Insecure SSL Protocol

Description

Avoid initializing SSLContext with insecure protocols like `SSL`, `SSLv2`, or `SSLv3`. These protocols are outdated and do not validate certificates by default. Additionally, these older `SSL` versions have many known security issues. Instead, use secure protocols like `TLSv1.2` or `TLSv1.3`.

Examples

Insecure Code

java

SSLContext context = SSLContext.getInstance("SSL");

Secure Code

java

SSLContext context = SSLContext.getInstance("TLSv1.3");

Remediation

Use secure protocols like `TLSv1.2` or `TLSv1.3` when initializing SSLContext, e.g., `SSLContext context = SSLContext.getInstance("TLSv1.3");`

Rule Details

Field	Value
ID	CODE-0698
Category	Crypto
Severity	MEDIUM
CWE	CWE-295
Confidence	HIGH
Impact	MEDIUM
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	insecure protocol, SSLContext
OWASP	A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Insecure SSL Protocol

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Insecure SSL Protocol ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Insecure SSL Protocol

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details