ssl — no timeout
Synchronous Access of ssl without Timeout
The ssl.get_server_certificate() function is used to retrieve the
certificate from an SSL-enabled server. By default, this function does not
enforce a timeout on the network connection, which means that an application
could block indefinitely if the server is unresponsive or experiences a
network issue. This can result in resource exhaustion, Denial of Service
(DoS), or unresponsive behavior in the application, especially in production
environments.
This rule ensures that a timeout parameter is provided when calling
ssl.get_server_certificate() to prevent the risk of indefinite blocking
during the SSL certificate retrieval process.
If no timeout is specified in ssl.get_server_certificate(), the application
may block indefinitely while waiting for a response from the server. This can
lead to resource exhaustion, slow performance, or unresponsive behavior in the
application.
Example
get_server_certificate_no_timeout.py (vulnerable listing; not reproduced in this extract)
Example Output
> precli tests/unit/rules/python/stdlib/ssl/examples/get_server_certificate_no_timeout.py
⚠️ Warning on line 9 in tests/unit/rules/python/stdlib/ssl/examples/get_server_certificate_no_timeout.py
PY046: Synchronous Access of Remote Resource without Timeout
The function 'ssl.get_server_certificate' is used without a timeout, which may cause the application to block indefinitely if the remote server does not respond.
Remediation
- Python 3.10 and later: Always provide a timeout parameter when using ssl.get_server_certificate().
- Python versions before 3.10: Use socket.setdefaulttimeout() to globally enforce a timeout for all socket connections, including those made by ssl.get_server_certificate().
get_server_certificate_no_timeout.py (remediated listing; not reproduced in this extract)
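The following is an added example, not precli's own code or the rule's listing. It shows both halves of the remediation in one helper (the timeout keyword on Python 3.10 and later, socket.setdefaulttimeout() as the fallback on older interpreters, restored afterwards so the global default is not left changed), together with a small ast-based check that mirrors what PY046 looks for: a call to ssl.get_server_certificate() with neither a timeout keyword nor a fourth positional argument. The sample source it scans is constructed here; the function and variable names are this example's own.

```python
"""Added example (not precli's code): bounded certificate retrieval plus an
ast check that finds ssl.get_server_certificate() calls with no timeout."""
import ast
import socket
import ssl
import sys


def get_cert_with_timeout(host, port=443, timeout=5.0):
    """Fetch a server's PEM certificate with a bound on the wait.

    On 3.10+ the timeout keyword limits connect and handshake time; before
    3.10 the function has no such parameter, so the process-wide default
    socket timeout is set for the duration of the call and then restored.
    """
    if sys.version_info >= (3, 10):
        return ssl.get_server_certificate((host, port), timeout=timeout)
    previous = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)
    try:
        return ssl.get_server_certificate((host, port))
    finally:
        socket.setdefaulttimeout(previous)


def _is_get_server_certificate(func):
    """True for `ssl.get_server_certificate` or a bare `get_server_certificate`
    name (the bare form assumes `from ssl import get_server_certificate`)."""
    if isinstance(func, ast.Attribute):
        return (func.attr == "get_server_certificate"
                and isinstance(func.value, ast.Name)
                and func.value.id == "ssl")
    return isinstance(func, ast.Name) and func.id == "get_server_certificate"


def find_calls_without_timeout(source):
    """Return (line, column) for each get_server_certificate call that passes
    no timeout. A timeout counts as present when given by keyword, as the
    fourth positional argument (addr, ssl_version, ca_certs, timeout), or
    when a **kwargs splat makes the call's keywords unknowable."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_get_server_certificate(node.func):
            continue
        has_timeout = (
            any(kw.arg == "timeout" or kw.arg is None for kw in node.keywords)
            or len(node.args) >= 4
        )
        if not has_timeout:
            findings.append((node.lineno, node.col_offset))
    return findings


# Constructed sample: one unbounded call (line 5) and one bounded call.
SAMPLE = """\
import ssl

def unsafe(host):
    # PY046: no bound on how long the remote server may keep us waiting
    return ssl.get_server_certificate((host, 443))

def safe(host):
    return ssl.get_server_certificate((host, 443), timeout=5)
"""


if __name__ == "__main__":
    for line, col in find_calls_without_timeout(SAMPLE):
        print(f"line {line}, col {col}: ssl.get_server_certificate called without timeout")
```

Running the module prints one finding for line 5 of the constructed sample and nothing for the bounded call. The check is deliberately simpler than precli's (it does not resolve aliased imports), but it captures the condition the rule reports. Restoring the previous default in get_cert_with_timeout matters because socket.setdefaulttimeout() affects every socket created afterwards in the process, including ones unrelated to TLS.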
Default Configuration
See also
Info
New in version 0.6.7