AUTHOR
Julien Delange, Founder and CEO
Julien is the CEO of Codiga. Before starting Codiga, Julien was a software engineer at Twitter and Amazon Web Services.
Julien has a PhD in computer science from Universite Pierre et Marie Curie in Paris, France.
What is the ssl Python module?
The Python ssl module provides functions and classes for securing communication with Secure Sockets Layer (SSL) and Transport Layer Security (TLS), on both the server and the client side.
The ssl module is part of the Python standard library and is used widely across the Python ecosystem, especially by distributed systems whose components must communicate securely.
What is SSL? Is it secure?
Secure Sockets Layer (SSL) is a deprecated protocol family: SSLv2 was deprecated in 2011 (RFC 6176) and SSLv3 in 2015 (RFC 7568). Since then, TLS has taken over, starting with TLS 1.0 and now at TLS 1.3.
When using secure communication, developers should use at least TLS 1.2; TLS 1.0 and TLS 1.1 were themselves deprecated in 2021 (RFC 8996). For this reason, developers must avoid all earlier protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1).
The Wikipedia article on Transport Layer Security has an accurate history of the SSL and TLS versions.
Why may the ssl Python module be unsafe?
For backward-compatibility reasons, the ssl Python module still exposes the old and deprecated protocols (for example the PROTOCOL_SSLv2 and PROTOCOL_SSLv3 constants, which are present only when the underlying OpenSSL build still supports those protocols). Developers should not use them; they should use the TLS protocol versions that replaced SSL.
MITRE has a CWE for this exact issue, CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), which warns developers against relying on an outdated security protocol.
How to safely and securely use the ssl Python module?
When using the ssl module directly, avoid the deprecated protocols. When wrapping sockets (for example with wrap_socket), make sure the protocol passed as a parameter is not outdated.
Here is, for example, a new socket created with the outdated SSLv3 protocol:
remote = ssl.wrap_socket(s, ca_certs=CA, cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_SSLv3)  # unsafe: SSLv3 is deprecated
Instead, developers should use the TLS protocol, as shown below. Two caveats apply. First, PROTOCOL_TLS negotiates the highest version both peers support, so on an older OpenSSL build it can still fall back to TLS 1.0 or 1.1; to rule that out, build an SSLContext and set its minimum_version to TLS 1.2. Second, the module-level ssl.wrap_socket function is deprecated since Python 3.7 and was removed in Python 3.12, so new code should create an SSLContext (for example with ssl.create_default_context) and call its wrap_socket method.
remote = ssl.wrap_socket(s, ca_certs=CA, cert_reqs=ssl.CERT_REQUIRED, ssl_version=ssl.PROTOCOL_TLS)
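The following is an added example, not code from the original post or from Codiga, showing the SSLContext-based form that replaces ssl.wrap_socket: make_client_context() builds a client context that verifies the peer certificate, checks the host name and refuses anything below TLS 1.2, and audit_context() reports the settings a reviewer would flag on an existing context. legacy_context() is a constructed weak context (an SSLContext built from PROTOCOL_TLS with its defaults) used only to exercise the audit; the function names, the finding strings and the optional cafile parameter are this example's own choices.

```python
"""Added example: hardened TLS client context plus an audit of an existing one."""
import ssl
import warnings


def make_client_context(cafile=None):
    """Return a client SSLContext that validates the server and negotiates TLS >= 1.2.

    create_default_context() uses PROTOCOL_TLS_CLIENT, so certificate
    verification and host name checking are already on. The TLS 1.2 floor is
    pinned explicitly instead of relying on the Python/OpenSSL build defaults.
    cafile (assumed parameter) optionally points at a CA bundle to trust.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for settings that would negotiate a deprecated
    protocol or skip certificate validation; an empty list means no finding."""
    findings = []
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (the default for PROTOCOL_TLS)
    # compares lower than TLSv1_2, so "any version" is reported as a finding.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS < 1.2 (SSLv3, TLS 1.0 or TLS 1.1)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched against the host name")
    return findings


def legacy_context():
    """Constructed weak context mirroring the ssl_version=PROTOCOL_TLS pattern.

    PROTOCOL_TLS negotiates any version the OpenSSL build allows and, unlike
    PROTOCOL_TLS_CLIENT, defaults to CERT_NONE with no host name check. It is
    deprecated since Python 3.10, so the warning is silenced here on purpose.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_TLS)


if __name__ == "__main__":
    print("hardened context:", audit_context(make_client_context()) or "no findings")
    for finding in audit_context(legacy_context()):
        print("legacy context:", finding)
```

To connect with the hardened context, replace the module-level call with `ctx.wrap_socket(s, server_hostname=host)`; passing server_hostname is what makes the host name check effective, and omitting it raises ValueError when check_hostname is set.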
Automatically detect unsafe use of the ssl module
Codiga provides IDE plugins and integrations with GitHub, GitLab, and Bitbucket to detect unsafe usage of the Python ssl module.
Codiga's static code analysis not only detects unsafe code but also suggests fixes for it. A dedicated rule detects unsafe usage of the ssl module.
To apply this rule consistently, install the integration in your IDE (VS Code or JetBrains) or in your code management system, and add a codiga.yml file at the root of your project with the following content:
rulesets:
- python-security
It then checks all your Python code against 100+ rules that detect unsafe and insecure code and suggests a fix for each finding.