go.lang.security.audit.crypto.tls.tls-with-insecure-cipher

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
124,504
Download Count*
LGPL Commons Clause
License

Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: tls-with-insecure-cipher
    message: Detected an insecure CipherSuite via the 'tls' module. This suite is
      considered weak. Use the function 'tls.CipherSuites()' to get a list of
      good cipher suites. See
      https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what
      other cipher suites to use.
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls.go
      references:
        - https://golang.org/pkg/crypto/tls/#InsecureCipherSuites
      category: security
      technology:
        - go
      confidence: HIGH
      subcategory:
        - vuln
      likelihood: HIGH
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - go
    severity: WARNING
    pattern-either:
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_RSA_WITH_RC4_128_SHA, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_RSA_WITH_AES_128_CBC_SHA256, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...}}
      - pattern: >
          tls.Config{..., CipherSuites: []$TYPE{...,
          tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ...}}
      - pattern: |
          tls.CipherSuite{..., TLS_RSA_WITH_RC4_128_SHA, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_RSA_WITH_3DES_EDE_CBC_SHA, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_RSA_WITH_AES_128_CBC_SHA256, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_RC4_128_SHA, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...}
      - pattern: |
          tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ...}

Examples

tls.go

// Insecure ciphersuite selection
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

func main() {
	tr := &http.Transport{
        // ruleid: tls-with-insecure-cipher
		TLSClientConfig: &tls.Config{CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
		}},
	}
	client := &http.Client{Transport: tr}
	_, err := client.Get("https://golang.org/")
	if err != nil {
		fmt.Println(err)
	}

	tr := &http.Transport{
		// should be fine
		TLSClientConfig: &tls.Config{CipherSuites: []uint16{
			tls.TLS_AES_128_GCM_SHA256,
			tls.TLS_AES_256_GCM_SHA384,
		}},
	}
	client := &http.Client{Transport: tr}
}