Insecure SSL Version

ID

python.insecure_ssl_version

Severity

critical

Resource

Misconfiguration

Language

Python

Tags

CWE:295, NIST.SP.800-53, OWASP:2021:A2, OWASP:2021:A7, PCI-DSS:6.5.4

Description

Insecure SSL version usage refers to using outdated SSL/TLS protocols that are susceptible to known vulnerabilities. For secure communications, using up-to-date libraries and protocols is essential.

Rationale

Using outdated SSL/TLS versions, such as SSLv2 or SSLv3, exposes applications to numerous vulnerabilities, including man-in-the-middle (MITM) attacks, due to weaknesses like the POODLE attack. Modern best practices recommend using TLSv1.2 or later.

Here is a vulnerable code example for Python:

import ssl

context = ssl.SSLContext(ssl_version=ssl.PROTOCOL_SSLv3) # FLAW

Remediation

To mitigate insecure SSL version usage, always use the most recent and secure TLS versions.

The sanitized version of the previous example would look like this:

import ssl

ssl.SSLContext(ssl_version=ssl.TLSVersion.TLSv1_2)

References

  • CWE-295 :Improper Certificate Validation.