rspec/rules/S4423/java/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

``++javax.net.ssl.SSLContext++`` library:

----
context = SSLContext.getInstance("TLSv1.1"); // Noncompliant
----

https://square.github.io/okhttp/[okhttp] library:

----
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
      .tlsVersions(TlsVersion.TLS_1_1) // Noncompliant
      .build();
----

== Compliant Solution

``++javax.net.ssl.SSLContext++`` library:

----
context = SSLContext.getInstance("TLSv1.2"); // Compliant
----

https://square.github.io/okhttp/[okhttp] library:

----
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
      .tlsVersions(TlsVersion.TLS_1_2) // Compliant
      .build();
----

== See

* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/326.html[MITRE, CWE-327] - Inadequate Encryption Strength
* https://cwe.mitre.org/data/definitions/327.html[MITRE, CWE-326] - Use of a Broken or Risky Cryptographic Algorithm
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
* https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https[Diagnosing TLS, SSL, and HTTPS]
* https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols[SSL and TLS Deployment Best Practices - Use secure protocols]