rspec/rules/S4423/vbnet/rule.adoc

Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure.


This rule raises an issue when an SSL/TLS is configured at application level with an insecure version (ie: a protocol different from "TLSv1.2" or "TLSv1.3").


No issue is raised when the choice of the SSL/TLS version relies on the OS configuration. Be aware that the latest version of https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl\--schannel-ssp-[Windows 10 and Windows Server 2016 have TLSv1.0 and TLSv1.1 enabled by default]. Administrators can configure the OS to enforce TLSv1.2 minumum by https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings[updateing registry settings] or by applying a group policy.

== Noncompliant Code Example

----
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls ' Noncompliant; legacy version TLSv1 is enabled
----

For https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient[System.Net.Http.HttpClient]

----
Dim Handler As New HttpClientHandler With {.SslProtocols = SslProtocols.Tls} ' Noncompliant; legacy version TLSv1 Is enabled
----

== Compliant Solution

----
ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault  ' Compliant; choice Of the SSL/TLS versions rely On the OS configuration
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 Or SecurityProtocolType.Tls13  ' Compliant
----

For https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient[System.Net.Http.HttpClient]

----
Dim HandlerA As New HttpClientHandler With {.SslProtocols = SslProtocols.Tls12} ' Compliant
Dim HandlerB As New HttpClientHandler With {.SslProtocols = SslProtocols.None}  ' Compliant; choice Of the TLS versions rely On the OS configuration
----

== See

* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/326.html[MITRE, CWE-327] - Inadequate Encryption Strength
* https://cwe.mitre.org/data/definitions/327.html[MITRE, CWE-326] - Use of a Broken or Risky Cryptographic Algorithm
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
* https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols[SSL and TLS Deployment Best Practices - Use secure protocols]
* https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls[Transport Layer Security (TLS) best practices with the .NET Framework]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure.`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`This rule raises an issue when an SSL/TLS is configured at application level with an insecure version (ie: a protocol different from "TLSv1.2" or "TLSv1.3").`

Force linebreaks 2021-02-02 15:02:10 +01:00
Enable forced linebreaks in quotes; escape -- in url 2021-02-02 16:54:43 +01:00			No issue is raised when the choice of the SSL/TLS version relies on the OS configuration. Be aware that the latest version of https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl\--schannel-ssp-[Windows 10 and Windows Server 2016 have TLSv1.0 and TLSv1.1 enabled by default]. Administrators can configure the OS to enforce TLSv1.2 minumum by https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings[updateing registry settings] or by applying a group policy.
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
			`== Noncompliant Code Example`

			`----`
			`ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls ' Noncompliant; legacy version TLSv1 is enabled`
			`----`

			`For https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient[System.Net.Http.HttpClient]`

			`----`
			`Dim Handler As New HttpClientHandler With {.SslProtocols = SslProtocols.Tls} ' Noncompliant; legacy version TLSv1 Is enabled`
			`----`

			`== Compliant Solution`

			`----`
			`ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault ' Compliant; choice Of the SSL/TLS versions rely On the OS configuration`
			`ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 Or SecurityProtocolType.Tls13 ' Compliant`
			`----`

			`For https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient[System.Net.Http.HttpClient]`

			`----`
			`Dim HandlerA As New HttpClientHandler With {.SslProtocols = SslProtocols.Tls12} ' Compliant`
			`Dim HandlerB As New HttpClientHandler With {.SslProtocols = SslProtocols.None} ' Compliant; choice Of the TLS versions rely On the OS configuration`
			`----`

			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
			`* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration`
Update 2021-02-18 15:34:22 +01:00			`* https://cwe.mitre.org/data/definitions/326.html[MITRE, CWE-327] - Inadequate Encryption Strength`
			`* https://cwe.mitre.org/data/definitions/327.html[MITRE, CWE-326] - Use of a Broken or Risky Cryptographic Algorithm`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses`
			`* https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols[SSL and TLS Deployment Best Practices - Use secure protocols]`
			`* https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls[Transport Layer Security (TLS) best practices with the .NET Framework]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`