java.lang.security.audit.weak-ssl-context.weak-ssl-context

An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance("TLSv1.2") for the best security.
Definition
# Semgrep rule definition. Reports SSLContext.getInstance(...) calls whose protocol
# argument is a string literal other than "TLSv1.2" or "TLSv1.3".
rules:
- id: weak-ssl-context
  metadata:
    cwe:
    - "CWE-326: Inadequate Encryption Strength"
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
    source_rule_url: https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT
    references:
    - https://tools.ietf.org/html/rfc7568
    - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
    category: security
    technology:
    - java
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: HIGH
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Cryptographic Issues
  message: An insecure SSL context was detected. TLS versions 1.0, 1.1, and all
    SSL versions are considered weak encryption and are deprecated. Use
    SSLContext.getInstance("TLSv1.2") for the best security.
  severity: WARNING
  languages:
  - java
  # All three clauses must hold for the same call: it is a getInstance() with a
  # single string-literal argument, and that literal is neither of the two accepted
  # versions. Consequences worth knowing when triaging:
  #   - a protocol name that is not a literal (variable, method result, config value)
  #     is not matched at all, so "no finding" does not mean "safe";
  #   - the pattern takes exactly one argument, so the provider-qualified
  #     getInstance overloads appear not to be covered — confirm against Semgrep's
  #     argument-matching behaviour before relying on this rule for them.
  patterns:
  - pattern-not: SSLContext.getInstance("TLSv1.3")
  - pattern-not: SSLContext.getInstance("TLSv1.2")
  - pattern: SSLContext.getInstance("...")
  # Autofix: rewrites the argument of the matched getInstance(...) call to "TLSv1.2"
  # and changes nothing else about how the resulting context is configured, so the
  # result still needs a human review.
  fix-regex:
    regex: (.*?)\.getInstance\(.*?\)
    replacement: \1.getInstance("TLSv1.2")
Examples
weak-ssl-context.java
import java.lang.Runtime;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
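/**
 * Semgrep test fixture for the {@code weak-ssl-context} rule.
 *
 * <p>Each {@code testN} method contains exactly one {@code SSLContext.getInstance(...)} call.
 * The comment directly above that call is a Semgrep test assertion: {@code // ruleid: ...}
 * marks a line the rule must report, {@code // ok: ...} a line it must leave alone. Those
 * comments have to stay immediately above the call they describe, otherwise the rule's own
 * test run fails.
 *
 * <p>The methods only obtain a context and discard it; nothing here opens a connection.
 * {@code SSLContext.getInstance} throws the checked {@link NoSuchAlgorithmException}, so the
 * methods declare it — without that declaration the fixture does not compile.
 */
class Cls {
  /** Prints a greeting; kept only so the fixture has a constructor with a body. */
  public Cls() {
    System.out.println("Hello");
  }

  /**
   * Flagged: {@code "SSL"} is not one of the two accepted literals.
   *
   * @throws NoSuchAlgorithmException if no provider offers the named protocol
   */
  public void test1() throws NoSuchAlgorithmException {
    // ruleid: weak-ssl-context
    SSLContext ctx = SSLContext.getInstance("SSL");
  }

  /**
   * Flagged: the bare {@code "TLS"} alias is not one of the two accepted literals.
   *
   * @throws NoSuchAlgorithmException if no provider offers the named protocol
   */
  public void test2() throws NoSuchAlgorithmException {
    // ruleid: weak-ssl-context
    SSLContext ctx = SSLContext.getInstance("TLS");
  }

  /**
   * Flagged: {@code "TLSv1"} (TLS 1.0) is not one of the two accepted literals.
   *
   * @throws NoSuchAlgorithmException if no provider offers the named protocol
   */
  public void test3() throws NoSuchAlgorithmException {
    // ruleid: weak-ssl-context
    SSLContext ctx = SSLContext.getInstance("TLSv1");
  }

  /**
   * Flagged: {@code "SSLv3"} is not one of the two accepted literals.
   *
   * @throws NoSuchAlgorithmException if no provider offers the named protocol
   */
  public void test4() throws NoSuchAlgorithmException {
    // ruleid: weak-ssl-context
    SSLContext ctx = SSLContext.getInstance("SSLv3");
  }

  /**
   * Flagged: {@code "TLSv1.1"} is not one of the two accepted literals.
   *
   * @throws NoSuchAlgorithmException if no provider offers the named protocol
   */
  public void test5() throws NoSuchAlgorithmException {
    // ruleid: weak-ssl-context
    SSLContext ctx = SSLContext.getInstance("TLSv1.1");
  }

  /**
   * Not flagged: {@code "TLSv1.2"} is explicitly excluded by the rule.
   *
   * @throws NoSuchAlgorithmException if no provider offers the named protocol
   */
  public void test6() throws NoSuchAlgorithmException {
    // ok: weak-ssl-context
    SSLContext ctx = SSLContext.getInstance("TLSv1.2");
  }

  /**
   * Not flagged: {@code "TLSv1.3"} is explicitly excluded by the rule.
   *
   * @throws NoSuchAlgorithmException if no provider offers the named protocol
   */
  public void test7() throws NoSuchAlgorithmException {
    // ok: weak-ssl-context
    SSLContext ctx = SSLContext.getInstance("TLSv1.3");
  }

  /**
   * Stand-in for a protocol name that is computed at runtime rather than written as a literal.
   *
   * @return a fixed placeholder string; the value itself is irrelevant to the fixture
   */
  public String getSslContext() {
    return "Anything";
  }

  /**
   * Not flagged: the rule only matches string literals, so an argument produced by a method
   * call is invisible to it. This documents a blind spot of the rule, not a guarantee that a
   * runtime-selected protocol is safe.
   *
   * @throws NoSuchAlgorithmException if no provider offers the named protocol
   */
  public void test8() throws NoSuchAlgorithmException {
    // ok: weak-ssl-context
    SSLContext ctx = SSLContext.getInstance(getSslContext());
  }
}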
Short Link: https://sg.run/4x7E