generic.nginx.security.insecure-ssl-version.insecure-ssl-version


Detected use of an insecure SSL/TLS version. Secure versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.



Definition

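# Semgrep rule: report any nginx `ssl_protocols` directive whose value is not
# exactly one of the four accepted TLSv1.2/TLSv1.3 spellings listed below.
rules:
  - id: insecure-ssl-version
    # Match every ssl_protocols directive, then carve out the accepted forms.
    # Only these exact value lists are accepted; any other list (for example
    # one that still enables TLSv1 or TLSv1.1) is reported.
    patterns:
      - pattern-not: ssl_protocols TLSv1.2 TLSv1.3;
      - pattern-not: ssl_protocols TLSv1.3 TLSv1.2;
      - pattern-not: ssl_protocols TLSv1.2;
      - pattern-not: ssl_protocols TLSv1.3;
      - pattern: ssl_protocols ...;
    # NOTE(review): a server block that omits the directive entirely is not
    # reported; nginx then applies its built-in default, which depends on the
    # nginx version in use — confirm for the deployed build.
    # NOTE(review): generic mode has no notion of nginx comment syntax, so a
    # commented-out directive is presumably matched as well — verify.
    paths:
      include:
        - "*.conf"
        - "*.vhost"
        - "sites-available/*"
        - "sites-enabled/*"
    languages:
      - generic
    severity: WARNING
    # Folded block scalar: rendered as one line; the original text had the
    # typo "TLS1.3", corrected here.
    message: >-
      Detected use of an insecure SSL version. Secure SSL versions are
      TLSv1.2 and TLSv1.3; older versions are known to be broken and are
      susceptible to attacks. Prefer use of TLSv1.2 or later.
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      references:
        - https://www.acunetix.com/blog/web-security-zone/hardening-nginx/
        - https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
      category: security
      technology:
        - nginx
      confidence: HIGH
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues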

Examples

insecure-ssl-version.conf

# Failing example for the rule: the protocol list below still enables TLSv1
# and TLSv1.1, which is not one of the accepted exact forms, so the directive
# must be reported. The `ruleid` marker tells the Semgrep test harness that a
# finding is expected on the line that follows it.
server {
  listen              443 ssl;
  server_name         www.example.com;
  keepalive_timeout   70;

  ssl_certificate     www.example.com.crt;
  ssl_certificate_key www.example.com.key;
  # ruleid: insecure-ssl-version
  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
  # The cipher list is outside this rule's scope (not checked here).
  ssl_ciphers         HIGH:!aNULL:!MD5;

  location /i/ {
    alias /data/w3/images/;
  }
}

# Passing example for the rule: only TLSv1.2 is enabled, which matches one of
# the accepted exact forms, so no finding is produced. The `ok` marker tells
# the Semgrep test harness that the line that follows must not be reported.
server {
  listen              443 ssl;
  server_name         www.example.com;
  keepalive_timeout   70;

  ssl_certificate     www.example.com.crt;
  ssl_certificate_key www.example.com.key;
  # ok: insecure-ssl-version
  ssl_protocols       TLSv1.2;
  # The cipher list is outside this rule's scope (not checked here).
  ssl_ciphers         HIGH:!aNULL:!MD5;

  location /i/ {
    alias /data/w3/images/;
  }
}