problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1


Detects direct creations of SSLConnectionSocketFactories that don't disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man-in-the-middle attacks, and other vulnerabilities.


Definition

rules:
  - id: disallow-old-tls-versions1
    message: Detects direct creations of SSLConnectionSocketFactories that don't
      disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to
      validate the identity of the HTTPS server against a list of trusted
      certificates. These protocols are deprecated due to POODLE, man-in-the-middle
      attacks, and other vulnerabilities.
    severity: WARNING
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
    patterns:
      - pattern: |
          new SSLConnectionSocketFactory(...);
      - pattern-not: >
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.2",
          "TLSv1.3"}, ...);
      - pattern-not: >
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.3",
          "TLSv1.2"}, ...);
      - pattern-not: |
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.3"}, ...);
      - pattern-not: |
          new SSLConnectionSocketFactory(..., new String[] {"TLSv1.2"}, ...);

Examples

disallow-old-tls-versions1.java

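/**
 * Negative fixtures for the {@code disallow-old-tls-versions1} rule: every method builds an
 * {@code SSLConnectionSocketFactory} whose enabled-protocol argument either lists a deprecated
 * protocol (TLSv1, TLSv1.1, SSLv3) or is {@code null}, so the call is not covered by any of the
 * rule's {@code pattern-not} clauses (which only accept TLSv1.2 and/or TLSv1.3). The
 * {@code //ruleid:} comment marks the statement the rule is expected to flag.
 *
 * <p>{@code sslContext} and {@code SSLConnectionSocketFactory} are intentionally unresolved
 * here; this file is a Semgrep test fixture, not a compilable unit.
 */
class Bad {
    /** Explicit protocol list that still enables TLSv1 and TLSv1.1 next to TLSv1.2. */
    public void bad_disable_old_tls1() {
        //ruleid: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"},
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    /**
     * No explicit protocol list ({@code null}). The rule still flags this because nothing pins
     * the enabled versions to TLSv1.2/TLSv1.3; presumably the socket's runtime defaults apply
     * instead, which may still include older versions.
     */
    public void bad_disable_old_tls2() {
        //ruleid: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    /**
     * Explicit list made only of deprecated protocols (TLSv1, TLSv1.1, SSLv3).
     * Renamed from a second {@code bad_disable_old_tls2}: two methods with the same
     * signature in one class is a compile error and made the fixture ambiguous.
     */
    public void bad_disable_old_tls3() {
        //ruleid: disallow-old-tls-versions1
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1", "TLSv1.1", "SSLv3"},
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }
}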

/**
 * Positive fixtures for the {@code disallow-old-tls-versions1} rule: each constructor call
 * passes a protocol array containing only TLSv1.2 and/or TLSv1.3, which matches one of the
 * rule's {@code pattern-not} clauses and therefore must not be reported. The {@code //ok:}
 * comment marks the statement that is expected to stay clean.
 *
 * <p>{@code sslContext} and {@code SSLConnectionSocketFactory} are deliberately left
 * unresolved; this is a Semgrep test fixture, not a compilable unit.
 */
class Ok {
    /** Only TLSv1.2 enabled. */
    public void ok_disable_old_tls1() {
        String[] modernOnly = new String[] {"TLSv1.2"};
        //ok: disallow-old-tls-versions1
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
                sslContext, new String[] {"TLSv1.2"}, null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    /** TLSv1.2 and TLSv1.3 enabled, in ascending order. */
    public void ok_disable_old_tls2() {
        //ok: disallow-old-tls-versions1
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
                sslContext, new String[] {"TLSv1.2", "TLSv1.3"}, null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }

    /** Only TLSv1.3 enabled. */
    public void ok_disable_old_tls3() {
        //ok: disallow-old-tls-versions1
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
                sslContext, new String[] {"TLSv1.3"}, null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    }
}