generic.nginx.security.insecure-ssl-version.insecure-ssl-version
Community Favorite
Download count: 81,049
Detected use of an insecure SSL/TLS protocol version. The only protocol versions considered secure are TLSv1.2 and TLSv1.3; SSLv2, SSLv3, TLSv1 and TLSv1.1 are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later. Note that the rule only inspects explicit ssl_protocols directives: a server block that omits the directive falls back to an ssl_protocols line in the enclosing http block or, failing that, to nginx's built-in default, which still enabled TLSv1 and TLSv1.1 before nginx 1.23.4.
Definition
rules:
  - id: insecure-ssl-version
    patterns:
      - pattern-not: ssl_protocols TLSv1.2 TLSv1.3;
      - pattern-not: ssl_protocols TLSv1.3 TLSv1.2;
      - pattern-not: ssl_protocols TLSv1.2;
      - pattern-not: ssl_protocols TLSv1.3;
      - pattern: ssl_protocols ...;
    paths:
      include:
        - "*.conf"
        - "*.vhost"
        - sites-available/*
        - sites-enabled/*
    languages:
      - generic
    severity: WARNING
    message: Detected use of an insecure SSL version. Secure SSL versions are
      TLSv1.2 and TLSv1.3; older versions are known to be broken and are
      susceptible to attacks. Prefer use of TLSv1.2 or later.
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      references:
        - https://www.acunetix.com/blog/web-security-zone/hardening-nginx/
        - https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
      category: security
      technology:
        - nginx
      confidence: HIGH
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
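The rule above allow-lists four exact spellings of the directive and flags every other ssl_protocols line it finds; it has no notion of nginx's block structure, so it cannot tell which server a directive applies to, and it says nothing about TLS servers that never set the directive. The Python checker below is an added example (not part of the Semgrep rule, the registry, or nginx) that applies the same allow-list per TLS-enabled server block, follows the inheritance of an http-level ssl_protocols into server blocks that lack their own, and reports servers that rely on nginx's built-in default. The sample configs, the host names and the Finding class are constructed for the demo, and the parser deliberately assumes one directive or brace per line rather than implementing nginx's full grammar.

```python
from dataclasses import dataclass

# Only these two are considered secure, matching the Semgrep rule's allow-list.
SECURE = {"TLSv1.2", "TLSv1.3"}


@dataclass
class Finding:
    line: int          # line of the effective ssl_protocols directive, or of the server block if unset
    server_name: str
    verdict: str       # "ok", "insecure" or "unset"
    protocols: list    # protocols in effect for that server ([] when unset)


def check_nginx_tls(config_text):
    """Return one Finding per TLS-enabled server block in an nginx config.

    Simplifications (this is a demo checker, not nginx's parser): one directive or
    brace per line; ssl_protocols is honoured in http{} and server{} only; a server
    counts as TLS-enabled if it has 'listen ... ssl' or the legacy 'ssl on;'.
    """
    findings = []
    http_protocols = None   # (line, [protocols]) set at http{} level, inherited by servers
    stack = []              # names of the blocks currently open
    server = None           # state of the innermost open server{} block

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue

        if line.endswith("{"):                   # a block opens
            words = line[:-1].split()
            name = words[0] if words else ""
            stack.append(name)
            if name == "server":
                server = {"line": lineno, "name": "(unnamed)", "tls": False, "protocols": None}
            continue

        if line == "}":                          # a block closes
            closed = stack.pop() if stack else None
            if closed == "server" and server is not None:
                if server["tls"]:
                    effective = server["protocols"] or http_protocols
                    if effective is None:
                        # nginx's default applies; before 1.23.4 that default included TLSv1 and TLSv1.1
                        findings.append(Finding(server["line"], server["name"], "unset", []))
                    else:
                        pline, protos = effective
                        verdict = "ok" if all(p in SECURE for p in protos) else "insecure"
                        findings.append(Finding(pline, server["name"], verdict, protos))
                server = None
            continue

        if not line.endswith(";"):
            continue                             # not a simple directive
        words = line[:-1].split()
        directive, args = words[0], words[1:]
        in_server = stack[-1:] == ["server"] and server is not None

        if directive == "ssl_protocols" and args:
            if in_server:
                server["protocols"] = (lineno, args)
            elif stack[-1:] == ["http"]:
                http_protocols = (lineno, args)
        elif in_server and directive == "listen" and "ssl" in args:
            server["tls"] = True
        elif in_server and directive == "ssl" and args == ["on"]:
            server["tls"] = True                 # legacy 'ssl on;' form
        elif in_server and directive == "server_name" and args:
            server["name"] = args[0]

    return findings


# Constructed sample config for the demo (not taken from any real deployment).
SAMPLE_CONFIG = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # http-level setting, inherited by servers below

    server {
        listen 443 ssl;
        server_name legacy.example.com;
        # no ssl_protocols of its own: inherits the insecure http-level line
    }

    server {
        listen 443 ssl http2;
        server_name www.example.com;
        ssl_protocols TLSv1.2 TLSv1.3;      # overrides the http-level setting
        location /i/ {
            alias /data/w3/images/;
        }
    }

    server {
        listen 80;
        server_name plain.example.com;      # no TLS: nothing to check
    }
}
"""

# Second constructed config that never sets ssl_protocols anywhere.
UNSET_CONFIG = """
http {
    server {
        listen 443 ssl;
        server_name default.example.com;
    }
}
"""

if __name__ == "__main__":
    for f in check_nginx_tls(SAMPLE_CONFIG) + check_nginx_tls(UNSET_CONFIG):
        print(f"line {f.line}: {f.server_name}: {f.verdict} {' '.join(f.protocols)}")
```

Run against SAMPLE_CONFIG, legacy.example.com is reported as insecure even though the offending directive lives in the http block, which is exactly the case the Semgrep pattern would flag at the wrong location and a per-server report makes actionable; UNSET_CONFIG produces an "unset" finding that the rule cannot emit at all.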
Examples
insecure-ssl-version.conf
server {
    listen 443 ssl;
    server_name www.example.com;
    keepalive_timeout 70;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    # ruleid: insecure-ssl-version
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location /i/ {
        alias /data/w3/images/;
    }
}

server {
    listen 443 ssl;
    server_name www.example.com;
    keepalive_timeout 70;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    # ok: insecure-ssl-version
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location /i/ {
        alias /data/w3/images/;
    }
}
Short Link: https://sg.run/gLKy