diff --git a/rules/S4423/python/message.adoc b/rules/S4423/python/message.adoc
new file mode 100644
index 0000000000..59ff2dd698
--- /dev/null
+++ b/rules/S4423/python/message.adoc
@@ -0,0 +1,14 @@
+=== Message
+
+==== OpenSSL and ssl modules
+
+Change this code to use a stronger protocol.
+
+==== AWS APIGateway
+
+Change this code to enforce TLS 1.2 or above.
+
+==== AWS OpenSearch / Elasticsearch
+
+Omitting "tls_security_policy" enables a deprecated version of TLS. Set it to enforce TLS 1.2 or above.
+Change this code to enforce TLS 1.2 or above.
diff --git a/rules/S4423/python/rule.adoc b/rules/S4423/python/rule.adoc
index 8583bdc0f2..5173db6934 100644
--- a/rules/S4423/python/rule.adoc
+++ b/rules/S4423/python/rule.adoc
@@ -1,11 +1,4 @@
-Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure.
-
-This rule raises an issue when an SSL/TLS context is created with an insecure protocol version, i.e. when one of the following constants is detected in the code:
-
-* ``++OpenSSL.SSL.SSLv3_METHOD++`` (Use instead ``++OpenSSL.SSL.TLSv1_2_METHOD++``)
-* ``++ssl.PROTOCOL_SSLv3++`` (Use instead ``++ssl.PROTOCOL_TLSv1_2++``)
-
-Protocol versions different from TLSv1.2 and TLSv1.3 are considered insecure.
+include::../description.adoc[]
 == Noncompliant Code Example
@@ -23,23 +16,79 @@ import ssl
 ssl.SSLContext(ssl.PROTOCOL_SSLv3) # Noncompliant
 ----
+For https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html[aws_cdk.aws_apigateway.DomainName]:
+[source,python]
+----
+from aws_cdk.aws_apigateway import DomainName, SecurityPolicy
+class ExampleStack(Stack):
+ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
+ super().__init__(scope, construct_id, **kwargs)
+ DomainName(self, "example",
+ domain_name="example.com",
+ certificate=certificate,
+ security_policy=SecurityPolicy.TLS_1_0 # Noncompliant
+ )
+----
+
+For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:
+[source,python]
+----
+from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
+class ExampleStack(Stack):
+ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
+ super().__init__(scope, construct_id, **kwargs)
+ CfnDomain(self, "example",
+ version=EngineVersion.OPENSEARCH_1_3
+ ) # Noncompliant: enables TLS 1.0 which is a deprecated version of the protocol
+----
+
 == Compliant Solution
 [source,python]
 ----
 from OpenSSL import SSL
-SSL.Context(SSL.TLSv1_2_METHOD) # Compliant
+SSL.Context(SSL.TLSv1_2_METHOD)
 ----
 [source,python]
 ----
 import ssl
-ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) # Compliant
+ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+----
+
+For https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html[aws_cdk.aws_apigateway.DomainName]:
+[source,python]
+----
+from aws_cdk.aws_apigateway import DomainName, SecurityPolicy
+class ExampleStack(Stack):
+ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
+ super().__init__(scope, construct_id, **kwargs)
+ DomainName(self, "example",
+ domain_name="example.com",
+ certificate=certificate,
+ security_policy=SecurityPolicy.TLS_1_2
+ )
+----
+
+For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:
+[source,python]
+----
+from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
+class ExampleStack(Stack):
+ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
+ super().__init__(scope, construct_id, **kwargs)
+ CfnDomain(self, "example",
+ version=EngineVersion.OPENSEARCH_1_3
+ domain_endpoint_options=CfnDomain.DomainEndpointOptionsProperty(
+ tls_security_policy="Policy-Min-TLS-1-2-2019-07" # Compliant
+ )
+ )
 ----
 include::../see.adoc[]
+* https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html[Amazon API Gateway] - Choosing a minimum TLS version
 ifdef::env-github,rspecator-view[]
@@ -47,7 +96,7 @@ ifdef::env-github,rspecator-view[]
 == Implementation Specification (visible only on this page)
-include::../message.adoc[]
+include::message.adoc[]
 include::../highlighting.adoc[]
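Review bot: The compliant `aws_opensearchservice.CfnDomain` sample in the second hunk of rule.adoc is not valid Python: `version=EngineVersion.OPENSEARCH_1_3` is immediately followed by `domain_endpoint_options=...` with no separating comma, so the snippet fails to parse if a reader pastes it; change that line to `version=EngineVersion.OPENSEARCH_1_3,`. That same argument looks suspect in both OpenSearch samples: as far as I recall, the L1 `CfnDomain` resource takes `engine_version` as a plain string, while `version=EngineVersion.…` is the signature of the L2 `Domain` construct, so it is worth confirming against the linked API page before the samples are published. The noncompliant OpenSearch sample only says "enables TLS 1.0" on the closing parenthesis, whereas the new message.adoc attributes the issue to omitting `tls_security_policy`; a comment such as `# Noncompliant: no domain_endpoint_options.tls_security_policy, so the default policy still accepts TLS 1.0` on the `CfnDomain(` line would make the sample match the message. Lastly, the API Gateway links go to the CDK v1 docs while the OpenSearch links go to v2; picking one version keeps the examples consistent.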