Insecure TLS Version Used
Description
The app uses TLS 1.0, TLS 1.1 or TLS 1.2. TLS 1.3 should be used instead. TLS versions 1.1 and 1.0 were deprecated by the IETF in June 2018 due to a number of attacks against the vulnerable versions. Use of a deprecated TLS version may result in the unauthorized retrieval of sensitive information.
Examples
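Insecure Code
```swift
// Minimum of TLS 1.2: the session still accepts TLS 1.2 handshakes.
configuration.tlsMinimumSupportedProtocolVersion = .TLSv12
```
Secure Code
```swift
// Minimum of TLS 1.3: handshakes below TLS 1.3 are refused.
configuration.tlsMinimumSupportedProtocolVersion = .TLSv13
```
Remediation
Update the TLS version to 1.3 by setting tlsMinimumSupportedProtocolVersion to .TLSv13.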
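
The remediation in context, with a check that the minimum is actually enforced at runtime. This is an added example, not code from the rule's authors. It uses the `tls_protocol_version_t`-typed property `tlsMinimumSupportedProtocolVersion` (where `.TLSv13` is defined) and assumes a deployment target of iOS 13 / macOS 10.15 or later; the class name `TLS13Session` and the URL are hypothetical.

```swift
import Foundation
import Security

// Hypothetical helper (not from the original page): a session that refuses
// anything below TLS 1.3 and records what each connection negotiated.
final class TLS13Session: NSObject, URLSessionTaskDelegate {
    // Negotiated protocol versions, keyed by request host. Written only from
    // the session's serial delegate queue.
    private(set) var negotiated: [String: tls_protocol_version_t] = [:]

    lazy var session: URLSession = {
        let configuration = URLSessionConfiguration.ephemeral
        // Servers that cannot offer TLS 1.3 fail the handshake instead of
        // being reached over an older version.
        configuration.tlsMinimumSupportedProtocolVersion = .TLSv13
        return URLSession(configuration: configuration,
                          delegate: self,
                          delegateQueue: nil)
    }()

    // Called once per task with timing and connection details.
    func urlSession(_ session: URLSession,
                    task: URLSessionTask,
                    didFinishCollecting metrics: URLSessionTaskMetrics) {
        for transaction in metrics.transactionMetrics {
            guard let host = transaction.request.url?.host,
                  let version = transaction.negotiatedTLSProtocolVersion
            else { continue }  // no TLS on this transaction (e.g. cache hit)
            negotiated[host] = version
            if version != .TLSv13 {
                // Not expected with the minimum above; surface it for triage.
                print("TLS policy violation: \(host) raw version \(version.rawValue)")
            }
        }
    }
}

// Usage: the URL is a placeholder for the app's own endpoint.
let client = TLS13Session()
let task = client.session.dataTask(with: URL(string: "https://example.com")!) { _, _, error in
    if let error = error {
        // A server limited to TLS 1.2 or older ends up here.
        print("Request failed: \(error.localizedDescription)")
    }
}
task.resume()
```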
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0634 |
| Category | InsecureConfig |
| Severity | CRITICAL |
| CWE | CWE-757 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | security, tls |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |