2023-05-03 11:06:20 +02:00
== Why is this an issue?
2020-06-30 12:49:37 +02:00
include::../description.adoc[]
2023-05-03 11:06:20 +02:00
=== Noncompliant code example
2020-06-30 12:49:37 +02:00
2021-01-27 13:42:22 +01:00
``++secureProtocol++``, ``++minVersion++``/``++maxVersion++`` and ``++secureOptions++`` should not be set to use weak TLS protocols (TLSv1.1 and lower):
2020-06-30 14:49:38 +02:00
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 12:49:37 +02:00
----
let options = {
secureProtocol: 'TLSv1_method' // Noncompliant: TLS1.0 is insecure
};
2020-12-21 15:38:52 +01:00
let options = {
minVersion: 'TLSv1.1', // Noncompliant: TLS1.1 is insecure
maxVersion: 'TLSv1.2'
};
2020-06-30 12:49:37 +02:00
2020-12-21 15:38:52 +01:00
let options = {
secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1
}; // Noncompliant TLS 1.1 (constants.SSL_OP_NO_TLSv1_1) is not disabled
----
https://nodejs.org/api/https.html[https] built-in module:
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-12-21 15:38:52 +01:00
----
let req = https.request(options, (res) => {
2020-06-30 12:49:37 +02:00
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Noncompliant
----
https://nodejs.org/api/tls.html[tls] built-in module:
2020-06-30 14:49:38 +02:00
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 12:49:37 +02:00
----
2020-12-21 15:38:52 +01:00
let socket = tls.connect(443, "www.example.com", options, () => { }); // Noncompliant
2020-06-30 12:49:37 +02:00
----
https://www.npmjs.com/package/request[request] module:
2020-06-30 14:49:38 +02:00
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 12:49:37 +02:00
----
2020-12-21 15:38:52 +01:00
let socket = request.get(options);
2020-06-30 12:49:37 +02:00
----
2022-10-10 18:04:24 +02:00
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.DomainName.html[aws-cdk-lib.aws_apigateway.DomainName]:
[source,javascript]
----
import { aws_apigateway as agw } from 'aws-cdk-lib';
new agw.DomainName(this, 'Example', {
certificate: certificate,
domainName: domainName,
securityPolicy: agw.SecurityPolicy.TLS_1_0, // Noncompliant
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.Domain.html[aws-cdk-lib.aws_opensearchservice.Domain]:
[source,javascript]
----
import { aws_opensearchservice as os } from 'aws-cdk-lib';
new os.CfnDomain(this, 'Example', {
domainEndpointOptions: {
enforceHttps: true,
},
}); // NonCompliant by default
----
2023-05-03 11:06:20 +02:00
=== Compliant solution
2020-06-30 12:49:37 +02:00
2021-01-27 13:42:22 +01:00
Set either ``++secureProtocol++`` or ``++secureOptions++`` or ``++minVersion++`` to use secure protocols only (TLSv1.2 and higher):
2020-06-30 14:49:38 +02:00
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 12:49:37 +02:00
----
let options = {
secureProtocol: 'TLSv1_2_method'
};
2020-12-21 15:38:52 +01:00
// or
let options = {
secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1
};
// or
let options = {
minVersion: 'TLSv1.2'
};
----
2020-06-30 12:49:37 +02:00
2020-12-21 15:38:52 +01:00
https://nodejs.org/api/https.html[https] built-in module:
2020-06-30 12:49:37 +02:00
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-12-21 15:38:52 +01:00
----
let req = https.request(options, (res) => {
2020-06-30 12:49:37 +02:00
res.on('data', (d) => {
process.stdout.write(d);
});
2022-10-10 18:04:24 +02:00
});
2020-06-30 12:49:37 +02:00
----
https://nodejs.org/api/tls.html[tls] built-in module:
2020-06-30 14:49:38 +02:00
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 12:49:37 +02:00
----
2020-12-21 15:38:52 +01:00
let socket = tls.connect(443, "www.example.com", options, () => { });
2020-06-30 12:49:37 +02:00
----
https://www.npmjs.com/package/request[request] module:
2020-06-30 14:49:38 +02:00
2022-02-04 17:28:24 +01:00
[source,javascript]
2020-06-30 12:49:37 +02:00
----
2020-12-21 15:38:52 +01:00
let socket = request.get(options);
2020-06-30 12:49:37 +02:00
----
2022-10-10 18:04:24 +02:00
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.DomainName.html[aws-cdk-lib.aws_apigateway.DomainName]:
[source,javascript]
----
import { aws_apigateway as agw } from 'aws-cdk-lib';
new agw.DomainName(this, 'Example', {
certificate: certificate,
domainName: domainName,
securityPolicy: agw.SecurityPolicy.TLS_1_2,
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.Domain.html[aws-cdk-lib.aws_opensearchservice.Domain]:
[source,javascript]
----
import { aws_opensearchservice as os } from 'aws-cdk-lib';
new os.CfnDomain(this, 'Example', {
domainEndpointOptions: {
enforceHttps: true,
tlsSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07',
},
});
----
2020-06-30 12:49:37 +02:00
include::../see.adoc[]
2022-10-10 18:04:24 +02:00
* https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html[Amazon API Gateway] - Choosing a minimum TLS version
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
2023-05-25 14:18:12 +02:00
=== Message
==== OpenSSL and ssl modules
Change this code to use a stronger protocol.
==== AWS APIGateway
Change this code to enforce TLS 1.2 or above.
==== AWS OpenSearch / Elasticsearch
Omitting "tlsSecurityPolicy" enables a deprecated version of TLS. Set it to
enforce TLS 1.2 or above.
2021-09-20 15:38:42 +02:00
include::../highlighting.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
2022-10-10 18:04:24 +02:00
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
