B504: ssl_with_no_version

bandit.plugins.insecure_ssl_tls.ssl_with_no_version(context)

B504: Test for SSL use with no version specified

This plugin is part of a family of tests that detect the use of known bad versions of SSL/TLS, please see ../plugins/ssl_with_bad_version for a complete discussion. Specifically, This plugin test scans for specific methods in Python’s native SSL/TLS support and the pyOpenSSL module that configure the version of SSL/TLS protocol to use. These methods are known to provide default value that maximize compatibility, but permit use of the aforementioned broken protocol versions. A LOW severity warning will be reported whenever this is detected.

Config Options:

This test shares the configuration provided for the standard ../plugins/ssl_with_bad_version test, please refer to its documentation.

Example:

>> Issue: ssl.wrap_socket call with no SSL/TLS protocol version
specified, the default SSLv23 could be insecure, possible security
issue.
   Severity: Low   Confidence: Medium
   CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
   Location: ./examples/ssl-insecure-version.py:23
22
23  ssl.wrap_socket()
24

See also

• ssl_with_bad_version()

• ssl_with_bad_defaults()

• https://heartbleed.com/

• https://en.wikipedia.org/wiki/POODLE

• https://security.openstack.org/guidelines/dg_move-data-securely.html

Added in version 0.9.0.

Changed in version 1.7.3: CWE information added