Use of a broken or risky cryptographic algorithm
Description
Use of a cryptographically insecure cipher suite has been detected. Alternative cipher suites should be used instead. It is strongly recommended that all TLS connections use TLS 1.3, which automatically selects the most secure cipher suite when negotiating the TLS handshake with clients or servers. TLS 1.3 cipher suites are all required to provide Perfect Forward Secrecy (PFS).
Examples
Insecure Code
tls.Config{..., CipherSuites: []uint16{...},...}
Secure Code
cfg := &tls.Config{
	MinVersion: tls.VersionTLS12,
	CipherSuites: []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	},
}
Remediation
Update the TLS configuration to use secure cipher suites, such as TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, or TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305. Consider using TLS 1.3 for automatic selection of secure ciphers.
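The following added example (not part of the rule's own code) builds the hardened configuration from the Secure Code section and adds a small pre-deployment check, weakSuites, that flags any explicitly listed suite which Go's crypto/tls itself classifies as insecure (tls.InsecureCipherSuites) or does not recognise at all. The helper names and the sample weak configuration are constructed for this example; note that Go ignores CipherSuites entirely for TLS 1.3, so the check only matters for TLS 1.2 negotiations.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// hardenedConfig returns the configuration recommended by this rule:
// TLS 1.2 minimum and only ECDHE (forward-secret) AEAD cipher suites.
func hardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// weakSuites lists the names of suites in cfg.CipherSuites that crypto/tls
// reports as insecure, plus any id crypto/tls does not implement at all
// (constructed check for this example). An empty result passes the check.
func weakSuites(cfg *tls.Config) []string {
	insecure := map[uint16]string{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = cs.Name
	}
	known := map[uint16]bool{}
	for _, cs := range tls.CipherSuites() {
		known[cs.ID] = true
	}
	var bad []string
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			bad = append(bad, name)
		} else if !known[id] {
			bad = append(bad, fmt.Sprintf("unknown suite 0x%04x", id))
		}
	}
	return bad
}

func main() {
	// Constructed weak configuration: an RC4 suite alongside a good one.
	weak := &tls.Config{CipherSuites: []uint16{
		tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}}
	fmt.Println("weak config findings:", weakSuites(weak))
	fmt.Println("hardened config findings:", weakSuites(hardenedConfig()))
}
```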
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0775 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | cipher suite, TLS, cryptographic algorithm |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |