python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated

Community Favorite
Author: semgrep
Downloads: 48,169

'ssl.wrap_socket()' is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using 'ssl.SSLContext()' and use that to wrap a socket.

Definition

rules:
  - id: ssl-wrap-socket-is-deprecated
    pattern: ssl.wrap_socket(...)
    message: "'ssl.wrap_socket()' is deprecated. This function creates an insecure
      socket without server name indication or hostname matching. Instead,
      create an SSL context using 'ssl.SSLContext()' and use that to wrap a
      socket."
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      references:
        - https://docs.python.org/3/library/ssl.html#ssl.wrap_socket
        - https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket
      category: security
      technology:
        - python
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - python
    severity: WARNING

Examples

ssl-wrap-socket-is-deprecated.py

import socket
import ssl

sock = socket.socket(
    socket.AF_INET,
    socket.SOCK_STREAM | socket.SOCK_NONBLOCK)

# Deprecated call; also pins TLS 1.0. No SNI is sent and the certificate is not
# matched against any hostname.
# ruleid:ssl-wrap-socket-is-deprecated
ssock = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1)

# Deprecated call with defaults: verify_mode is CERT_NONE, so any certificate is accepted.
# ruleid:ssl-wrap-socket-is-deprecated
ssock2 = ssl.wrap_socket(sock)

# Explicit context: certificate required, hostname matching on, system CA store loaded.
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = True
context.load_default_certs()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# server_hostname supplies the SNI value and the name the certificate is checked against.
# ok:ssl-wrap-socket-is-deprecated
ssl_sock = context.wrap_socket(s, server_hostname='www.verisign.com')
ssl_sock.connect(('www.verisign.com', 443))
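The following is an added example, not part of the Semgrep rule or its test file. It shows the replacement the rule message asks for as a reusable client-context builder, an audit helper that reports the two weaknesses the deprecated default call carried (no certificate verification, no hostname matching), and the failure mode a practitioner hits when migrating: a verifying context refuses to wrap a socket without `server_hostname`. Function names are my own choices.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Replacement for ssl.wrap_socket(): a verifying client context.

    create_default_context() sets CERT_REQUIRED, check_hostname=True and
    loads the system CA store; TLS 1.2 is pinned as the floor explicitly.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses a context carries; empty when hardened."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    return findings


def legacy_like_context() -> ssl.SSLContext:
    """Mimic what ssl.wrap_socket() gave by default: no verification, no hostname check."""
    ctx = make_client_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def missing_sni_is_rejected() -> bool:
    """A verifying context refuses to wrap without server_hostname (SNI and match target).

    The ValueError is raised before any I/O, so an unconnected socket suffices.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            make_client_context().wrap_socket(sock)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print(audit_context(make_client_context()))   # []
    print(audit_context(legacy_like_context()))   # two findings
    print(missing_sni_is_rejected())              # True
```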