SSL 100¶
Using defaults in SSL module can lead to insecure protocol usage.
Python 3.6 applies PROTOCOL_TLS
as the default value, so if no value is specified and your Python version is detected to be 3.6+ this issue won’t be shown.
Fixes¶
- Use
ssl.create_default_context()
instead of trying to do this yourself - Do not use version specifiers, use
PROTOCOL_TLS
with options disallowing the bad protocols
See Also¶
- http://heartbleed.com/
- http://poodlebleed.com/
- https://www.openssl.org/~bodo/ssl-poodle.pdf
- https://docs.python.org/3/library/ssl.html#ssl-security