rspec/rules/S4423/python/rule.adoc

Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure.
This rule raises an issue when an SSL/TLS context is created with an insecure protocol version, i.e. when one of the following constants is detected in the code:
* <code>OpenSSL.SSL.SSLv3_METHOD</code> (Use instead <code>OpenSSL.SSL.TLSv1_2_METHOD</code>)
* <code>ssl.PROTOCOL_SSLv3</code> (Use instead <code>ssl.PROTOCOL_TLSv1_2</code>)

Protocol versions different from TLSv1.2 and  TLSv1.3 are considered insecure.

== Noncompliant Code Example

----
from OpenSSL import SSL

SSL.Context(SSL.SSLv3_METHOD)  # Noncompliant
----

----
import ssl

ssl.SSLContext(ssl.PROTOCOL_SSLv3) # Noncompliant
----

== Compliant Solution

----
from OpenSSL import SSL

SSL.Context(SSL.TLSv1_2_METHOD)  # Compliant
----

----
import ssl

ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) # Compliant
----

include::../see.adoc[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure.`
			`This rule raises an issue when an SSL/TLS context is created with an insecure protocol version, i.e. when one of the following constants is detected in the code:`
			`* <code>OpenSSL.SSL.SSLv3_METHOD</code> (Use instead <code>OpenSSL.SSL.TLSv1_2_METHOD</code>)`
			`* <code>ssl.PROTOCOL_SSLv3</code> (Use instead <code>ssl.PROTOCOL_TLSv1_2</code>)`

			`Protocol versions different from TLSv1.2 and TLSv1.3 are considered insecure.`

			`== Noncompliant Code Example`

			`----`
			`from OpenSSL import SSL`

			`SSL.Context(SSL.SSLv3_METHOD) # Noncompliant`
			`----`

			`----`
			`import ssl`

			`ssl.SSLContext(ssl.PROTOCOL_SSLv3) # Noncompliant`
			`----`

			`== Compliant Solution`

			`----`
			`from OpenSSL import SSL`

			`SSL.Context(SSL.TLSv1_2_METHOD) # Compliant`
			`----`

			`----`
			`import ssl`

			`ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) # Compliant`
			`----`

			`include::../see.adoc[]`