What is the ssl Python module?
ssl module provides functions and classes
to use Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to secure communication both server and client side.
The SSL module is a standard Python module and is widely used across the Python ecosystem, especially for distributed systems with programs that need to communicate securely.
What is SSL? Is it secure?
Secure Sockets Layer (SSL) is a protocol now deprecated (since 2011 for SSLv2 and 2015 for SSLv3). Since then, the TLS protocol has taken over (first with TLS 1.0 and now with TLS1.3).
When using secure communication, developers should use at least TLS 1.1. And for this reason, developers must avoid any prior protocols (SSLv2, SSLv3, TLS1.0).
The Wikipedia Transport Security Layer has an accurate history of SSL and TLS versions.
Why the ssl Python module may be unsafe?
For backward-compatibility reasons, the
ssl Python module still supports old and deprecated
protocols. But these protocols should not be used by developers. They should instead use the TLS protocol
that is replacing SSL.
MITRE published a CWE about this special issue (Use of a Broken or Risky Cryptographic Algorithm), warning developers not to use an outdated security protocol.
How to safely and securely use the subprocess Python module?
When using the
ssl module directly, avoid deprecated protocols. When using socket functions (such as
wrap_socket) make sure the protocol passed as a parameter is not outdated.
There is, for example of a new socket using the outdated
remote = ssl.wrap_socket(s, ca_certs= CA, cert_reqs=ssl.CERT_REQUIRED, ssl_version = ssl.PROTOCOL_SSLv3)
Instead, developers should use the
TLS protocol, as shown below.
remote = ssl.wrap_socket(s, ca_certs= CA, cert_reqs=ssl.CERT_REQUIRED, ssl_version = ssl.PROTOCOL_TLS)
Automatically detect unsafe use of the ssl module
Codiga provides IDE plugins and integrations with GitHub, GitLab, or Bitbucket to detect unsafe usage of the Python
The Codiga static code analysis not only detects unsafe code but also suggests fixes to correct it. There is a dedicated rule to detect unsafe usage of the
To use this rule consistently, all you need to do is to install the integration in your IDE (for VS Code or JetBrains) or code management system and add a
codiga.yml file at the root of your profile with the following content:
rulesets: - python-security
It will then check all your Python code against 100+ rules that detect unsafe and insecure code and suggests fixes for each of them.