hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-06 15:44:01 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
518d170acdd13516c44340d99d873029c9684ead
codeql/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
Rasmus Lerchedahl Petersen e0352fe763 Python: remove deprecated section of qhelp file
2021-03-26 23:26:24 +01:00

66 lines
2.7 KiB
XML
Raw Blame History

<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Using a broken or weak cryptographic protocol may make a connection
vulnerable to interference from an attacker.
</p>
</overview>
<recommendation>
<p>
Ensure that a modern, strong protocol is used. All versions of SSL,
and TLS versions 1.0 and 1.1 are known to be vulnerable to attacks.
Using TLS 1.2 or above is strongly recommended.
</p>
</recommendation>
<example>
<p>
The following code shows a variety of ways of setting up a
connection using SSL or TLS. They are all insecure because of the
version specified.
</p>
<sample src="examples/insecure_protocol.py" />
<p>
All cases should be updated to use a secure protocol, such as
<code>PROTOCOL_TLSv1_2</code>.
</p>
<p>
Note that <code>ssl.wrap_socket</code> has been deprecated in
Python 3.7. The recommended alternatives are:
</p>
<ul>
<li><code>ssl.SSLContext</code> - supported in Python 2.7.9,
3.2, and later versions</li>
<li><code>ssl.create_default_context</code> - a convenience function,
supported in Python 3.4 and later versions.</li>
</ul>
<p>
Even when you use these alternatives, you should
ensure that a safe protocol is used. The following code illustrates
how to use flags (available since Python 3.2) or the `minimum_version`
field (favored since Python 3.7) to restrict the protocols accepted when
creating a connection.
</p>
<sample src="examples/secure_default_protocol.py" />
</example>
<references>
<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security"> Transport Layer Security</a>.</li>
<li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.SSLContext"> class ssl.SSLContext</a>.</li>
<li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.wrap_socket"> ssl.wrap_socket</a>.</li>
<li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#functions-constants-and-exceptions"> notes on context creation</a>.</li>
<li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl-security"> notes on security considerations</a>.</li>
<li>pyOpenSSL documentation: <a href="https://pyopenssl.org/en/stable/api/ssl.html"> An interface to the SSL-specific parts of OpenSSL</a>.</li>
</references>
</qhelp>
Reference in New Issue View Git Blame Copy Permalink