Usage of deprecated TLS version

• Rule ID: python_lang_weak_tls_version
• Languages: python
• Source: weak_tls_version.yml

Description

TLS (Transport Layer Security) versions 1.0 and 1.1 have known vulnerabilities and using them introduces security risks to your application. These outdated TLS versions can lead to the interception and compromise of sensitive data during transmission.

Remediations

• Do enforce the use of TLS 1.3 when configuring SSL. TLS 1.3 offers significant security improvements, helping to protect data from known vulnerabilities present in older versions.

  context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
  context.minimum_version = ssl.TLSVersion.TLSv1_3

• Do utilize configurations that support Perfect Forward Secrecy (PFS) with TLS 1.3. PFS enhances security by ensuring that past communications remain secure even if future session keys are compromised.
• Do not configure your server to accept TLS versions 1.0 or 1.1. Removing these options from your TLS configuration is crucial to prevent downgrade attacks.

References

• IETF's Deprecation of TLS 1.0 and 1.1
• OWASP TLS Cheat Sheet
• Python ssl module documentation

Associated CWE

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_lang_weak_tls_version

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_lang_weak_tls_version