Rules Repository / RSPEC-4423

Weak SSL/TLS protocols should not be used

    Details

    • Message:
      Change this code to use a stronger protocol.
    • Highlighting:
      SSLContext.getInstance invocation
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java, PHP
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, HTML, JavaScript, Objective-C, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      2min
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-327, CWE-326
    • OWASP:
      A3, A6
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      SSL_CONTEXT

      Description

      Older versions of the SSL/TLS protocol, such as "SSLv3", have been proven to be insecure.
      This rule raises an issue when an SSL/TLS context is created with an insecure protocol version (i.e. a protocol other than "TLSv1.2", "TLSv1.3", "DTLSv1.2" or "DTLSv1.3").
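      The Java form of the noncompliant and compliant `SSLContext.getInstance` calls, as an added example that is not part of the rule page. It assumes a JDK 11 or later runtime (so that "TLSv1.3" is a known context name) and uses the standard `javax.net.ssl` API only; the class and method names are the example's own.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsProtocolCheck {

    // Noncompliant: the context is pinned to a protocol version the rule flags.
    static SSLContext weakContext() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("SSLv3"); // Noncompliant
        ctx.init(null, null, null);
        return ctx;
    }

    // Compliant: one of the versions the rule accepts ("TLSv1.3" here).
    static SSLContext hardenedContext() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null);
        return ctx;
    }

    // Caveat: the context name only sets a ceiling. The runtime may still enable
    // older versions by default, so pin the enabled list on the engine/socket too.
    static SSLEngine restrictProtocols(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = hardenedContext();
        System.out.println("enabled by default: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("after restriction:  "
                + Arrays.toString(restrictProtocols(ctx).getEnabledProtocols()));
        try {
            weakContext();
            System.out.println("this JDK still hands out an SSLv3 context; the rule is your only guard");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("this JDK refuses SSLv3 contexts: " + e.getMessage());
        }
    }
}
```

Printing the default protocol list shows why the context name alone is not a complete fix: depending on the JDK's `jdk.tls.disabledAlgorithms` setting, "TLSv1.3" contexts may still enable TLSv1.2 and older by default.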

          Issue Links

          1. PHP RSPEC-4715 Language-Specification Active Unassigned
          2. Java RSPEC-4716 Language-Specification Active Unassigned
          3. Python RSPEC-5437 Language-Specification Active Unassigned

              People

              • Assignee:
                Unassigned
              • Reporter:
                jeanchristophe.collet Jean-Christophe Collet (Inactive)
              • Votes:
                0
              • Watchers:
                3
