Python: Update old test and qlhelp

yoff · yoff · commit ea8c6f04e2ba · 2021-03-03T17:50:46.000+01:00
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp b/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
@@ -13,8 +13,8 @@
 
           <p>
             Ensure that a modern, strong protocol is used. All versions of SSL,
-            and TLS 1.0 are known to be vulnerable to attacks. Using TLS 1.1 or
-            above is strongly recommended.
+            and TLS versions 1.0 and 1.1 are known to be vulnerable to attacks.
+            Using TLS 1.2 or above is strongly recommended.
           </p>
 
      </recommendation>
@@ -30,7 +30,7 @@
 
           <p>
             All cases should be updated to use a secure protocol, such as
-            <code>PROTOCOL_TLSv1_1</code>.
+            <code>PROTOCOL_TLSv1_2</code>.
           </p>
           <p>
             Note that <code>ssl.wrap_socket</code> has been deprecated in
diff --git a/python/ql/src/Security/CWE-327/ReadMe.md b/python/ql/src/Security/CWE-327/ReadMe.md
@@ -0,0 +1,24 @@
+# Current status (Feb 2021)
+
+This should be kept up to date; the world is moving fast and protocols are being broken.
+
+## Protocols
+
+- All versions of SSL are insecure
+- TLS 1.0 and TLS 1.1 are insecure
+- TLS 1.2 have some issues. but TLS 1.3 is not widely supported
+
+## Conection methods
+
+- `ssl.wrap_socket` is creating insecure connections, use `SSLContext.wrap_socket` instead. [link](https://docs.python.org/3/library/ssl.html#ssl.wrap_socket)
+    > Deprecated since version 3.7: Since Python 3.2 and 2.7.9, it is recommended to use the `SSLContext.wrap_socket()` instead of `wrap_socket()`. The top-level function is limited and creates an insecure client socket without server name indication or hostname matching.
+- Default consteructors are fine, a sluent api is used to constrain possible protocols later.
+
+## Current recomendation
+
+TLS 1.2 or TLS 1.3
+
+## Queries
+
+- `InsecureProtocol` detects uses of insecure protocols.
+- `InsecureDefaultProtocol` detect default constructions, this is no longer unsafe.
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
@@ -1,5 +1,5 @@
 import ssl
-from pyOpenSSL import SSL
+from OpenSSL import SSL
 from ssl import SSLContext
 
 # true positives
@@ -33,9 +33,9 @@
 
 # secure versions
 
-ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_1)
-SSLContext(protocol=ssl.PROTOCOL_TLSv1_1)
-SSL.Context(SSL.TLSv1_1_METHOD)
+ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2)
+SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
+SSL.Context(SSL.TLSv1_2_METHOD)
 
 # possibly insecure default
 ssl.wrap_socket()
