SSL 100¶

Using defaults in SSL module can lead to insecure protocol usage.

Python 3.6 applies PROTOCOL_TLS as the default value, so if no value is specified and your Python version is detected to be 3.6+ this issue won’t be shown.

Fixes¶

Use ssl.create_default_context() instead of trying to do this yourself
Do not use version specifiers, use PROTOCOL_TLS with options disallowing the bad protocols

See Also¶

http://heartbleed.com/
http://poodlebleed.com/
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://docs.python.org/3/library/ssl.html#ssl-security

Fork me on GitHub