python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers
Author: semgrep
Download Count: 7,311
The 'ssl' module disables insecure cipher suites by default, so 'set_ciphers()' should only be called when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.
Definition
rules:
  - id: no-set-ciphers
    pattern: $CONTEXT.set_ciphers(...)
    message: The 'ssl' module disables insecure cipher suites by default. Therefore,
      use of 'set_ciphers()' should only be used when you have very specialized
      requirements. Otherwise, you risk lowering the security of the SSL
      channel.
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      asvs:
        section: V9 Communications Verification Requirements
        control_id: 9.1.3 Weak TLS
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements
        version: "4"
      references:
        - https://docs.python.org/3/library/ssl.html#cipher-selection
        - https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers
      category: security
      technology:
        - ssl
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - python
    severity: WARNING
Examples
no-set-ciphers.py
import ssl
context = ssl.create_default_context()
# cf. https://stackoverflow.com/questions/49774366/how-to-set-ciphers-in-ssl-python-socket
cipher = 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256'
# ruleid: no-set-ciphers
context.set_ciphers(cipher)
# ok: no-set-ciphers
print(context.get_ciphers())
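When this rule fires, the reviewer's question is whether the custom string only narrows the default selection or re-enables suites the defaults exclude (CBC/SHA-1 MAC, no forward secrecy, short keys). The following is an added example, not part of the Semgrep rule or its test file: it audits the dictionaries returned by SSLContext.get_ciphers() and applies the check to the cipher string from the example above. The SAMPLE_CIPHERS entries are constructed, and the weakness criteria are this example's own choice.

```python
"""Audit a cipher selection before trusting a set_ciphers() call."""
import ssl

# Constructed entries in the shape ssl.SSLContext.get_ciphers() returns
# (only the keys this check reads; real entries carry more fields).
SAMPLE_CIPHERS = [
    {"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "aead": True, "digest": None, "strength_bits": 128},
    {"name": "DHE-RSA-AES128-SHA", "protocol": "TLSv1.2",
     "kea": "kx-dhe", "aead": False, "digest": "sha1", "strength_bits": 128},
    {"name": "AES128-SHA", "protocol": "TLSv1.2",
     "kea": "kx-rsa", "aead": False, "digest": "sha1", "strength_bits": 128},
]

# Key-exchange values that provide forward secrecy; kx-any is what TLS 1.3
# suites report, and TLS 1.3 is always (EC)DHE.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}


def weaknesses(cipher):
    """List the reasons one get_ciphers() entry is weaker than Python's defaults."""
    reasons = []
    if cipher.get("kea") not in FORWARD_SECRET_KEA:
        reasons.append("no forward secrecy")
    if not cipher.get("aead"):
        reasons.append("not AEAD (CBC mode)")
    if cipher.get("digest") == "sha1":
        reasons.append("SHA-1 MAC")
    if cipher.get("strength_bits", 0) < 128:
        reasons.append("<128-bit key")
    return reasons


def audit(ciphers):
    """Map cipher name -> weaknesses for every entry that has at least one."""
    findings = {}
    for cipher in ciphers:
        reasons = weaknesses(cipher)
        if reasons:
            findings[cipher["name"]] = reasons
    return findings


def audit_cipher_string(cipher_string):
    """Resolve a set_ciphers() string against the local OpenSSL and audit it.

    Returns (resolved cipher names, findings). Empty findings mean the string
    only narrowed the defaults; any finding is a suite the defaults would not
    have offered. Result depends on the installed OpenSSL version.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)  # the call the rule flags; only inspected here
    resolved = ctx.get_ciphers()
    return [c["name"] for c in resolved], audit(resolved)


if __name__ == "__main__":
    # The cipher string from the rule's example file above.
    page_string = "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256"
    try:
        names, findings = audit_cipher_string(page_string)
        print("resolved:", names)
        for name, reasons in findings.items():
            print(f"WEAK {name}: {', '.join(reasons)}")
    except ssl.SSLError as exc:  # string rejected by this OpenSSL build
        print("set_ciphers() rejected the string:", exc)
```

Running it against `ssl.create_default_context()` without calling set_ciphers() should produce no findings; a non-empty result for a custom string is the concrete evidence this audit rule is asking you to look for.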
Short Link: https://sg.run/0Q0v