go.lang.security.audit.crypto.tls.tls-with-insecure-cipher
Verified by r2c
Community Favorite
Download count*: 124,504
Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.
Definition
rules:
  - id: tls-with-insecure-cipher
    message: Detected an insecure CipherSuite via the 'tls' module. This suite is
      considered weak. Use the function 'tls.CipherSuites()' to get a list of
      good cipher suites. See
      https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what
      other cipher suites to use.
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls.go
      references:
        - https://golang.org/pkg/crypto/tls/#InsecureCipherSuites
      category: security
      technology:
        - go
      confidence: HIGH
      subcategory:
        - vuln
      likelihood: HIGH
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - go
    severity: WARNING
    pattern-either:
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_RSA_WITH_RC4_128_SHA, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_RSA_WITH_AES_128_CBC_SHA256, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ...}}
      - pattern: |
          tls.CipherSuite{..., TLS_RSA_WITH_RC4_128_SHA, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_RSA_WITH_3DES_EDE_CBC_SHA, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_RSA_WITH_AES_128_CBC_SHA256, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_RC4_128_SHA, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ...}
Examples
tls.go
// Insecure ciphersuite selection
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

func main() {
	tr := &http.Transport{
		// ruleid: tls-with-insecure-cipher
		TLSClientConfig: &tls.Config{CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
		}},
	}
	client := &http.Client{Transport: tr}
	_, err := client.Get("https://golang.org/")
	if err != nil {
		fmt.Println(err)
	}

	// Reassign tr and client rather than redeclaring them: a second ':='
	// for the same names in one scope does not compile.
	tr = &http.Transport{
		// should be fine
		TLSClientConfig: &tls.Config{CipherSuites: []uint16{
			tls.TLS_AES_128_GCM_SHA256,
			tls.TLS_AES_256_GCM_SHA384,
		}},
	}
	client = &http.Client{Transport: tr}
	_, err = client.Get("https://golang.org/")
	if err != nil {
		fmt.Println(err)
	}
}
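The rule message says to take the allowed list from tls.CipherSuites(). The following is an added example, not part of the Semgrep rule or its test file: a runtime check that compares a configured CipherSuites list against what Go's own crypto/tls reports as insecure, plus the corrected form of the flagged config. The function names insecureSuites, recommendedSuites and hardenedConfig are mine.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// insecureSuites returns the names of the suites in ids that Go's own
// crypto/tls classifies as insecure (tls.InsecureCipherSuites), in input
// order. This is the runtime counterpart of the static rule above.
func insecureSuites(ids []uint16) []string {
	bad := make(map[uint16]string)
	for _, cs := range tls.InsecureCipherSuites() {
		bad[cs.ID] = cs.Name
	}
	var found []string
	for _, id := range ids {
		if name, ok := bad[id]; ok {
			found = append(found, name)
		}
	}
	return found
}

// recommendedSuites returns the IDs from tls.CipherSuites(), the list the
// rule message points to.
func recommendedSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		ids = append(ids, cs.ID)
	}
	return ids
}

// hardenedConfig is the corrected form of the flagged tls.Config: only
// suites Go recommends, and no protocol version below TLS 1.2.
func hardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: recommendedSuites(),
	}
}

func main() {
	// Constructed input: the suite list from the flagged example above.
	flagged := []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA256}
	fmt.Println("insecure in flagged config:", insecureSuites(flagged))
	fmt.Println("insecure in hardened config:", insecureSuites(hardenedConfig().CipherSuites))
}
```

The set returned by tls.InsecureCipherSuites() has grown across Go releases, so the static rule and this runtime check can disagree at the margin (the 3DES suites, for instance); treat the rule's constant list as the floor and the stdlib's current classification as authoritative for the toolchain you build with.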
Short Link: https://sg.run/px8N