Codiga has joined Datadog!

Read the Blog·

Interested in our Static Analysis?

Sign up
← All posts
Julien Delange Monday, October 17, 2022

SSL module in Python: stay secure!



Julien Delange, Founder and CEO

Julien is the CEO of Codiga. Before starting Codiga, Julien was a software engineer at Twitter and Amazon Web Services.

Julien has a PhD in computer science from Universite Pierre et Marie Curie in Paris, France.

See all articles

What is the ssl Python module?

The Python ssl module provides functions and classes to use Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to secure communication both server and client side.

The SSL module is a standard Python module and is widely used across the Python ecosystem, especially for distributed systems with programs that need to communicate securely.

SSL security

What is SSL? Is it secure?

Secure Sockets Layer (SSL) is a protocol now deprecated (since 2011 for SSLv2 and 2015 for SSLv3). Since then, the TLS protocol has taken over (first with TLS 1.0 and now with TLS1.3).

When using secure communication, developers should use at least TLS 1.1. And for this reason, developers must avoid any prior protocols (SSLv2, SSLv3, TLS1.0).

The Wikipedia Transport Security Layer has an accurate history of SSL and TLS versions.

Why the ssl Python module may be unsafe?

For backward-compatibility reasons, the ssl Python module still supports old and deprecated protocols. But these protocols should not be used by developers. They should instead use the TLS protocol that is replacing SSL.

MITRE published a CWE about this special issue (Use of a Broken or Risky Cryptographic Algorithm), warning developers not to use an outdated security protocol.

How to safely and securely use the subprocess Python module?

When using the ssl module directly, avoid deprecated protocols. When using socket functions (such as with wrap_socket) make sure the protocol passed as a parameter is not outdated.

There is, for example of a new socket using the outdated SSLv3 protocol.

remote = ssl.wrap_socket(s, ca_certs= CA, cert_reqs=ssl.CERT_REQUIRED, ssl_version = ssl.PROTOCOL_SSLv3)

Instead, developers should use the TLS protocol, as shown below.

remote = ssl.wrap_socket(s, ca_certs= CA, cert_reqs=ssl.CERT_REQUIRED, ssl_version = ssl.PROTOCOL_TLS)

Automatically detect unsafe use of the ssl module

Codiga provides IDE plugins and integrations with GitHub, GitLab, or Bitbucket to detect unsafe usage of the Python ssl module. The Codiga static code analysis not only detects unsafe code but also suggests fixes to correct it. There is a dedicated rule to detect unsafe usage of the ssl module.

Rule to detect unsafe SSL protocols

To use this rule consistently, all you need to do is to install the integration in your IDE (for VS Code or JetBrains) or code management system and add a codiga.yml file at the root of your profile with the following content:

  - python-security

It will then check all your Python code against 100+ rules that detect unsafe and insecure code and suggests fixes for each of them.

More resources

Are you interested in Datadog Static Analysis?

Sign up