Insecure SSL Version

ID

go.insecure_ssl_version

Severity

critical

Resource

Misconfiguration

Language

Go

Tags

CWE:295, NIST.SP.800-53, OWASP:2021:A2, OWASP:2021:A7, PCI-DSS:6.5.4

Description

Insecure SSL version usage refers to using outdated SSL/TLS protocols that are susceptible to known vulnerabilities. For secure communications, using up-to-date libraries and protocols is essential.

Rationale

Using outdated protocol versions such as SSLv2 or SSLv3 exposes applications to known weaknesses, for example the POODLE attack, that make man-in-the-middle (MITM) attacks possible. Modern best practices recommend using TLSv1.2 or later.

Here is a vulnerable code example for Golang:

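package main

import "crypto/tls"

func main() {
	// FLAW: SSLv3 is accepted as the minimum protocol version.
	config := &tls.Config{
		MinVersion: tls.VersionSSL30,
	}
	_ = config // keeps the example compiling; pass config to a server or client here
}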

Remediation

To mitigate insecure SSL version usage, set the minimum protocol version to TLS 1.2 or later, and prefer the most recent TLS version your library supports.

The sanitized version of the previous example would look like this:

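package main

import "crypto/tls"

func main() {
	// TLS 1.2 is the lowest protocol version the peer may negotiate.
	config := &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
	_ = config // keeps the example compiling; pass config to a server or client here
}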
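
The following is an added example, not part of this rule's own code: a check that a *tls.Config meets the TLS 1.2 floor from the Rationale. It goes beyond the MinVersion case above by also catching a low MaxVersion, which forces old protocols even when MinVersion looks correct. The names AuditTLSVersions, Harden and floor are hypothetical, and reporting an unset MinVersion is a policy assumption of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// floor is the lowest protocol version the Rationale accepts (TLS 1.2).
const floor = tls.VersionTLS12

// AuditTLSVersions (hypothetical helper) lists version problems found in cfg.
func AuditTLSVersions(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		// Assumption: report an unset floor, since it then depends on the Go default.
		findings = append(findings, "MinVersion unset: floor depends on the Go default")
	case cfg.MinVersion < floor:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion))
	}
	if cfg.MaxVersion != 0 && cfg.MaxVersion < floor {
		// A low ceiling forces old protocols regardless of MinVersion.
		findings = append(findings, fmt.Sprintf("MaxVersion 0x%04x caps below TLS 1.2", cfg.MaxVersion))
	}
	return findings
}

// Harden returns a copy of cfg with the floor raised and any low ceiling removed.
func Harden(cfg *tls.Config) *tls.Config {
	out := cfg.Clone() // Clone avoids mutating a config that may be in use
	if out.MinVersion < floor {
		out.MinVersion = floor
	}
	if out.MaxVersion != 0 && out.MaxVersion < floor {
		out.MaxVersion = 0 // 0 means the highest version crypto/tls supports
	}
	return out
}

func main() {
	// Constructed samples: the flawed config from this page and a low-ceiling variant.
	samples := []*tls.Config{
		{MinVersion: tls.VersionSSL30},
		{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS11},
	}
	for _, cfg := range samples {
		fmt.Println(AuditTLSVersions(cfg), "->", AuditTLSVersions(Harden(cfg)))
	}
}
```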

References

  • CWE-295: Improper Certificate Validation.