problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1

Detects direct creations of SSLConnectionSocketFactory instances that do not explicitly disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.
Definition
# Semgrep rule: report SSLConnectionSocketFactory constructions unless the
# supported-protocols argument is one of the exact TLS 1.2 / TLS 1.3 array
# literals listed under pattern-not below.
rules:
- id: disallow-old-tls-versions1
  message: Detects direct creations of SSLConnectionSocketFactories that don't
    disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to
    validate the identity of the HTTPS server against a list of trusted
    certificates. These protocols are deprecated due to POODLE, man in the
    middle attacks, and other vulnerabilities.
  severity: WARNING
  metadata:
    likelihood: HIGH
    impact: MEDIUM
    confidence: MEDIUM
    category: security
    cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
    owasp: A03:2017 - Sensitive Data Exposure
    references:
    - https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle
    subcategory:
    - vuln
    technology:
    - java
    vulnerability: Insecure Transport
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  languages:
  - java
  patterns:
  # Any direct construction is a candidate; the `...` wildcards accept every
  # constructor overload and ignore the SSLContext, cipher-suite and
  # hostname-verifier arguments.
  - pattern: |
      new SSLConnectionSocketFactory(...);
  # Only these four inline array literals are treated as safe. A protocol
  # array built elsewhere and passed through a variable, or one containing
  # TLSv1.2 alongside an older version, does not match any pattern-not and
  # is therefore reported.
  - pattern-not: >
      new SSLConnectionSocketFactory(..., new String[] {"TLSv1.2",
      "TLSv1.3"}, ...);
  - pattern-not: >
      new SSLConnectionSocketFactory(..., new String[] {"TLSv1.3",
      "TLSv1.2"}, ...);
  - pattern-not: |
      new SSLConnectionSocketFactory(..., new String[] {"TLSv1.3"}, ...);
  - pattern-not: |
      new SSLConnectionSocketFactory(..., new String[] {"TLSv1.2"}, ...);
Examples
disallow-old-tls-versions1.java
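/**
 * Semgrep fixture: constructions the rule {@code disallow-old-tls-versions1}
 * must report. Each {@code //ruleid:} comment marks the line expected to be
 * flagged. {@code sslContext} is not declared in this file; the fixture is
 * matched syntactically, not compiled against a real HttpClient.
 */
class Bad {

    /**
     * Protocol list still contains {@code TLSv1} and {@code TLSv1.1} next to
     * {@code TLSv1.2}; no pattern-not exclusion matches a mixed array.
     */
    public void bad_disable_old_tls1() {
        //ruleid: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"},
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    /**
     * No protocol array literal is passed at all, so none of the pattern-not
     * exclusions apply and the construction is reported.
     */
    public void bad_disable_old_tls2() {
        //ruleid: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    /**
     * Protocol list is entirely legacy ({@code TLSv1}, {@code TLSv1.1},
     * {@code SSLv3}). Renamed from a second {@code bad_disable_old_tls2}: a
     * duplicate method name makes the fixture class uncompilable.
     */
    public void bad_disable_old_tls3() {
        //ruleid: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1", "TLSv1.1", "SSLv3"},
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }
}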
/**
 * Semgrep fixture: constructions the rule {@code disallow-old-tls-versions1}
 * must NOT report. Each {@code //ok:} comment marks a line that is expected
 * to stay silent. The protocol array must remain an inline literal matching
 * one of the rule's pattern-not clauses; {@code sslContext} is not declared
 * in this file.
 *
 * <p>NOTE(review): the rule only inspects the protocol array. The hostname
 * verifier argument is ignored by the pattern; {@code
 * BROWSER_COMPATIBLE_HOSTNAME_VERIFIER} is a deprecated constant in later
 * HttpClient 4.x releases, so a real client should also be checked for that
 * separately.
 */
class Ok {

    /** Single literal {@code "TLSv1.2"}: matches the fourth pattern-not. */
    public void ok_disable_old_tls1() {
        //ok: disallow-old-tls-versions1
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
            sslContext,
            new String[] {"TLSv1.2"},
            null,
            SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    /** Literal {@code {"TLSv1.2", "TLSv1.3"}}: matches the first pattern-not. */
    public void ok_disable_old_tls2() {
        //ok: disallow-old-tls-versions1
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
            sslContext,
            new String[] {"TLSv1.2", "TLSv1.3"},
            null,
            SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    /** Single literal {@code "TLSv1.3"}: matches the third pattern-not. */
    public void ok_disable_old_tls3() {
        //ok: disallow-old-tls-versions1
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
            sslContext,
            new String[] {"TLSv1.3"},
            null,
            SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }
}