tls-insecure-protocol-config¶
Ensure strong TLS protocols are used
The TLS/SSL connection configuration allows insecure and deprecated versions of the protocol. There are numerous known attacks which make an otherwise secure connection subject to eavesdropping and more. SSLv2, SSLv3 should never be used. TLSv1.0 and TLSv1.1 should be deprecated where possible.
Examples¶
Insecure Example
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
)
func main() {
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
// The following version are insecure: VersionTLS10, VersionTLS11, VersionSSL30
MinVersion: tls.VersionSSL30, // Allow insecure version the TCP protocol (SSLv3)
// Allowing cipher suites with broken cryptography is risky
CipherSuites: []uint16{
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
},
},
},
}
fetch(client, "https://tls-v1-0.badssl.com:1010/")
fetch(client, "https://rc4.badssl.com/")
}
func fetch(client *http.Client, url string) {
resp, err := client.Get(url)
if err != nil {
fmt.Println(err)
} else {
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
fmt.Println(">>> Data received over insecure TLS connection (broken cryptography)")
fmt.Println(string(body))
}
}
// "SSLv2", "SSLv3", "TLSv1.0", or "TLSv1.2" are also deprecated
SSLContext ctx = SSLContext.getInstance("SSL");
import ssl
from pyOpenSSL import SSL
# Two different ways to set an out-of-date SSL/TLS version
ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)
context = SSL.Context(method=SSL.SSLv2_METHOD)
const crypto = require('crypto');
https.createServer({
// secureOptions is a bitmask that requires "crypto.SSL_OP_NO_SSLv2 |
// crypto.SSL_OP_NO_SSLv3 | crypto.SSL_OP_NO_TLSv1.0" to restrict
// unsafe versions
// Instead of the secureOptions parameter, use minVersion
// if a TLS version needs to be specified.
secureOptions: crypto.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
}, app).listen(443);
Secure Example
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
)
func main() {
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
// if left unsetm TLSv1.0 will be used as the default
// when possible use TLSv1.2 as the minimum version
MinVersion: tls.VersionTLS12,
},
},
}
fetch(client, "https://tls-v1-0.badssl.com:1010/")
fetch(client, "https://rc4.badssl.com/")
}
func fetch(client *http.Client, url string) {
resp, err := client.Get(url)
if err != nil {
fmt.Println(err)
} else {
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
fmt.Println(">>> Data received over insecure TLS connection (broken cryptography)")
fmt.Println(string(body))
}
}
// if using SSLContext.getInstance use the most recent support version of TLS
SSLContext ctx = SSLContext.getInstance("TLSv1.2");
import ssl
from pyOpenSSL import SSL
# by default wrap_context will negotiate the highest version of TLS
# possible.
ssl.wrap_socket()
# use the create_default_context() method to use safe defaults
# which disables SSLv2 & SSLv3
context = ssl.create_default_context()
const crypto = require('crypto');
// by default minVersion will be set to TLSv1.2
https.createServer({}, app).listen(443);
// if set explicitly use minVersion instead of secureOptions
https.createServer({
minVersion: 'TLSv1.2'
}, app).listen(443);