Upgrade TLS Version In SSLContext
pixee:python/upgrade-sslcontext-tls

| Importance | Review Guidance | Requires Scanning Tool |
|---|---|---|
| High | Merge After Cursory Review | No |
This codemod replaces every unsafe and/or deprecated SSL/TLS protocol version passed to the `ssl.SSLContext` constructor with `PROTOCOL_TLS_CLIENT`, which negotiates the highest TLS version both peers support rather than pinning one fixed version. It also adds `protocol=PROTOCOL_TLS_CLIENT` to calls that omit the argument, because calling `ssl.SSLContext()` with no protocol is now deprecated. The change touches only the argument to `ssl.SSLContext()`, so that it uses `PROTOCOL_TLS_CLIENT`.
import ssl
- context = ssl.SSLContext()
+ context = ssl.SSLContext(protocol=PROTOCOL_TLS_CLIENT)
- context = ssl.SSLContext(protocol=PROTOCOL_SSLv3)
+ context = ssl.SSLContext(protocol=PROTOCOL_TLS_CLIENT)
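Review bot: both `+` lines use an unqualified `PROTOCOL_TLS_CLIENT` while the only import in scope is `import ssl`, so the rewritten code raises NameError at the first call; the replacement should read `context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)`. The second `-` line has the same problem with `PROTOCOL_SSLv3`, which is only reachable as `ssl.PROTOCOL_SSLv3` and on many builds is not defined at all, so the "before" example should be qualified too if it is meant to show code that ever ran.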
For a client talking to a modern server there is no functional difference in the negotiated protocol: all such servers offer TLSv1.2 or later. There is, however, one behavioural difference to expect: `PROTOCOL_TLS_CLIENT` enables certificate verification (`CERT_REQUIRED`) and hostname checking by default, whereas the deprecated no-argument `ssl.SSLContext()` verified nothing. Code that silently relied on that unverified default must load a trust store (for example with `load_default_certs()` or `load_verify_locations()`) or its connections will fail with a certificate verification error; that failure is the codemod closing a real gap rather than a regression to work around.
The `ssl` module deprecates the use of explicit protocol versions (even safe ones such as `PROTOCOL_TLSv1_2`), so the choice is between `PROTOCOL_TLS_CLIENT` and `PROTOCOL_TLS_SERVER`. `PROTOCOL_TLS_CLIENT` is the correct choice for the common case of a context used to connect to a server. A context used to accept connections (for example, one passed to `wrap_socket(..., server_side=True)`) must use `PROTOCOL_TLS_SERVER` instead, so check how each rewritten context is used before merging.
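As an added illustration (editor-supplied example code, not part of the codemod or of Pixee's own code), the following puts the deprecated form and the rewritten form side by side and shows the check a reviewer would run on each rewritten context: that it is client-only, that it verifies the peer and the hostname, and that it refuses TLS 1.0/1.1. It uses only the standard library; the function names `legacy_context`, `hardened_client_context` and `audit_context` are hypothetical, and the `cafile` parameter is an assumed optional path to a private CA bundle.

```python
import ssl
import warnings
from typing import Optional


def legacy_context() -> ssl.SSLContext:
    """The 'before' form: ssl.SSLContext() with no protocol argument.

    Python 3.10+ emits a DeprecationWarning for this call; it is silenced
    here only so the comparison runs cleanly. The resulting context does
    not verify the peer certificate and does not check the hostname.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext()


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The 'after' form, plus the settings a client should pin explicitly.

    cafile is a hypothetical optional path to a private CA bundle; when it
    is None the system trust store is used.
    """
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and check_hostname by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Refuse TLS 1.0/1.1 explicitly rather than relying on OpenSSL's defaults.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # A verifying context is useless without a trust store: load one.
    if cafile is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings a reviewer checks after the codemod runs."""
    return {
        "client_only": ctx.protocol == ssl.PROTOCOL_TLS_CLIENT,
        "check_hostname": ctx.check_hostname,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx))
```

Running the script prints the two audits; the legacy context reports `check_hostname` False and `verifies_peer` False, which is the gap the codemod closes, while the hardened one reports both True with a TLSv1_2 floor. A context whose audit shows `client_only` False after the codemod is one the tool left alone, and a context that is wrapped with `server_side=True` needs `PROTOCOL_TLS_SERVER` rather than this helper.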
If you have feedback on this codemod, please let us know!
F.A.Q.
Why is this codemod marked as Merge After Cursory Review?
This codemod changes the protocol selection to `PROTOCOL_TLS_CLIENT`, which negotiates TLS rather than a fixed, possibly broken version. Since this is an important security fix and all modern servers offer TLSv1.2, we believe the change can be safely merged after a cursory review: confirm that each rewritten context is used on the client side and that a trust store is loaded, because `PROTOCOL_TLS_CLIENT` verifies the server certificate by default.
Codemod Settings
N/A