Use of deprecated TLS version
Description
TLS 1.0 and 1.1 were deprecated by the IETF in June 2018 because of a number of known attacks against these versions. Using a deprecated TLS version may allow an attacker to recover sensitive information from the connection. It is strongly recommended that all TLS connections use TLS 1.3; with TLS 1.3, Go selects the cipher suite itself when negotiating the handshake with a client or server, so the most secure option is chosen automatically.
Examples
Insecure Code

```go
tls.Config{MinVersion: tls.VersionTLS11}
```

Secure Code

```go
tls.Config{MinVersion: tls.VersionTLS13}
```

Remediation
Update the TLS version to 1.3 by setting `MinVersion` to `tls.VersionTLS13` in the `tls.Config`.
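To make the effect of `MinVersion` concrete, here is an added Go example (not part of the original rule page, and not code from any project it describes) that runs TLS handshakes entirely in memory between a server and a client with chosen version bounds. It uses a constructed self-signed certificate and the hypothetical helper names `selfSignedCert`, `bufferedPipe` and `negotiate`. The three cases in `main` show a TLS 1.3-only server accepting a modern client, the same server refusing a client that can offer at most TLS 1.2, and the page's insecure `MinVersion: tls.VersionTLS11` server negotiating TLS 1.2 with that same capped client, which is exactly the downgrade the rule is meant to prevent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for the in-process
// handshakes below; it is constructed test material, not a deployment cert.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client will trust exactly this certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// bufferedPipe joins two in-memory net.Conn ends through copying goroutines so
// that a write never blocks until the peer reads it; a bare net.Pipe is
// synchronous and can deadlock when a handshake flight is longer than the peer
// consumes before it replies.
func bufferedPipe() (net.Conn, net.Conn) {
	a1, a2 := net.Pipe()
	b1, b2 := net.Pipe()
	go func() { io.Copy(b1, a2); b1.Close() }() // bytes written to a1 arrive at b2
	go func() { io.Copy(a2, b1); a2.Close() }() // bytes written to b2 arrive at a1
	return a1, b2
}

// negotiate runs one TLS handshake in memory between a server whose MinVersion
// is serverMin and a client whose MaxVersion is clientMax. It returns the
// protocol version both sides agreed on, or an error if the server refused
// the client's best offer.
func negotiate(serverMin, clientMax uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: serverMin}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "example.test", MaxVersion: clientMax}
	sc, cc := bufferedPipe()
	defer sc.Close()
	defer cc.Close()
	srv := tls.Server(sc, serverCfg)
	cli := tls.Client(cc, clientCfg)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cliErr := cli.Handshake()
	if err := <-srvErr; err != nil {
		return 0, err
	}
	if cliErr != nil {
		return 0, cliErr
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	for _, c := range [][2]uint16{
		{tls.VersionTLS13, tls.VersionTLS13}, // hardened server, modern client
		{tls.VersionTLS13, tls.VersionTLS12}, // hardened server, client capped at TLS 1.2
		{tls.VersionTLS11, tls.VersionTLS12}, // the page's insecure MinVersion, same capped client
	} {
		v, err := negotiate(c[0], c[1])
		fmt.Printf("server MinVersion 0x%04x, client MaxVersion 0x%04x -> negotiated 0x%04x, err: %v\n",
			c[0], c[1], v, err)
	}
}
```

The negotiated value is `0x0304` (TLS 1.3) in the first case, an error in the second (the server's alert is `protocol version not supported`), and `0x0303` (TLS 1.2) in the third. Leaving `MinVersion` unset is not equivalent to the secure form: zero means Go's release-dependent default, which is why the rule expects an explicit `tls.VersionTLS13`. In real code `RootCAs` would be the actual trust store rather than a constructed pool.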
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0777 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-310 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | TLS, deprecated version |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |