problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1
Detects direct creations of SSLConnectionSocketFactories that don't disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.
Definition
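rules:
  - id: disallow-old-tls-versions1
    message: >-
      Detects direct creations of SSLConnectionSocketFactories that don't
      disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to
      validate the identity of the HTTPS server against a list of trusted
      certificates. These protocols are deprecated due to POODLE, man in the
      middle attacks, and other vulnerabilities.
    severity: WARNING
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    patterns:
      # Every direct construction of the factory is a candidate finding ...
      - pattern: |
          new SSLConnectionSocketFactory(...);
      # ... unless the supported-protocols argument is an explicit list made
      # only of TLSv1.2 and/or TLSv1.3. These are exact-list exemptions: a
      # list that keeps TLSv1 or TLSv1.1 next to TLSv1.2 is still reported.
      - pattern-not: |
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.2", "TLSv1.3"}, ...);
      - pattern-not: |
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.3", "TLSv1.2"}, ...);
      - pattern-not: |
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.3"}, ...);
      - pattern-not: |
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.2"}, ...);
      # ... or the factory is installed on a connection manager whose default
      # TlsConfig restricts the supported protocols to TLS.V_1_2 or TLS.V_1_3.
      # The connection manager is bound by type ($MGR) rather than by a fixed
      # local name, so the exemption does not depend on the variable being
      # called `cm`.
      - pattern-not-inside: >
          (SSLConnectionSocketFactory $SF) = new
          SSLConnectionSocketFactory(...); ... (TlsConfig $TLSCONFIG) =
          TlsConfig.custom(). ... .setSupportedProtocols(TLS.V_1_2). ...
          .build(); ... (HttpClientConnectionManager $MGR) = $CM.create(). ...
          .setSSLSocketFactory($SF). ... .setDefaultTlsConfig($TLSCONFIG). ...
          .build();
      - pattern-not-inside: >
          (SSLConnectionSocketFactory $SF) = new
          SSLConnectionSocketFactory(...); ... (TlsConfig $TLSCONFIG) =
          TlsConfig.custom(). ... .setSupportedProtocols(TLS.V_1_3). ...
          .build(); ... (HttpClientConnectionManager $MGR) = $CM.create(). ...
          .setSSLSocketFactory($SF). ... .setDefaultTlsConfig($TLSCONFIG). ...
          .build();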
Examples
disallow-old-tls-versions1.java
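/**
 * Negative test cases for disallow-old-tls-versions1: each constructor call
 * below must be reported. The {@code //ruleid:} marker must stay on the line
 * directly above the matched statement.
 */
class Bad {

  /**
   * Explicit protocol list that still includes TLSv1 and TLSv1.1 next to
   * TLSv1.2. The rule only exempts lists made of TLSv1.2 and/or TLSv1.3, so
   * this is reported.
   */
  public void bad_disable_old_tls1() {
    //ruleid: disallow-old-tls-versions1
    SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
        sslContext,
        new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"},
        null,
        SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
  }

  /**
   * No protocol list at all ({@code null} in the supported-protocols
   * position) and no surrounding TlsConfig wiring, so nothing restricts the
   * negotiated versions and the call is reported.
   */
  public void bad_disable_old_tls2() {
    //ruleid: disallow-old-tls-versions1
    SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
        sslContext,
        null,
        SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
  }

  /**
   * Explicit list made only of deprecated protocols (TLSv1, TLSv1.1, SSLv3).
   * Renamed from a second {@code bad_disable_old_tls2}, which was a duplicate
   * method signature and would not compile.
   */
  public void bad_disable_old_tls3() {
    //ruleid: disallow-old-tls-versions1
    SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
        sslContext,
        new String[] {"TLSv1", "TLSv1.1", "SSLv3"},
        null,
        SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
  }
}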
/**
 * Positive test cases for disallow-old-tls-versions1: none of these
 * constructor calls may be reported. The {@code //ok:} marker must stay on
 * the line directly above the exempted statement.
 */
class Ok {

  /** Explicit allow-list containing only TLSv1.2: matched by a pattern-not. */
  public void ok_disable_old_tls1() {
    //ok: disallow-old-tls-versions1
    SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
        sslContext,
        new String[] {"TLSv1.2"},
        null,
        SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
  }

  /** Explicit allow-list of TLSv1.2 and TLSv1.3 (in that order): exempted. */
  public void ok_disable_old_tls2() {
    //ok: disallow-old-tls-versions1
    SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
        sslContext,
        new String[] {"TLSv1.2", "TLSv1.3"},
        null,
        SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
  }

  /** Explicit allow-list containing only TLSv1.3: exempted. */
  public void ok_disable_old_tls3() {
    //ok: disallow-old-tls-versions1
    SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
        sslContext,
        new String[] {"TLSv1.3"},
        null,
        SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
  }

  /**
   * Factory constructed without a protocol list. It is exempted only because
   * the surrounding code matches the rule's pattern-not-inside: a TlsConfig
   * built with setSupportedProtocols(TLS.V_1_3) is attached via
   * setDefaultTlsConfig to the same connection manager that receives the
   * factory through setSSLSocketFactory.
   */
  public void ok_disable_old_tls4() {
    // NOTE(review): this TrustStrategy returns true for every chain, i.e. the
    // server certificate is not validated. That is outside what this rule
    // checks (protocol versions only) and is not a pattern to reuse; a
    // fixture-only shortcut.
    TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
    SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
    //ok: disallow-old-tls-versions1
    SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
    // Protocol restriction lives here rather than on the factory itself.
    TlsConfig tlsConfig = TlsConfig.custom().setHandshakeTimeout(Timeout.ofSeconds(30)).setSupportedProtocols(TLS.V_1_3).build();
    // Both the factory and the TlsConfig must be wired into the same manager
    // for the exemption to apply.
    HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create().setSSLSocketFactory(csf).setDefaultTlsConfig(tlsConfig).build();
    CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(cm).build();
    HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
    requestFactory.setHttpClient(httpClient);
    // restTemplate is not declared in this fixture; presumably a field in the
    // original source. The file is a rule test, not meant to compile as-is.
    restTemplate = new RestTemplate(requestFactory);
  }
}