java.lang.security.audit.weak-ssl-context.weak-ssl-context

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
121,021
Download Count*
LGPL Commons Clause
License

An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance("TLSv1.2") for the best security.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: weak-ssl-context
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source_rule_url: https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT
      references:
        - https://tools.ietf.org/html/rfc7568
        - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
      category: security
      technology:
        - java
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: An insecure SSL context was detected. TLS versions 1.0, 1.1, and all
      SSL versions are considered weak encryption and are deprecated. Use
      SSLContext.getInstance("TLSv1.2") for the best security.
    severity: WARNING
    languages:
      - java
    patterns:
      - pattern-not: SSLContext.getInstance("TLSv1.3")
      - pattern-not: SSLContext.getInstance("TLSv1.2")
      - pattern: SSLContext.getInstance("...")
    fix-regex:
      regex: (.*?)\.getInstance\(.*?\)
      replacement: \1.getInstance("TLSv1.2")

Examples

weak-ssl-context.java

import java.lang.Runtime;

class Cls {

    public Cls() {
        System.out.println("Hello");
    }

    public void test1() {
        // ruleid: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("SSL");
    }

    public void test2() {
        // ruleid: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("TLS");
    }

    public void test3() {
        // ruleid: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("TLSv1");
    }

    public void test4() {
        // ruleid: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("SSLv3");
    }

    public void test5() {
        // ruleid: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("TLSv1.1");
    }

    public void test6() {
        // ok: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
    }

    public void test7() {
        // ok: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
    }

    public String getSslContext() {
        return "Anything";
    }

    public void test8() {
        // ok: weak-ssl-context
        SSLContext ctx = SSLContext.getInstance(getSslContext());
    }
}