B503: ssl_with_bad_defaults

bandit.plugins.insecure_ssl_tls.ssl_with_bad_defaults(context, config)[source]

B503: Test for SSL use with bad defaults specified

This plugin is part of a family of tests that detect the use of known bad versions of SSL/TLS, please see ../plugins/ssl_with_bad_version for a complete discussion. Specifically, this plugin test scans for Python methods with default parameter values that specify the use of broken SSL/TLS protocol versions. Currently, detection supports methods using Python’s native SSL/TLS support and the pyOpenSSL module. A MEDIUM severity warning will be reported whenever known broken protocol versions are detected.

Config Options:

This test shares the configuration provided for the standard ../plugins/ssl_with_bad_version test, please refer to its documentation.


>> Issue: Function definition identified with insecure SSL/TLS protocol
version by default, possible security issue.
   Severity: Medium   Confidence: Medium
   CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
   Location: ./examples/ssl-insecure-version.py:28
28  def open_ssl_socket(version=SSL.SSLv2_METHOD):
29      pass

New in version 0.9.0.

Changed in version 1.7.3: CWE information added

Changed in version 1.7.5: Added TLS 1.1