Weak SSL/TLS Protocol Version

HIGH

SSLContext configured with SSLv2, SSLv3, TLSv1.0, or TLSv1.1 uses deprecated protocols with known vulnerabilities. Use TLS 1.2 or TLS 1.3.

Rule Information

Language: Python
Category: Python Core
Author: Shivasurya
Last Updated: 2026-03-22
Tags: python, ssl, tls, weak-protocol, deprecated-tls, CWE-326, OWASP-A02
CWE References

pathfinder scan --ruleset python/PYTHON-LANG-SEC-051 --project .

About This Rule

Understanding the vulnerability and how it is detected

SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are deprecated protocol versions with known cryptographic vulnerabilities that enable various attacks on TLS connections. These protocols should not be enabled in any production system.

SSLv2 (DROWN attack), SSLv3 (POODLE attack), TLS 1.0/1.1 (BEAST, POODLE-TLS, SLOTH, SWEET32) all have published attacks. NIST deprecated TLS 1.0 and 1.1 in 2018, and PCI DSS required migration away from these versions by 2018.

Python's ssl module provides PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER constants that negotiate the highest mutually supported version (at least TLS 1.2 when properly configured). SSLContext should be created with these constants, not with specific deprecated version constants.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. POODLE Attack (SSLv3/TLS 1.0)

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack exploits CBC padding oracle weaknesses in SSLv3 and some TLS 1.0 implementations. An attacker performing a MITM can decrypt individual bytes of the ciphertext by making repeated requests and observing padding validation errors.

2. BEAST Attack (TLS 1.0)

BEAST (Browser Exploit Against SSL/TLS) exploits a chosen-plaintext vulnerability in TLS 1.0's CBC mode implementation. Attackers with network access can recover plaintext from TLS 1.0 connections using this attack.

3. DROWN Attack (SSLv2)

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) allows attackers who can make connections to a server supporting SSLv2 to decrypt TLS connections to that server even from clients that don't use SSLv2, due to shared keys.

4. Protocol Downgrade via Version Negotiation

Enabling old protocol versions allows downgrade attacks where an attacker forces both client and server to negotiate an older, weaker protocol version even though both support TLS 1.3, enabling the older protocol's vulnerabilities.

How to Fix

Recommended remediation steps

  1. Replace all deprecated protocol constants (PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_TLSv1, PROTOCOL_TLSv1_1) with PROTOCOL_TLS_CLIENT or PROTOCOL_TLS_SERVER.
  2. Set ctx.minimum_version = ssl.TLSVersion.TLSv1_2 or TLSv1_3 explicitly to prevent negotiation of older versions.
  3. Use ssl.create_default_context() for client connections, which configures secure defaults including minimum TLS version.
  4. Disable weak cipher suites by setting ctx.set_ciphers() with a strong cipher string excluding RC4, DES, 3DES, and export ciphers.
  5. Test TLS configuration with tools that verify protocol version support and cipher suite strength.
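
The remediation steps above applied in one place, as an added example (not code from this rule page or from Code Pathfinder). The cipher string, the weak-name markers and the `audit_context` helper are assumptions of this example.

```python
import ssl

# Assumed allow-list for TLS 1.2: ECDHE key exchange with AEAD ciphers only.
# TLS 1.3 suites are managed separately by OpenSSL and are not affected.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!3DES"
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def make_client_context(cafile=None):
    """Steps 2-4: secure client defaults plus an explicit TLS 1.2 floor."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def make_server_context(certfile=None, keyfile=None):
    """Steps 1, 2, 4: PROTOCOL_TLS_SERVER instead of a versioned constant."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    if certfile:  # a real server must load its certificate chain
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Step 5, locally: report a weak version floor or weak enabled suites."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    for suite in ctx.get_ciphers():
        if any(marker in suite["name"] for marker in WEAK_MARKERS):
            findings.append("weak cipher enabled: " + suite["name"])
    return findings


if __name__ == "__main__":
    for label, ctx in (("client", make_client_context()),
                       ("server", make_server_context())):
        print(label, ctx.minimum_version.name, audit_context(ctx) or "ok")
```

`audit_context` inspects only the in-process context object; the deployed endpoint still needs an external protocol and cipher scan.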

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule detects ssl.SSLContext() constructor calls where the protocol argument is ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, or ssl.PROTOCOL_TLSv1_1. These are deprecated protocol constants whose use enables insecure protocol versions.
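
A minimal sketch of the same check using Python's `ast` module, as an added example; it is not Code Pathfinder's rule implementation, and the function names and sample source are constructed for illustration.

```python
import ast

DEPRECATED = {"PROTOCOL_SSLv2", "PROTOCOL_SSLv3",
              "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"}


def _name_of(node):
    """Return the trailing identifier of `ssl.X` or bare `X`, else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_weak_protocols(source):
    """Return sorted (line, constant) pairs for SSLContext() calls that
    receive a deprecated protocol constant."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _name_of(node.func) != "SSLContext":
            continue
        # The protocol may be passed positionally or as protocol=...
        candidates = list(node.args[:1])
        candidates += [kw.value for kw in node.keywords if kw.arg == "protocol"]
        for arg in candidates:
            const = _name_of(arg)
            if const in DEPRECATED:
                hits.append((node.lineno, const))
    return sorted(hits)


# Constructed sample input, not code from any real project.
SAMPLE = '''\
import ssl
from ssl import SSLContext, PROTOCOL_TLSv1_1

a = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
b = SSLContext(protocol=PROTOCOL_TLSv1_1)
c = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
d = ssl.create_default_context()
e = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
'''

if __name__ == "__main__":
    for line, const in find_weak_protocols(SAMPLE):
        print(f"line {line}: ssl.SSLContext created with {const}")
```

This sketch matches only constants written directly in the call; a constant first assigned to a variable or imported under an alias is not followed.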

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

  • PCI DSS v4.0: Requirement 4.2.1 - TLS 1.2+ required; TLS 1.0 and 1.1 prohibited
  • NIST SP 800-52 Revision 2: TLS 1.2 minimum required; TLS 1.3 recommended
  • OWASP Top 10: A02:2021 - Cryptographic Failures
  • FIPS 140-3: Only TLS 1.2 and TLS 1.3 are approved for FIPS 140-3 compliant systems

Frequently Asked Questions

Common questions about Weak SSL/TLS Protocol Version

ssl.PROTOCOL_SSLv2 was removed in Python 3.7 and ssl.PROTOCOL_SSLv3 in Python 3.10 as these protocols are completely insecure. Using these constants will raise an error. ssl.PROTOCOL_TLSv1 and ssl.PROTOCOL_TLSv1_1 were deprecated in Python 3.10 and removed in Python 3.12. Code using these constants needs to be updated to PROTOCOL_TLS_CLIENT or PROTOCOL_TLS_SERVER.
TLS 1.2 is the current minimum for compliance with PCI DSS and NIST guidance. TLS 1.3 is strongly recommended for new systems as it has a simpler, more secure handshake, removes all cipher suites with known weaknesses, and provides forward secrecy by default. Configure minimum_version = ssl.TLSVersion.TLSv1_2 at minimum.
ssl.PROTOCOL_TLS is deprecated as of Python 3.10. ssl.PROTOCOL_TLS_CLIENT is the recommended replacement for client contexts and automatically enables certificate verification (check_hostname=True, verify_mode=CERT_REQUIRED). ssl.PROTOCOL_TLS_SERVER is for server contexts. Always use the CLIENT/SERVER variants.
Set ctx.minimum_version = ssl.TLSVersion.TLSv1_3 and ctx.maximum_version = ssl.TLSVersion.TLSv1_3 on the SSL context. Note that this may prevent connections with older clients or servers that don't support TLS 1.3. For compatibility, use TLSv1_2 as minimum and allow TLS 1.3 negotiation.
This rule specifically checks for deprecated protocol version constants. Weak cipher suite configuration (RC4, DES, export ciphers, NULL ciphers) is a related concern that requires additional review of the cipher string passed to ctx.set_ciphers().
With TLS 1.2+ enforced on the client, the TLS handshake will fail with a protocol version error. The correct response is to update the server to support TLS 1.2 or higher, not to lower the client's minimum version. If the legacy server cannot be updated, document the risk, isolate the connection, and plan migration.
