Commit e8a41f7

committed
Add documentation.
1 parent dfe3fc6 commit e8a41f7

4 files changed

+124
-0
lines changed

Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
<overview>
6+
<p> The <code>ssl</code> library defaults to an insecure version of
7+
SSL/TLS when no specific protocol version is specified. This may leave
8+
the connection vulnerable to attack.
9+
</p>
10+
11+
</overview>
12+
<recommendation>
13+
14+
<p>
15+
Ensure that a modern, strong protocol is used. All versions of SSL,
16+
and TLS 1.0 are known to be vulnerable to attacks. Using TLS 1.1 or
17+
above is strongly recommended. If no explicit
18+
<code>ssl_version</code> is specified, the default
19+
<code>PROTOCOL_TLS</code> is chosen. This protocol is insecure and
20+
should not be used.
21+
</p>
22+
23+
</recommendation>
24+
<example>
25+
26+
<p>
27+
The following code shows a variety of ways of setting up a
28+
connection using SSL or TLS. They are all potentially insecure because the
29+
default version is used.
30+
</p>
31+
32+
<sample src="examples/insecure_default_protocol.py" />
33+
34+
<p>
35+
In all of the above cases, a secure protocol should be used instead.
36+
</p>
37+
<p>
38+
Note that <code>ssl.wrap_socket</code> has been deprecated in
39+
Python 3.7. A preferred alternative is to use
40+
<code>ssl.SSLContext</code>, which is supported in Python 2.7.9 and
41+
3.2 and later versions.
42+
</p>
43+
</example>
44+
45+
<references>
46+
<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security"> Transport Layer Security</a>.</li>
47+
<li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.SSLContext"> class ssl.SSLContext</a>.</li>
48+
<li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.wrap_socket"> ssl.wrap_socket</a>.</li>
49+
</references>
50+
51+
</qhelp>
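Review bot: the recommendation paragraph (lines 15-20) tells the reader that the default `PROTOCOL_TLS` is insecure and should not be used, but nowhere in this file, including the "a secure protocol should be used instead" paragraph at line 35, is an acceptable setting named, so the reader learns what to avoid but not what to write. Suggest naming the concrete secure form the query expects (an explicit TLS 1.1-or-later version constant, or an `SSLContext` whose allowed versions exclude SSL and TLS 1.0), and, since `PROTOCOL_TLS` negotiates the highest version both peers support rather than pinning one, rewording "This protocol is insecure" to say that it may still negotiate SSL or TLS 1.0 unless older versions are explicitly disabled. Minor: the stray comma in "All versions of SSL, and TLS 1.0" (line 15) misreads, and the anchor texts at lines 46-48 carry a leading space inside the `<a>` element.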
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
<overview>
6+
<p>
7+
Using a broken or weak cryptographic protocol may make a connection
8+
vulnerable to interference from an attacker.
9+
</p>
10+
11+
</overview>
12+
<recommendation>
13+
14+
<p>
15+
Ensure that a modern, strong protocol is used. All versions of SSL,
16+
and TLS 1.0 are known to be vulnerable to attacks. Using TLS 1.1 or
17+
above is strongly recommended.
18+
</p>
19+
20+
</recommendation>
21+
<example>
22+
23+
<p>
24+
The following code shows a variety of ways of setting up a
25+
connection using SSL or TLS. They are all insecure because of the
26+
version specified.
27+
</p>
28+
29+
<sample src="examples/insecure_protocol.py" />
30+
31+
<p>
32+
In all of the above cases, a secure protocol should be used instead.
33+
</p>
34+
<p>
35+
Note that <code>ssl.wrap_socket</code> has been deprecated in
36+
Python 3.7. A preferred alternative is to use
37+
<code>ssl.SSLContext</code>, which is supported in Python 2.7.9 and
38+
3.2 and later versions.
39+
</p>
40+
</example>
41+
42+
<references>
43+
<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security"> Transport Layer Security</a>.</li>
44+
<li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.SSLContext"> class ssl.SSLContext</a>.</li>
45+
<li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.wrap_socket"> ssl.wrap_socket</a>.</li>
46+
<li>pyOpenSSL documentation: <a href="https://pyopenssl.org/en/stable/api/ssl.html"> An interface to the SSL-specific parts of OpenSSL</a>.</li>
47+
</references>
48+
49+
</qhelp>
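Review bot: the example paragraph (lines 24-26) says the connections are insecure "because of the version specified", but the recommendation (lines 15-17) never lists which version constants are the weak ones, so the reader has to infer from the sample file that `PROTOCOL_SSLv2`, `PROTOCOL_SSLv3` and pyOpenSSL's `TLSv1_METHOD` are what the query flags. Suggest spelling out the flagged constants for both the `ssl` module and pyOpenSSL in the recommendation, and mentioning pyOpenSSL in the overview or example prose, since it appears in the sample and in the references (line 46) but nowhere in the text. Same minor points as the sibling file: the stray comma in "All versions of SSL, and TLS 1.0" (line 15) and the leading space inside each `<a>` at lines 43-46.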
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
import ssl
2+
import socket
3+
4+
# Using the deprecated ssl.wrap_socket method
5+
ssl.wrap_socket(socket.socket())
6+
7+
# Using SSLContext
8+
context = ssl.SSLContext()
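Review bot: the file shows only the flagged forms (`ssl.wrap_socket(socket.socket())` at line 5 and the argument-less `ssl.SSLContext()` at line 8) and never the corrected one, while the qhelp that embeds it promises "a secure protocol should be used instead"; suggest adding a secure counterpart (a context created with an explicit modern version) so the help page shows the fix alongside the finding. Also, the `socket.socket()` created at line 5 is handed to `wrap_socket` and never closed, so running the sample leaves an open socket; a `with` block, or an explicit close, keeps the sample clean without changing what it demonstrates.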
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
import ssl
2+
import socket
3+
4+
# Using the deprecated ssl.wrap_socket method
5+
ssl.wrap_socket(socket.socket(), ssl_version=ssl.PROTOCOL_SSLv2)
6+
7+
# Using SSLContext
8+
context = ssl.SSLContext(ssl_version=ssl.PROTOCOL_SSLv3)
9+
10+
# Using pyOpenSSL
11+
12+
from pyOpenSSL import SSL
13+
14+
context = SSL.Context(SSL.TLSv1_METHOD)
15+
16+

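Review bot: line 8, `context = ssl.SSLContext(ssl_version=ssl.PROTOCOL_SSLv3)`, does not run: `SSLContext` takes its version as the `protocol` parameter (`ssl_version` is the keyword of `wrap_socket`), so this line raises `TypeError` before the weak version is ever applied. Line 12, `from pyOpenSSL import SSL`, fails as well: the package is installed as pyOpenSSL but imported as `OpenSSL` (`from OpenSSL import SSL`). Both need fixing for the sample to exercise the pattern the query is meant to detect; importing the examples once in a test would have caught them. Also worth a comment: `ssl.PROTOCOL_SSLv2` (line 5) only exists when the interpreter's OpenSSL was built with SSLv2 support, so on current builds the first call can raise `AttributeError` rather than demonstrate the weak setting. Minor: the import at line 12 sits in the middle of the file; moving it up with the other imports follows the usual convention.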