Deprecated ssl.wrap_socket() Usage
pathfinder scan --ruleset python/PYTHON-LANG-SEC-052 --project .
About This Rule
Understanding the vulnerability and how it is detected
ssl.wrap_socket() is a deprecated convenience function that wraps a plain socket in TLS. It was deprecated in Python 3.7 and removed in Python 3.12 because it is poorly configurable, ships insecure defaults, and cannot express the TLS controls the SSLContext API provides.
The function has several security concerns: its ssl_version defaults to ssl.PROTOCOL_TLS, which leaves the protocol floor to OpenSSL and may allow TLS 1.0 and 1.1; its cert_reqs defaults to ssl.CERT_NONE, so the peer certificate is not verified unless the caller asks for it (an SSLContext created with PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True); it has no server_hostname parameter, so hostname checking and SNI are unavailable; and it exposes only a ciphers string, with no access to minimum_version, options, or the other context settings.
The replacement is an ssl.SSLContext created with the appropriate protocol constant (PROTOCOL_TLS_CLIENT or PROTOCOL_TLS_SERVER), configured with a minimum protocol version, cipher suites and certificate requirements, followed by context.wrap_socket() on the socket, passing server_hostname= on the client side.
Security Implications
Potential attack scenarios if this vulnerability is exploited
Weak Default Configuration
ssl.wrap_socket() defaults to cert_reqs=ssl.CERT_NONE, so unless the caller passes CERT_REQUIRED together with ca_certs it accepts any certificate, and because it has no server_hostname parameter it never checks that the certificate matches the host being contacted. The result is a connection that is encrypted but not authenticated: an on-path attacker can present their own certificate and read or modify the traffic, while the code appears to use TLS.
No Minimum Protocol Version Enforcement
Without an explicit SSLContext, ssl.wrap_socket() relies on the protocol floor of the OpenSSL build and the system openssl.cnf, which may still permit TLS 1.0 or 1.1 to be negotiated. An explicit context lets the application pin ctx.minimum_version = ssl.TLSVersion.TLSv1_2 regardless of platform defaults.
Limited Cipher Suite Control
The function's only cipher-related parameter is the ciphers string; it gives no access to SSLContext.options, set_ecdh_curve(), minimum_version or the other context settings. Callers who omit ciphers get whatever the OpenSSL default list permits, which on older builds may include weak suites.
Deprecated API with Reduced Security Maintenance
Deprecated APIs receive less security review and do not benefit from hardening applied to the SSLContext API; in this case the function was removed outright in Python 3.12, so code that still calls it fails with AttributeError on current interpreters. Using SSLContext keeps the code working and gives access to all current and future TLS security controls.
How to Fix
Recommended remediation steps
1. Replace ssl.wrap_socket() with ssl.create_default_context().wrap_socket(sock, server_hostname=host) for client connections; the default context enforces certificate verification and, given server_hostname, hostname checking.
2. For server sockets, create an explicit ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER), load the certificate with load_cert_chain(), set minimum_version to TLSv1_2, then call context.wrap_socket(sock, server_side=True).
3. Set ctx.minimum_version = ssl.TLSVersion.TLSv1_2 explicitly on every SSLContext to prevent negotiation of older protocol versions, even where create_default_context() already does so (Python 3.10 and later).
4. Restrict cipher suites via ctx.set_ciphers() to exclude weak algorithms such as RC4, DES/3DES and export-grade ciphers; this governs TLS 1.2 and earlier only, since TLS 1.3 suites are fixed.
5. Use ctx.load_verify_locations() or ssl.create_default_context(cafile=...) for custom CA certificates rather than relaxing verification.
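The following is an added example, not code from Code Pathfinder or from the Python documentation, showing the deprecated call the rule flags beside the client and server SSLContext replacements described in the steps above and in About This Rule. The cipher string, the audit helper and the certfile/keyfile parameters are illustrative assumptions; wrapping an unconnected socket performs no handshake, so the comparison of defaults runs offline.

```python
"""Deprecated ssl.wrap_socket() beside explicit SSLContext replacements.

Added example for rule PYTHON-LANG-SEC-052; not the project's own code.
"""
import socket
import ssl
import warnings

# Illustrative cipher list (assumption): forward-secret AEAD suites only.
# RC4, DES and 3DES are excluded by name; export-grade suites no longer
# exist in modern OpenSSL builds, so no alias for them is required.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES"

# Substrings that identify suites a hardened context must not offer.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def audit_context(ctx):
    """Summarise the properties this rule cares about for one SSLContext."""
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)})
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": weak,
    }


def legacy_client_defaults():
    """What the deprecated helper silently configures (the flagged pattern).

    Returns None on Python 3.12+, where ssl.wrap_socket() no longer exists.
    """
    if not hasattr(ssl, "wrap_socket"):
        return None
    plain = socket.socket()  # unconnected: no handshake is attempted
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        tls = ssl.wrap_socket(plain)  # cert_reqs=CERT_NONE, no server_hostname
    try:
        return audit_context(tls.context)
    finally:
        tls.close()


def make_client_context(cafile=None):
    """Client replacement: verification, hostname checking, pinned floor.

    create_default_context() sets CERT_REQUIRED and check_hostname=True; the
    minimum version is pinned here so it does not depend on the Python release
    or on the system openssl.cnf.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def connect_tls(host, port=443, timeout=5.0):
    """Client usage: server_hostname drives both hostname checking and SNI."""
    ctx = make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


def make_server_context(certfile=None, keyfile=None):
    """Server replacement for ssl.wrap_socket(..., server_side=True).

    certfile/keyfile are the operator's PEM paths (assumed); the chain is only
    loaded when given so the configuration itself can be inspected offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    print("legacy wrap_socket():", legacy_client_defaults())
    print("hardened client:", audit_context(make_client_context()))
    print("hardened server:", audit_context(make_server_context()))
```

On an interpreter that still has ssl.wrap_socket(), the first line of output shows verify_required and hostname_checked both False, which is exactly the silent failure the rule exists to catch; the server audit reports verify_required False as well, which is expected because a server does not verify client certificates unless mutual TLS is configured.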
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
This rule detects calls to the top-level ssl.wrap_socket() function from the ssl module. This is distinct from SSLContext.wrap_socket(), a method on a context instance, which is the recommended replacement and is not flagged. All call sites are flagged, since the top-level function is deprecated, has weaker default security properties, and no longer exists on Python 3.12 and later.
Similar Rules
Explore related security rules for Python
Unverified SSL Context Created
ssl._create_unverified_context() disables certificate verification entirely, making TLS connections vulnerable to man-in-the-middle attacks.
Weak SSL/TLS Protocol Version
SSLContext configured with SSLv2, SSLv3, TLSv1.0, or TLSv1.1 uses deprecated protocols with known vulnerabilities. Use TLS 1.2 or TLS 1.3.
Certificate Validation Disabled (verify=False)
TLS certificate validation is explicitly disabled via verify=False or CERT_NONE, making connections vulnerable to man-in-the-middle attacks.