Name		Name	Last commit message	Last commit date
parent directory ..
examples		examples
BrokenCryptoAlgorithm.qhelp		BrokenCryptoAlgorithm.qhelp
BrokenCryptoAlgorithm.ql		BrokenCryptoAlgorithm.ql
FluentApiModel.qll		FluentApiModel.qll
InsecureDefaultProtocol.qhelp		InsecureDefaultProtocol.qhelp
InsecureDefaultProtocol.ql		InsecureDefaultProtocol.ql
InsecureProtocol.qhelp		InsecureProtocol.qhelp
InsecureProtocol.ql		InsecureProtocol.ql
PyOpenSSL.qll		PyOpenSSL.qll
README.md		README.md
Ssl.qll		Ssl.qll
TlsLibraryModel.qll		TlsLibraryModel.qll
WeakSensitiveDataHashing.qhelp		WeakSensitiveDataHashing.qhelp
WeakSensitiveDataHashing.ql		WeakSensitiveDataHashing.ql

README.md

Current status (Feb 2021)

This should be kept up to date; the world is moving fast and protocols are being broken.

ssl.wrap_socket is creating insecure connections, use SSLContext.wrap_socket instead. link

Deprecated since version 3.7: Since Python 3.2 and 2.7.9, it is recommended to use the SSLContext.wrap_socket() instead of wrap_socket(). The top-level function is limited and creates an insecure client socket without server name indication or hostname matching.
Default constructors are fine, a fluent API is used to constrain possible protocols later.

TLS 1.2 or TLS 1.3

InsecureProtocol detects uses of insecure protocols.
InsecureDefaultProtocol detect default constructions, this is no longer unsafe.