47 lines
1.0 KiB
Plaintext
47 lines
1.0 KiB
Plaintext
Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure.
|
|
|
|
This rule raises an issue when an SSL/TLS context is created with an insecure protocol version, i.e. when one of the following constants is detected in the code:
|
|
|
|
* ``++OpenSSL.SSL.SSLv3_METHOD++`` (Use instead ``++OpenSSL.SSL.TLSv1_2_METHOD++``)
|
|
* ``++ssl.PROTOCOL_SSLv3++`` (Use instead ``++ssl.PROTOCOL_TLSv1_2++``)
|
|
|
|
Protocol versions different from TLSv1.2 and TLSv1.3 are considered insecure.
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
from OpenSSL import SSL
|
|
|
|
SSL.Context(SSL.SSLv3_METHOD) # Noncompliant
|
|
----
|
|
|
|
----
|
|
import ssl
|
|
|
|
ssl.SSLContext(ssl.PROTOCOL_SSLv3) # Noncompliant
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
from OpenSSL import SSL
|
|
|
|
SSL.Context(SSL.TLSv1_2_METHOD) # Compliant
|
|
----
|
|
|
|
----
|
|
import ssl
|
|
|
|
ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) # Compliant
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|