Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add documentation for python upgrade-sslcontext-tls #64

Merged
merged 1 commit into from
Sep 5, 2023
Merged

Add documentation for python upgrade-sslcontext-tls #64

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions docs/codemods/python/pixee_python_upgrade-sslcontext-tls.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
---
title: Upgrade TLS Version In SSLContext
sidebar_position: 1
---

## pixee:python/upgrade-sslcontext-tls

| Importance | Review Guidance | Requires SARIF Tool |
|------------|----------------------|---------------------|
| High | Merge After Cursory Review | No |

This codemod replaces the use of all unsafe and/or deprecated SSL/TLS versions
in the `ssl.SSLContext` constructor. It uses `PROTOCOL_TLS_CLIENT` instead,
which ensures a safe default TLS version.

Our change involves modifying the argument to `ssl.SSLContext()` to
use `PROTOCOL_TLS_CLIENT`.

```diff
import ssl
- context = ssl.SSLContext(protocol=PROTOCOL_SSLv3)
+ context = ssl.SSLContext(protocol=PROTOCOL_TLS_CLIENT)
```

There is no functional difference between the unsafe and safe versions, and all modern servers offer TLSv1.2.

The use of explicit TLS versions (even safe ones) is deprecated by the `ssl`
module, so it is necessary to choose either `PROTOCOL_TLS_CLIENT` or
`PROTOCOL_TLS_SERVER`. Using `PROTOCOL_TLS_CLIENT` is expected to be the
correct choice for most applications but in some cases it will be necessary to
use `PROTOCOL_TLS_SERVER` instead.

If you have feedback on this codemod, [please let us know](mailto:[email protected])!

## F.A.Q.

### Why is this codemod marked as Merge After Cursory Review?

This codemod replaces any unsafe or deprecated SSL/TLS versions with
`PROTOCOL_TLS_CLIENT`. For client applications this will be the correct choice.
However in some cases the correct choice may actually be `PROTOCOL_TLS_SERVER`.

## References

* [https://docs.python.org/3/library/ssl.html#security-considerations](https://docs.python.org/3/library/ssl.html#security-considerations)
* [https://datatracker.ietf.org/doc/rfc8996/](https://datatracker.ietf.org/doc/rfc8996/)
* [https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1](https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1)
Loading