From 09f0fa9ce70f2aa9c65d34f3e8e5b752567cc792 Mon Sep 17 00:00:00 2001 From: Ian Cordasco Date: Thu, 12 Feb 2015 11:33:26 -0600 Subject: [PATCH] Remove the check for PROTOCOL_SSLv23 PROTOCOL_SSLv23 is a constant (admittedly poorly named) that will always negotiate the highest protocol version that both the client and server support. It will, for example, negotiate TLSv1.2 if both client and server can use it. Calling it out as "insecure" is patently wrong. Change-Id: Ie4f16bee35e7e8be2c6e55e28384d2c6c554d249 --- bandit.yaml | 1 - examples/ssl-insecure-version.py | 5 ----- tests/test_functional.py | 2 +- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/bandit.yaml b/bandit.yaml index 00c83975..8bd97ea6 100644 --- a/bandit.yaml +++ b/bandit.yaml @@ -90,7 +90,6 @@ hardcoded_password: ssl_with_bad_version: bad_protocol_versions: - 'PROTOCOL_SSLv2' - - 'PROTOCOL_SSLv23' - 'SSLv2_METHOD' - 'SSLv23_METHOD' - 'PROTOCOL_SSLv3' # strict option diff --git a/examples/ssl-insecure-version.py b/examples/ssl-insecure-version.py index ba4815cb..bd6f6591 100644 --- a/examples/ssl-insecure-version.py +++ b/examples/ssl-insecure-version.py @@ -2,12 +2,10 @@ import ssl from pyOpenSSL import SSL ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2) -ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv23) SSL.Context(method=SSL.SSLv2_METHOD) SSL.Context(method=SSL.SSLv23_METHOD) herp_derp(ssl_version=ssl.PROTOCOL_SSLv2) -herp_derp(ssl_version=ssl.PROTOCOL_SSLv23) herp_derp(method=SSL.SSLv2_METHOD) herp_derp(method=SSL.SSLv23_METHOD) @@ -27,9 +25,6 @@ ssl.wrap_socket() def open_ssl_socket(version=ssl.PROTOCOL_SSLv2): pass -def open_ssl_socket(version=ssl.PROTOCOL_SSLv23): - pass - def open_ssl_socket(version=SSL.SSLv2_METHOD): pass diff --git a/tests/test_functional.py b/tests/test_functional.py index 9f44c492..7af3944a 100644 --- a/tests/test_functional.py +++ b/tests/test_functional.py 
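Review bot: Dropping `'PROTOCOL_SSLv23'` from `bad_protocol_versions` while leaving `'SSLv23_METHOD'` in the list (two lines below the removed entry) makes the rule inconsistent, because pyOpenSSL's SSLv23_METHOD is the same negotiate-the-highest-mutual-version setting as Python's PROTOCOL_SSLv23; either both entries should go or both should stay. The commit message's rationale is also only half the picture: a context built on either constant still accepts SSLv3, and SSLv2 on OpenSSL builds that still ship it, unless the caller also sets OP_NO_SSLv3/OP_NO_SSLv2, and a bare `ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv23)` such as the one removed from the example file does not, as far as I can tell, disable SSLv3 on the Python releases current at this commit's date — which is the POODLE downgrade case. Rather than deleting the entry outright, consider keeping it in the same tier as `'PROTOCOL_SSLv3' # strict option` with a comment like `# negotiates the highest mutual version, but still permits SSLv3 unless OP_NO_SSLv3 is set`, so the finding reads as "check your OP_NO_* options" rather than "insecure". The list continues past the end of this hunk, so I cannot see whether a later entry already covers that.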
@@ -190,7 +190,7 @@ class FunctionalTests(unittest.TestCase):
     def test_ssl_insecure_version(self):
         path = os.path.join(os.getcwd(), 'examples', 'ssl-insecure-version.py')
         self.b_mgr.run_scope([path])
-        self.assertEqual(self.b_mgr.scores[0], 141)
+        self.assertEqual(self.b_mgr.scores[0], 121)
 
     def test_subprocess_call_linebreaks(self):
         path = os.path.join(os.getcwd(), 'examples',