- java
- security
- web
- TLS
- OWASP Top 10
Secure coding practices prescribe that implementations must support Transport Layer Security (TLS) version 1.2.
Implementations that use Transport Layer Security are required to support TLS protocol version 1.2. They must not negotiate TLS version 1.1 except when no higher version is available. The protocols SSLv2, SSLv3 and TLSv1.0 are prohibited because they are no longer deemed secure. Using older versions of TLS/SSL puts the data being transferred at risk of interception and offline decryption attempts.
To enforce the use of specific protocols, the JVM can be instructed to do so using the following command-line parameter:
-Dhttps.protocols="TLSv1.2,TLSv1.1"
Note that only TLSv1.2 is recommended; TLSv1.1 is listed above to provide an example of the list syntax. In the source code itself, the javax.net.ssl.SSLContext#getInstance method can be used to select the correct protocol.
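The following added example (not part of the original recipe or of Sensei) shows the getInstance call described above and then pins the enabled protocol list explicitly, because the "TLSv1.2" algorithm name only guarantees that TLSv1.2 is supported and other versions may remain enabled depending on the provider and JDK configuration. The class and method names (Tls12Only, tls12Context, tls12Engine) are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;

// Added example; Tls12Only and its methods are hypothetical names.
public class Tls12Only {

    // Request a TLSv1.2 context with the JVM's default key and trust managers.
    static SSLContext tls12Context() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        return ctx;
    }

    // Create a client-mode engine and restrict it to TLSv1.2 only.
    // Client mode is set first so the provider does not reset the
    // protocol list to its defaults afterwards.
    static SSLEngine tls12Engine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.2"});
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = tls12Context();

        // What the context enables when nothing is pinned (varies by JDK).
        SSLEngine unpinned = ctx.createSSLEngine();
        unpinned.setUseClientMode(true);
        System.out.println("default enabled: "
                + Arrays.toString(unpinned.getEnabledProtocols()));

        // After pinning, exactly one protocol must remain; fail closed otherwise.
        SSLEngine pinned = tls12Engine(ctx);
        String[] enabled = pinned.getEnabledProtocols();
        System.out.println("pinned enabled:  " + Arrays.toString(enabled));
        if (!Arrays.equals(enabled, new String[] {"TLSv1.2"})) {
            throw new IllegalStateException("unexpected protocols enabled: "
                    + Arrays.toString(enabled));
        }
    }
}
```

The https.protocols property shown earlier applies to connections made through HttpsURLConnection; code that creates its own sockets or engines needs the explicit pinning shown here.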
id: scw:web:tls-outdated
version: 10
metadata:
  name: 'TLS: Weak Encryption: Outdated Version'
  shortDescription: Could lead to Data Exposure
  level: warning
  language: java
  newCodeOnly: false
  scwCategory: itlp:weakalgorithm
  enabled: true
  descriptionFile: descriptions/TLS_version.html
  tags: security;web;TLS;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          stringified:
            matches: TLSv1.1
    name: getInstance
    declaration:
      type: javax.net.ssl.SSLContext
availableFixes:
- name: Set protocol version to TLSv1.2
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}("TLSv1.2")'