include::../description.adoc[] == Noncompliant Code Example ``++secureProtocol++``, ``++minVersion++``/``++maxVersion++`` and ``++secureOptions++`` should not be set to use weak TLS protocols (TLSv1.1 and lower): [source,javascript] ---- let options = { secureProtocol: 'TLSv1_method' // Noncompliant: TLS1.0 is insecure }; let options = { minVersion: 'TLSv1.1', // Noncompliant: TLS1.1 is insecure maxVersion: 'TLSv1.2' }; let options = { secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1 }; // Noncompliant TLS 1.1 (constants.SSL_OP_NO_TLSv1_1) is not disabled ---- https://nodejs.org/api/https.html[https] built-in module: [source,javascript] ---- let req = https.request(options, (res) => { res.on('data', (d) => { process.stdout.write(d); }); }); // Noncompliant ---- https://nodejs.org/api/tls.html[tls] built-in module: [source,javascript] ---- let socket = tls.connect(443, "www.example.com", options, () => { }); // Noncompliant ---- https://www.npmjs.com/package/request[request] module: [source,javascript] ---- let socket = request.get(options); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.DomainName.html[aws-cdk-lib.aws_apigateway.DomainName]: [source,javascript] ---- import { aws_apigateway as agw } from 'aws-cdk-lib'; new agw.DomainName(this, 'Example', { certificate: certificate, domainName: domainName, securityPolicy: agw.SecurityPolicy.TLS_1_0, // Noncompliant }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.Domain.html[aws-cdk-lib.aws_opensearchservice.Domain]: [source,javascript] ---- import { aws_opensearchservice as os } from 'aws-cdk-lib'; new os.CfnDomain(this, 'Example', { domainEndpointOptions: { enforceHttps: true, }, }); // NonCompliant by default ---- == Compliant Solution Set either ``++secureProtocol++`` or ``++secureOptions++`` or ``++minVersion++`` to use secure protocols only (TLSv1.2 and higher): [source,javascript] ---- let options = { secureProtocol: 'TLSv1_2_method' }; // or let options = { secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1 }; // or let options = { minVersion: 'TLSv1.2' }; ---- https://nodejs.org/api/https.html[https] built-in module: [source,javascript] ---- let req = https.request(options, (res) => { res.on('data', (d) => { process.stdout.write(d); }); }); ---- https://nodejs.org/api/tls.html[tls] built-in module: [source,javascript] ---- let socket = tls.connect(443, "www.example.com", options, () => { }); ---- https://www.npmjs.com/package/request[request] module: [source,javascript] ---- let socket = request.get(options); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.DomainName.html[aws-cdk-lib.aws_apigateway.DomainName]: [source,javascript] ---- import { aws_apigateway as agw } from 'aws-cdk-lib'; new agw.DomainName(this, 'Example', { certificate: certificate, domainName: domainName, securityPolicy: agw.SecurityPolicy.TLS_1_2, }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.Domain.html[aws-cdk-lib.aws_opensearchservice.Domain]: [source,javascript] ---- import { aws_opensearchservice as os } from 'aws-cdk-lib'; new os.CfnDomain(this, 'Example', { domainEndpointOptions: { enforceHttps: true, tlsSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07', }, }); ---- include::../see.adoc[] * https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html[Amazon API Gateway] - Choosing a minimum TLS version ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::message.adoc[] include::../highlighting.adoc[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]