|Requires Scanning Tool
|Merge Without Review
This codemod replaces all unsafe and/or deprecated SSL/TLS versions when used to set the ssl.SSLContext.minimum_version attribute. It uses ssl.TLSVersion.TLSv1_2 instead, which ensures a safe default minimum TLS
Our change involves modifying the minimum_version attribute of ssl.SSLContext instances to use
context = ssl.SSLContext(protocol=PROTOCOL_TLS_CLIENT)
- context.minimum_version = ssl.TLSVersion.SSLv3
+ context.minimum_version = ssl.TLSVersion.TLSv1_2
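Review bot: the unchanged context line passes an unqualified PROTOCOL_TLS_CLIENT to ssl.SSLContext while the two changed lines spell out ssl.TLSVersion; unless the surrounding file also has "from ssl import PROTOCOL_TLS_CLIENT", that line raises NameError, so the sample should read ssl.PROTOCOL_TLS_CLIENT. On the + line, TLSv1_2 is only a floor, so TLS 1.3 is still negotiated when both peers support it; saying so next to the hunk would answer the obvious question of why the replacement is not TLSv1_3.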
There is no functional difference between the unsafe and safe versions, and all modern servers offer TLSv1.2.
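The following is an added example, not the codemod's own implementation: a small AST-based checker that finds the assignments described above and rewrites them to TLSv1_2. The names UNSAFE, SAMPLE, unsafe_values, find_unsafe and upgrade are hypothetical, the set of flagged members is this example's choice, and the sample source is constructed.

```python
import ast

# TLSVersion members below TLS 1.2; this set is the example's own choice.
UNSAFE = {"SSLv3", "TLSv1", "TLSv1_1"}
SAFE = "TLSv1_2"

# Constructed sample input, not taken from any real project.
SAMPLE = """import ssl
from ssl import TLSVersion

ctx = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)
ctx.minimum_version = ssl.TLSVersion.SSLv3  # was TLSVersion.SSLv3 for a legacy peer
other = ssl.create_default_context()
other.minimum_version = TLSVersion.TLSv1_1
other.minimum_version = ssl.TLSVersion.TLSv1_3
"""


def unsafe_values(source):
    """Return the AST node of every unsafe TLSVersion member assigned to .minimum_version."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Attribute) and t.attr == "minimum_version"
                   for t in node.targets):
            continue
        value = node.value
        if not (isinstance(value, ast.Attribute) and value.attr in UNSAFE):
            continue
        owner = value.value  # `ssl.TLSVersion` (Attribute) or bare `TLSVersion` (Name)
        if getattr(owner, "attr", getattr(owner, "id", None)) == "TLSVersion":
            hits.append(value)
    return hits


def find_unsafe(source):
    """Report (line, member) pairs for review."""
    return sorted((v.end_lineno, v.attr) for v in unsafe_values(source))


def upgrade(source):
    """Rewrite only the flagged member names, right to left so same-line offsets stay valid."""
    lines = source.splitlines(keepends=True)
    for v in sorted(unsafe_values(source), key=lambda v: (v.end_lineno, v.end_col_offset), reverse=True):
        raw = lines[v.end_lineno - 1].encode("utf-8")  # AST column offsets count UTF-8 bytes
        start = v.end_col_offset - len(v.attr)
        lines[v.end_lineno - 1] = (raw[:start] + SAFE.encode() + raw[v.end_col_offset:]).decode("utf-8")
    return "".join(lines)
```

Because the rewrite uses the AST node's end offset rather than a text search, the mention of TLSVersion.SSLv3 inside the trailing comment is left alone, and the TLSv1_3 assignment is not downgraded.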
If you have feedback on this codemod, please let us know!
Why is this codemod marked as Merge Without Review?
This codemod updates the minimum supported version of TLS. Since this is an important security fix and since all modern servers offer TLSv1.2, we believe this change can be safely merged without review.