generic.nginx.security.missing-ssl-version.missing-ssl-version


This server configuration is missing the 'ssl_protocols' directive. Without it, the TLS versions this server accepts are whatever the nginx build defaults to (TLSv1 and TLSv1.1 are part of the default on releases before 1.27.3) or whatever is inherited from the enclosing 'http' context, which this rule does not inspect. TLSv1.0 and TLSv1.1 are deprecated (RFC 8996) and should not be offered. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' (TLSv1.3 requires OpenSSL 1.1.1 or later) so the server negotiates only current TLS versions.


Definition

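rules:
  - id: missing-ssl-version
    # Flag a TLS-terminating 'server' block that does not set 'ssl_protocols'
    # itself. TLS termination is recognised by any 'listen ... ssl' form or by
    # the legacy 'ssl on;' directive.
    patterns:
      - pattern-either:
          # 'listen 443 ssl;'
          - pattern: server { ... listen $PORT ssl; ... }
          # 'listen 443 ssl http2;', 'listen 443 ssl default_server;', ...
          # The original pattern required 'ssl' to be the last parameter and
          # missed these very common listener forms.
          - pattern: server { ... listen $PORT ssl ...; ... }
          # Legacy way of enabling TLS on a server block (deprecated since
          # nginx 1.15.0 but still present in older configurations).
          - pattern: server { ... ssl on; ... }
      # LIMITATIONS (hence confidence MEDIUM):
      #  - $PORT matches a single token, so address-qualified listeners such as
      #    'listen [::]:443 ssl;' or 'listen 10.0.0.1:443 ssl;' are not covered.
      #  - Only the server block itself is inspected. An 'ssl_protocols' set in
      #    the enclosing 'http' context (typically nginx.conf) is inherited by
      #    every server but is not visible when per-site files are scanned on
      #    their own, so such deployments produce a false positive.
      - pattern-not-inside: server { ... ssl_protocols ... }
    paths:
      include:
        - "*.conf"
        - "*.vhost"
        - sites-available/*
        - sites-enabled/*
    languages:
      - generic
    severity: WARNING
    # The accepted protocol set without this directive depends on the nginx
    # release (TLSv1/TLSv1.1 are in the default before 1.27.3) and on what the
    # 'http' context sets, so the message avoids asserting one fixed default.
    message: >-
      This server configuration is missing the 'ssl_protocols' directive.
      Without it, the accepted TLS versions are whatever the nginx build
      defaults to (TLSv1 and TLSv1.1 are part of the default on releases
      before 1.27.3) or whatever is inherited from the enclosing 'http'
      context. TLSv1.0 and TLSv1.1 are deprecated (RFC 8996) and should not
      be offered. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' (TLSv1.3
      requires OpenSSL 1.1.1 or later) so only current TLS versions are
      negotiated.
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      references:
        - https://www.acunetix.com/blog/web-security-zone/hardening-nginx/
        - https://nginx.org/en/docs/http/configuring_https_servers.html
      category: security
      technology:
        - nginx
      confidence: MEDIUM
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues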

Examples

missing-ssl-version.conf

# Test fixture for missing-ssl-version. The '# ruleid:' / '# ok:' line must sit
# immediately above the block it annotates, so explanatory comments go above it.
# NOTE(review): no case covers 'listen 443 ssl http2;' (extra listen
# parameters), which the rule's 'listen $PORT ssl;' pattern does not match --
# consider adding one.

# Expected finding: TLS listener ('listen 443 ssl;') with no 'ssl_protocols'
# directive anywhere in the server block.
# ruleid: missing-ssl-version
server {
  listen              443 ssl;
  server_name         www.example.com;
  keepalive_timeout   70;

  ssl_certificate     www.example.com.crt;
  ssl_certificate_key www.example.com.key;

  location /i/ {
    alias /data/w3/images/;
  }
}

# Plain-HTTP listener: no 'ssl' parameter on 'listen', so the rule does not apply.
# ok: missing-ssl-version
server {
  listen              80;
  server_name         www.example.com;
  keepalive_timeout   70;

  location /i/ {
    alias /data/w3/images/;
  }
}

# TLS listener that sets its own 'ssl_protocols', so the accepted versions do
# not depend on the nginx default or on the enclosing 'http' context.
# NOTE(review): 'TLSv1.2' alone satisfies the rule; the value the rule message
# recommends is 'TLSv1.2 TLSv1.3'.
# ok: missing-ssl-version
server {
  listen              443 ssl;
  server_name         www.example.com;
  keepalive_timeout   70;

  ssl_certificate     www.example.com.crt;
  ssl_certificate_key www.example.com.key;
  ssl_protocols       TLSv1.2;
  ssl_ciphers         HIGH:!aNULL:!MD5;

  location /i/ {
    alias /data/w3/images/;
  }
}