Inadequate encryption strength
Description
The application was found enabling insecure TLS protocol versions. When enabling protocol versions for an `SSLContext`, only the following versions should be allowed: TLSv1.2, TLSv1.3, DTLSv1.2, DTLSv1.3. To mitigate potential security risks, it is strongly advised to enforce TLS 1.2 as the minimum protocol version and disallow older versions such as TLS 1.0.
Examples
Insecure Code
java
SSLContext.getInstance("TLSv1.0");Secure Code
java
SSLContext.getInstance("TLSv1.2");Remediation
Explicitly define a secure configuration by setting the enabled protocols to TLSv1.2, TLSv1.3, DTLSv1.2, or DTLSv1.3 when creating an SSLContext.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0699 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-326 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | insecure protocol, TLS version |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |