ssl — unverified context

Improper Certificate Validation Using ssl._create_unverified_context

The Python function ssl._create_unverified_context() creates an SSL context that does not verify the server's certificate. This means that an attacker can easily impersonate a legitimate server and fool your application into connecting to it.

If you use ssl._create_unverified_context, you are opening your application up to a number of security risks, including:

  • Machine-in-the-middle attacks
  • Session hijacking
  • Data theft

Example

create_unverified_context.py

import ssl


context = ssl._create_unverified_context()

Example Output

> precli tests/unit/rules/python/stdlib/ssl/examples/create_unverified_context.py
⚠️  Warning on line 4 in tests/unit/rules/python/stdlib/ssl/examples/create_unverified_context.py
PY017: Improper Certificate Validation
The 'ssl._create_unverified_context' function does not properly validate certificates.

Remediation

If you need to connect to a server over HTTPS, you should use the ssl.create_default_context() function instead. This function will verify the server's certificate, which will help to protect your application from these security risks.

create_unverified_context.py

import ssl


context = ssl.create_default_context()
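The following is an added example, not part of this page or of precli itself. It shows what the PY017 check is looking for and why the remediation matters: a small AST-based finder that reports the line of each ssl._create_unverified_context() call (here run over the four-line file above, where the call is on line 4), and a comparison of the verification settings on an unverified context versus one from ssl.create_default_context(). The sample source is constructed for the example.

```python
import ast
import ssl

# Constructed sample: the four-line file from this page; the risky call sits on line 4.
SAMPLE_SOURCE = "import ssl\n\n\ncontext = ssl._create_unverified_context()\n"

TARGET = "_create_unverified_context"


def find_unverified_contexts(source: str) -> list[int]:
    """Return line numbers of every ssl._create_unverified_context() call in `source`.

    A stand-in for the PY017 check: it walks the AST rather than grepping, so the
    name inside a comment or string does not trigger it. It recognises
    `ssl.<name>()` after `import ssl` and a bare `<name>()` after
    `from ssl import <name>`; aliased imports (`import ssl as s`) are out of scope.
    """
    tree = ast.parse(source)
    imported_bare = any(
        isinstance(node, ast.ImportFrom) and node.module == "ssl"
        and any(alias.name == TARGET for alias in node.names)
        for node in ast.walk(tree)
    )
    hits: list[int] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr == TARGET
                and isinstance(func.value, ast.Name) and func.value.id == "ssl"):
            hits.append(node.lineno)
        elif imported_bare and isinstance(func, ast.Name) and func.id == TARGET:
            hits.append(node.lineno)
    return sorted(hits)


def verification_settings(context: ssl.SSLContext) -> dict:
    """Report the two attributes that decide whether the peer certificate is checked."""
    return {"check_hostname": context.check_hostname, "verify_mode": context.verify_mode}


def compare_contexts() -> dict:
    """Unverified context (CERT_NONE, no hostname check) beside the verifying default."""
    return {
        "unverified": verification_settings(ssl._create_unverified_context()),
        "default": verification_settings(ssl.create_default_context()),
    }


if __name__ == "__main__":
    print("PY017 hits on lines:", find_unverified_contexts(SAMPLE_SOURCE))  # [4]
    print(compare_contexts())
```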

Default Configuration

enabled = true
level = "warning"

See also

New in version 0.1.0