The following security protocols should never be used in Python: SSLv3, SSLv2, TLSv1. For more details, read the SSL module page of the official documentation.
The issue addresses the CWE-757 - selection of less-secure algorithm during negotiation.
Non-Compliant Code Examples
importssldefnewconnect(self):try:s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)remote=ssl.wrap_socket(s,ca_certs=CA,cert_reqs=ssl.CERT_REQUIRED,ssl_version=ssl.PROTOCOL_SSLv3)remote.connect(self.server.seradd)ifnotself.server.seradd[0]==remote.getpeercert()['subjectAltName'][0][1]:logging.error('Server crt error !! Server Name don\'t mach !!')logging.error(remote.getpeercert()['subjectAltName'][0][1])returnifnotself.send_PW(remote):logging.warn('PW error !')returnexceptsocket.error,e:logging.warn(e)return
Compliant Code Examples
importssldefnewconnect(self):try:s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)remote=ssl.wrap_socket(s,ca_certs=CA,cert_reqs=ssl.CERT_REQUIRED,ssl_version=ssl.PROTOCOL_TLS)remote.connect(self.server.seradd)ifnotself.server.seradd[0]==remote.getpeercert()['subjectAltName'][0][1]:logging.error('Server crt error !! Server Name don\'t mach !!')logging.error(remote.getpeercert()['subjectAltName'][0][1])returnifnotself.send_PW(remote):logging.warn('PW error !')returnexceptsocket.error,e:logging.warn(e)return
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- python-security # Rules to enforce Python security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines