.python.org/3/library/ssl.html#ssl-contexts
     result in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
   }
 }
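Review bot: The merged `result in ["SSLv2", "SSLv3", ...]` on the last changed line now reports SSLv2 as negotiable for the `"TLS"` family as well, where the removed `family = "TLS"` branch deliberately left it out, and the new comment does not say whether that widening is intended. As far as I know OpenSSL 1.1.0 and later cannot negotiate SSLv2 under either method name, so this is an over-approximation of what the context can actually negotiate; for a predicate on the unrestricted side that is the safe direction, but it is worth stating so a later reader does not "fix" it, e.g. `// Conservative over-approximation: SSLv2 is listed although OpenSSL >= 1.1.0 cannot negotiate it; the versions actually negotiable depend on the linked OpenSSL build, not on which alias was used.` Presumably the per-context restrictions (options, minimum_version) are modelled elsewhere via `ProtocolUnrestriction`, since this predicate only inspects `family` — confirm that is the case. The enclosing class `UnspecificContextCreation` begins before the hunk; `getUnrestriction` itself is complete within it.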