Skip to content

ssl-with-bad-defaults (S503)#

Derived from the flake8-bandit linter.

What it does#

Checks for function definitions with default arguments set to insecure SSL and TLS protocol versions.

Why is this bad?#

Several highly publicized exploitable flaws have been discovered in all versions of SSL and early versions of TLS. The following versions are considered insecure, and should be avoided:

  • SSL v2
  • SSL v3
  • TLS v1
  • TLS v1.1


import ssl

def func(version=ssl.PROTOCOL_TLSv1):

Use instead:

import ssl

def func(version=ssl.PROTOCOL_TLSv1_2):