# Insecure TLS Configuration

Encryption powers the modern internet, allowing transmission of secrets across a network in such a way they cannot be inspected or tampered with by a third party. Your code should be configured to communicate over the internet using encrypted protocols. Any HTTPS communication should use a modern version of *Transport Layer Security* (TLS) and a secure cipher suite.

## TLS Connections in Python

Any TLS connections you make in Python code must use a modern version of the TLS protocol. This means deprecating older TLS versions on your web-server, and specifying one of the following versions of TLS when creating an outgoing TLS connection:

* TLS v1.2
* TLS v1.3
* DTLS v1.2
* DTLS v1.3

Here’s how to perform a simple HTTPS request with the `urllib3` library, specifying the minimum version of TLS:

```python
import ssl
import urllib3

# Weak setting: lets the connection negotiate TLS 1.0
http = urllib3.PoolManager(ssl_minimum_version=ssl.TLSVersion.TLSv1)
response = http.request("GET", "https://tls-v1-0.badssl.com:1010")
```

`urllib3` by default expects the server to support TLS 1.2, so specifying a weaker version of the protocol (as shown above) should be avoided.
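One way to catch the weak setting above in review or CI is to scan source code for it. The following is an added example, not code from the original page or from ShiftLeft; the names `find_weak_tls`, `WEAK_VERSIONS` and `SAMPLE` are hypothetical, and the check assumes the version is written as a literal `TLSVersion` member.

```python
import ast

# TLSVersion members older than TLS 1.2, which the text above says to avoid.
WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1_1"}
# Where a minimum version is set: urllib3's keyword and SSLContext's attribute.
VERSION_KEYWORDS = {"ssl_minimum_version"}
VERSION_ATTRIBUTES = {"minimum_version"}


def _weak_member(node):
    """Return the member name if node is [ssl.]TLSVersion.<weak member>."""
    if isinstance(node, ast.Attribute) and node.attr in WEAK_VERSIONS:
        owner = node.value
        owner_name = getattr(owner, "attr", None) or getattr(owner, "id", None)
        if owner_name == "TLSVersion":
            return node.attr
    return None


def find_weak_tls(source):
    """Return sorted (line, setting, version) tuples for weak minimum versions."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                member = _weak_member(kw.value)
                if kw.arg in VERSION_KEYWORDS and member:
                    findings.append((kw.value.lineno, kw.arg, member))
        elif isinstance(node, ast.Assign):
            member = _weak_member(node.value)
            for target in node.targets:
                if (isinstance(target, ast.Attribute)
                        and target.attr in VERSION_ATTRIBUTES and member):
                    findings.append((node.lineno, target.attr, member))
    return sorted(findings)


# Constructed sample input: the weak call from this page, a hardened call,
# and a weak assignment on an ssl.SSLContext.
SAMPLE = '''\
import ssl, urllib3
weak = urllib3.PoolManager(ssl_minimum_version=ssl.TLSVersion.TLSv1)
good = urllib3.PoolManager(ssl_minimum_version=ssl.TLSVersion.TLSv1_2)
ctx = ssl.create_default_context()
ctx.minimum_version = ssl.TLSVersion.TLSv1_1
'''

if __name__ == "__main__":
    for line, setting, version in find_weak_tls(SAMPLE):
        print(f"line {line}: {setting} allows {version}")
```

The scanner only sees versions passed as literals; a value read from a variable or configuration file needs a runtime check on the resulting context instead.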

## CWEs

* [CWE-326](https://cwe.mitre.org/data/definitions/326.html)
* [CWE-327](https://cwe.mitre.org/data/definitions/327.html)
