Why is this an issue?
Older versions of the SSL/TLS protocol, such as "SSLv3", have been proven to be insecure.
This rule raises an issue when SSL/TLS is configured at the application level with an insecure version (i.e. a protocol other than "TLSv1.2" or
"TLSv1.3").
No issue is raised when the choice of the SSL/TLS version relies on the OS configuration. Be aware that the latest versions of Windows 10 and Windows Server 2016 have TLSv1.0 and
TLSv1.1 enabled by default. Administrators can configure the OS to enforce a TLSv1.2 minimum by updating registry settings or by applying a group
policy.
Noncompliant code example
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; // Noncompliant; legacy version TLSv1 is enabled
For System.Net.Http.HttpClient
var handler = new HttpClientHandler
{
SslProtocols = SslProtocols.Tls // Noncompliant; legacy version TLSv1 is enabled
};
Compliant solution
ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault; // Compliant; choice of the SSL/TLS versions relies on the OS configuration
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13; // Compliant
For System.Net.Http.HttpClient
var handler = new HttpClientHandler
{
SslProtocols = SslProtocols.Tls12 // Compliant
};
var handler = new HttpClientHandler
{
SslProtocols = SslProtocols.None // Compliant; choice of the TLS versions relies on the OS configuration
};
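The following console program is an added example and is not part of this rule page or of the .NET libraries it describes. It shows the distinction the rule draws between the three kinds of SslProtocols values (None for "defer to the OS", the explicitly allowed TLS 1.2/1.3 bits, and anything older) as a small policy check, and then builds an HttpClient that is pinned to TLS 1.2/1.3 only. The TlsPolicy class and its IsInsecure and CreateClient methods are hypothetical helpers written for this example; it assumes .NET 6 or later on a platform whose Schannel/OpenSSL build supports TLS 1.3.

```csharp
using System;
using System.Net.Http;
using System.Security.Authentication;

#pragma warning disable SYSLIB0039 // Tls/Tls11 are obsolete in .NET 7+; referenced only so the check can be shown rejecting them

// Hypothetical helper mirroring the rule's policy: only TLS 1.2 and TLS 1.3 may be
// enabled explicitly, and SslProtocols.None means "let the OS configuration decide".
static class TlsPolicy
{
    private const SslProtocols Allowed = SslProtocols.Tls12 | SslProtocols.Tls13;

    // True when the value enables any protocol other than TLS 1.2/1.3.
    // SslProtocols is a [Flags] enum, so mask out the allowed bits and see what remains.
    public static bool IsInsecure(SslProtocols configured)
    {
        if (configured == SslProtocols.None)
            return false; // OS configuration decides; the rule raises nothing here
        return (configured & ~Allowed) != SslProtocols.None;
    }

    // Builds an HttpClient whose handler is pinned to the given protocols and refuses
    // any configuration the rule would flag. Hypothetical helper, not a .NET API.
    public static HttpClient CreateClient(SslProtocols protocols)
    {
        if (IsInsecure(protocols))
            throw new ArgumentException($"Insecure TLS configuration: {protocols}", nameof(protocols));

        var handler = new HttpClientHandler { SslProtocols = protocols };
        return new HttpClient(handler);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed test cases: each configuration paired with whether the rule would flag it.
        (SslProtocols Value, bool ExpectedInsecure)[] cases =
        {
            (SslProtocols.None,                       false), // OS default: compliant
            (SslProtocols.Tls12,                      false), // compliant
            (SslProtocols.Tls12 | SslProtocols.Tls13, false), // compliant
            (SslProtocols.Tls,                        true),  // TLS 1.0: noncompliant
            (SslProtocols.Tls11 | SslProtocols.Tls12, true),  // TLS 1.1 still enabled: noncompliant
        };

        foreach (var (value, expected) in cases)
        {
            bool actual = TlsPolicy.IsInsecure(value);
            Console.WriteLine($"{value,-14} insecure={actual} (expected {expected})");
            if (actual != expected)
                throw new InvalidOperationException("policy check mismatch for " + value);
        }

        // Compliant client: explicit TLS 1.2/1.3 only.
        using var client = TlsPolicy.CreateClient(SslProtocols.Tls12 | SslProtocols.Tls13);
        Console.WriteLine("Client created with TLS 1.2/1.3 pinned.");

        // Noncompliant configuration is rejected before any connection is attempted.
        try
        {
            TlsPolicy.CreateClient(SslProtocols.Tls);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Two practical points when applying this in a real code base: on .NET Core and .NET 5+, ServicePointManager.SecurityProtocol does not govern HttpClient (it only affects the legacy HttpWebRequest stack), so pinning has to happen on the handler as shown; and SslProtocols.None is the recommended default precisely because it lets OS hardening (the registry or group-policy settings mentioned above) take effect without a code change.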
Resources