Insecure TLS/SSL version usage
Description
This rule flags code that sets an insecure TLS or SSL version (e.g., TLSv1, TLSv1.1, SSLv3) in the `jdk.tls.client.protocols` system property. These protocol versions are deprecated because of known weaknesses in their design and cipher suites; a client configured with them will negotiate a downgraded connection whenever the server permits it. Replace them with TLSv1.2 or TLSv1.3.
Examples
Insecure Code
```java
System.setProperty("jdk.tls.client.protocols", "TLSv1");
```
Secure Code
```java
System.setProperty("jdk.tls.client.protocols", "TLSv1.3");
```
Remediation
Replace the insecure TLS or SSL version with a secure one, such as TLSv1.2 or TLSv1.3, in the `jdk.tls.client.protocols` property.
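The following is an added example, not part of this rule page or the scanned project's code. It shows one way to enforce the remediation in application code: the value destined for `jdk.tls.client.protocols` is checked against an allowlist of TLSv1.2 and TLSv1.3 before it is applied, and the same allowlist is pushed onto an individual `SSLSocket` through `SSLParameters` so the restriction holds even where the system property was never set. The class name `TlsProtocolPolicy`, its method names and the sample values are assumptions made for this example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

// Hypothetical helper written for this example; not part of the JDK or the page.
public final class TlsProtocolPolicy {

    // Only these protocol versions are acceptable for new client connections.
    private static final List<String> ALLOWED = List.of("TLSv1.3", "TLSv1.2");

    private TlsProtocolPolicy() {}

    // Parse a comma-separated jdk.tls.client.protocols value and reject any
    // entry that is not on the allowlist (TLSv1, TLSv1.1, SSLv3, typos, ...).
    public static List<String> validate(String propertyValue) {
        List<String> requested = Arrays.stream(propertyValue.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
        if (requested.isEmpty()) {
            throw new IllegalArgumentException("No TLS protocol version given");
        }
        for (String protocol : requested) {
            if (!ALLOWED.contains(protocol)) {
                throw new IllegalArgumentException(
                        "Refusing insecure or unknown protocol version: " + protocol);
            }
        }
        return requested;
    }

    // Apply the property only after it has passed validation.
    public static void applyClientProtocols(String propertyValue) {
        validate(propertyValue);
        System.setProperty("jdk.tls.client.protocols", propertyValue);
    }

    // Per-socket enforcement: restrict the enabled protocols regardless of how
    // the JVM-wide property or the default SSLContext happen to be configured.
    public static SSLSocket restrict(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(ALLOWED.toArray(new String[0]));
        socket.setSSLParameters(params);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Accepted: both values are on the allowlist.
        applyClientProtocols("TLSv1.2,TLSv1.3");

        // Rejected: the deprecated version from the rule's insecure example.
        try {
            validate("TLSv1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // An unconnected socket is enough to show the effective protocol list
        // without any network access.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket socket = restrict((SSLSocket) factory.createSocket());
        System.out.println("enabled: " + Arrays.toString(socket.getEnabledProtocols()));
    }
}
```

The system property is read when the default `SSLContext` is first initialised, so `applyClientProtocols` has to run before any TLS connection is opened; setting `-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3` on the JVM command line avoids that ordering dependency. The per-socket `restrict` call is the safer belt-and-braces option for code paths that cannot guarantee startup order.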
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0668 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-326 |
| Confidence | MEDIUM |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | TLS, SSL, insecure protocol |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |