This rule raises an issue when an insecure TLS protocol version (i.e. a protocol different from "TLSv1.2", "TLSv1.3", "DTLSv1.2", or "DTLSv1.3") is
used or allowed.
It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the
door to downgrade attacks: a malicious actor who is able to intercept the connection could modify the requested protocol version and downgrade it to a
less secure version.
In most cases, using the default system configuration is not compliant. Indeed, an application might get deployed on a wide range of systems with
different configurations. While using a system’s default value might be safe on modern up-to-date systems, this might not be the case on older
systems. It is therefore recommended to explicitly set a safe configuration in every case.
Noncompliant Code Example
secureProtocol, minVersion/maxVersion and secureOptions should not be set to use weak TLS
protocols (TLSv1.1 and lower):
let options = {
secureProtocol: 'TLSv1_method' // Noncompliant: TLS1.0 is insecure
};
let options = {
minVersion: 'TLSv1.1', // Noncompliant: TLS1.1 is insecure
maxVersion: 'TLSv1.2'
};
let options = {
secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1
}; // Noncompliant TLS 1.1 (constants.SSL_OP_NO_TLSv1_1) is not disabled
https built-in module:
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Noncompliant
tls built-in module:
let socket = tls.connect(443, "www.example.com", options, () => { }); // Noncompliant
request module:
let socket = request.get(options);
For aws-cdk-lib.aws_apigateway.DomainName:
import { aws_apigateway as agw } from 'aws-cdk-lib';
new agw.DomainName(this, 'Example', {
certificate: certificate,
domainName: domainName,
securityPolicy: agw.SecurityPolicy.TLS_1_0, // Noncompliant
});
For aws-cdk-lib.aws_opensearchservice.Domain:
import { aws_opensearchservice as os } from 'aws-cdk-lib';
new os.CfnDomain(this, 'Example', {
domainEndpointOptions: {
enforceHttps: true,
},
}); // NonCompliant by default
Compliant Solution
Set either secureProtocol or secureOptions or minVersion to use secure protocols only (TLSv1.2 and
higher):
let options = {
secureProtocol: 'TLSv1_2_method'
};
// or
let options = {
secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1
};
// or
let options = {
minVersion: 'TLSv1.2'
};
https built-in module:
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
});
tls built-in module:
let socket = tls.connect(443, "www.example.com", options, () => { });
request module:
let socket = request.get(options);
For aws-cdk-lib.aws_apigateway.DomainName:
import { aws_apigateway as agw } from 'aws-cdk-lib';
new agw.DomainName(this, 'Example', {
certificate: certificate,
domainName: domainName,
securityPolicy: agw.SecurityPolicy.TLS_1_2,
});
For aws-cdk-lib.aws_opensearchservice.Domain:
import { aws_opensearchservice as os } from 'aws-cdk-lib';
new os.CfnDomain(this, 'Example', {
domainEndpointOptions: {
enforceHttps: true,
tlsSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07',
},
});
See
