should not bypass certificate verification

Documentos > Code Analysis > Static Analysis Rules > should not bypass certificate verification

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: python-security/ssl-unverified-context

Language: Python

Severity: Notice

Category: Security

CWE: 295

Description

The call to _create_unverified_context from the ssl module bypass certificates verification. It should not be used and instead, certificates must be verified.

Non-Compliant Code Examples

import xmlrpclib
import ssl

test = xmlrpclib.ServerProxy('https://admin:bz15h9v9n@localhost:9999/API',
                             verbose=False, use_datetime=True, 
                             context=ssl._create_unverified_context()) 
test.list_satellites()

Compliant Code Examples

import xmlrpclib
import ssl

test = xmlrpclib.ServerProxy('https://admin:bz15h9v9n@localhost:9999/API',
                             verbose=False, use_datetime=True)
test.list_satellites()

import xmlrpclib

test = xmlrpclib.ServerProxy('https://admin:bz15h9v9n@localhost:9999/API',
                             verbose=False, use_datetime=True, 
                             context=ssl._create_unverified_context())
test.list_satellites()