Recipe Name:
TLS: Weak Encryption: Insecure Version
Description:
Could lead to Data Exposure
Level:
error
Language:
  • java
Tags:
  • security
  • web
  • TLS
  • OWASP Top 10
Documentation

Secure coding practices prescribe that implementations must support Transport Layer Security (TLS) version 1.2.

When using Transport Layer Security, it is required to support TLS protocol version 1.2. Implementations must not negotiate TLS version 1.1 except when no higher version is available. Protocols SSLv2, SSLv3 and TLSv1.0 are prohibited because they are no longer deemed secure. Using older versions of TLS/SSL puts the data being transferred at risk for interception and offline decryption attempts.

To enforce the use of specific protocols, the JVM can be instructed to do so using the following command-line parameter:

-Dhttps.protocols="TLSv1.2,TLSv1.1"

Note that only TLSv1.2 is recommended, TLSv1.1 is listed above to provide an example of the list syntax. In the source code itself, the javax.net.ssl.SSLContext#getInstance method can be used to select the correct protocol.

References
Recipe 
id: scw:web:tls-insecure
version: 10
metadata:
  name: 'TLS: Weak Encryption: Insecure Version'
  shortDescription: Could lead to Data Exposure
  level: error
  language: java
  newCodeOnly: false
  scwCategory: itlp:weakalgorithm
  enabled: true
  descriptionFile: descriptions/TLS_version.html
  tags: security;web;TLS;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          stringified:
            matches: (SSL.*|TLSv1)
    name: getInstance
    declaration:
      type: javax.net.ssl.SSLContext
availableFixes:
- name: Set protocol version to TLSv1.2
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}("TLSv1.2")'