problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1


Detects direct creations of SSLConnectionSocketFactories that do not disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.


Definition

# Semgrep rule: report SSLConnectionSocketFactory constructions whose protocol
# list is not restricted to TLSv1.2 / TLSv1.3, unless the protocols are
# restricted later through an HttpClient 5 TlsConfig (see pattern-not-inside).
rules:
  - id: disallow-old-tls-versions1
    message: Detects direct creations of SSLConnectionSocketFactories that don't
      disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to
      validate the identity of the HTTPS server against a list of trusted
      certificates. These protocols are deprecated due to POODLE, man in the
      middle attacks, and other vulnerabilities.
    severity: WARNING
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    patterns:
      # Every direct construction is a candidate; the clauses below carve out
      # the configurations that are considered safe.
      - pattern: |
          new SSLConnectionSocketFactory(...);
      # Exclusions: a protocol array containing only TLSv1.2 and/or TLSv1.3.
      # Both orderings of the two-element array are listed separately, so the
      # array literal appears to be matched positionally; an array with extra
      # entries (e.g. TLSv1.1 next to TLSv1.2) is still reported. A null
      # protocol argument is not excluded either.
      - pattern-not: >
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.2",
          "TLSv1.3"}, ...);
      - pattern-not: >
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.3",
          "TLSv1.2"}, ...);
      - pattern-not: |
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.3"}, ...);
      - pattern-not: |
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.2"}, ...);
      # Exclusions for the HttpClient 5 flow where the factory itself is left
      # unrestricted and the protocol set is pinned via
      # TlsConfig.setSupportedProtocols on the connection manager.
      # NOTE(review): the connection-manager variable is written literally as
      # `cm` rather than as a metavariable, and setSupportedProtocols is matched
      # with exactly one argument (TLS.V_1_2 or TLS.V_1_3) - a differently named
      # variable or a call passing both versions would presumably still be
      # reported; confirm against the test suite before relying on this.
      - pattern-not-inside: >
          (SSLConnectionSocketFactory $SF) = new
          SSLConnectionSocketFactory(...); ... (TlsConfig $TLSCONFIG) =
          TlsConfig.custom(). ... .setSupportedProtocols(TLS.V_1_2). ...
          .build(); ... HttpClientConnectionManager cm = $CM.create(). ...
          .setSSLSocketFactory($SF). ... .setDefaultTlsConfig($TLSCONFIG). ...
          .build();
      - pattern-not-inside: >
          (SSLConnectionSocketFactory $SF) = new
          SSLConnectionSocketFactory(...); ... (TlsConfig $TLSCONFIG) =
          TlsConfig.custom(). ... .setSupportedProtocols(TLS.V_1_3). ...
          .build(); ... HttpClientConnectionManager cm = $CM.create(). ...
          .setSSLSocketFactory($SF). ... .setDefaultTlsConfig($TLSCONFIG). ...
          .build();

Examples

disallow-old-tls-versions1.java

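/**
 * Fixtures that the rule {@code disallow-old-tls-versions1} is expected to report: each
 * construction either lists a deprecated protocol version explicitly or does not restrict the
 * protocol list at all.
 *
 * <p>The {@code //ruleid:} annotations are consumed by the Semgrep test harness and must stay on
 * the line directly above the construction they refer to. {@code sslContext} is not declared in
 * this fixture; it only serves as a placeholder argument.
 */
class Bad {
    public void bad_disable_old_tls1() {
        // Explicit list that still enables TLSv1 and TLSv1.1 alongside TLSv1.2.
        //ruleid: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"},
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    public void bad_disable_old_tls2() {
        // No protocol list at all: nothing in this call rules out the old versions,
        // so the rule reports it (the effective protocol set presumably comes from
        // the SSLContext defaults - not visible here).
        //ruleid: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    // Renamed from a second bad_disable_old_tls2: two methods with the same
    // signature in one class do not compile.
    public void bad_disable_old_tls3() {
        // Explicit list that enables SSLv3 as well as TLSv1 / TLSv1.1.
        //ruleid: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1", "TLSv1.1", "SSLv3"},
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }
}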

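/**
 * Fixtures that the rule {@code disallow-old-tls-versions1} must not report: the protocol set is
 * restricted to TLSv1.2 and/or TLSv1.3, either directly in the constructor or, for the HttpClient 5
 * flow, through a {@code TlsConfig} applied on the connection manager.
 *
 * <p>The {@code //ok:} annotations are consumed by the Semgrep test harness and must stay on the
 * line directly above the construction they refer to. Indentation was normalised to spaces; the
 * statements themselves are unchanged because the rule's pattern-not-inside clause matches this
 * exact statement sequence (including the variable name {@code cm}).
 */
class Ok {
    public void ok_disable_old_tls1() {
        // Only TLSv1.2 enabled.
        //ok: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1.2"},
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    public void ok_disable_old_tls2() {
        // TLSv1.2 and TLSv1.3 in the order the rule's first exclusion lists them.
        //ok: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1.2", "TLSv1.3"},
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    public void ok_disable_old_tls3() {
        // Only TLSv1.3 enabled.
        //ok: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1.3"},
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    public void ok_disable_old_tls4() {
        // NOTE(review): this TrustStrategy returns true for every certificate chain,
        // i.e. it disables server certificate validation. That is outside what this
        // rule checks (protocol versions), but the fixture should not be copied as a
        // template for real clients.
        TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
        SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
        // The factory itself is unrestricted; the rule tolerates this only because the
        // protocol set is pinned to TLSv1.3 below via TlsConfig and wired to the same
        // factory through the connection manager named cm.
        //ok: disallow-old-tls-versions1
        SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
        TlsConfig tlsConfig = TlsConfig.custom().setHandshakeTimeout(Timeout.ofSeconds(30)).setSupportedProtocols(TLS.V_1_3).build();
        HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create().setSSLSocketFactory(csf).setDefaultTlsConfig(tlsConfig).build();
        CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(cm).build();
        HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
        requestFactory.setHttpClient(httpClient);
        // restTemplate is not declared in this fixture; presumably a field of the real class.
        restTemplate = new RestTemplate(requestFactory);
    }
}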