Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure. This rule raises an issue when an SSL/TLS is configured at application level with an insecure version (ie: a protocol different from "TLSv1.2" or "TLSv1.3"). No issue is raised when the choice of the SSL/TLS version relies on the OS configuration. Be aware that the latest version of https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl\--schannel-ssp-[Windows 10 and Windows Server 2016 have TLSv1.0 and TLSv1.1 enabled by default]. Administrators can configure the OS to enforce TLSv1.2 minumum by https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings[updateing registry settings] or by applying a group policy. == Noncompliant Code Example [source,csharp] ---- ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; // Noncompliant; legacy version TLSv1 is enabled ---- For https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient[System.Net.Http.HttpClient] [source,csharp] ---- new HttpClientHandler { SslProtocols = SslProtocols.Tls // Noncompliant; legacy version TLSv1 is enabled }; ---- == Compliant Solution [source,csharp] ---- ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault; // Compliant; choice of the SSL/TLS versions rely on the OS configuration ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13; // Compliant ---- For https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient[System.Net.Http.HttpClient] [source,csharp] ---- new HttpClientHandler { SslProtocols = SslProtocols.Tls12 // Compliant }; new HttpClientHandler { SslProtocols = SslProtocols.None // Compliant; choice of the TLS versions rely on the OS configuration }; ---- == See * https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures * https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures * https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure * https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration * https://cwe.mitre.org/data/definitions/326[MITRE, CWE-327] - Inadequate Encryption Strength * https://cwe.mitre.org/data/definitions/327[MITRE, CWE-326] - Use of a Broken or Risky Cryptographic Algorithm * https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses * https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols[SSL and TLS Deployment Best Practices - Use secure protocols] * https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls[Transport Layer Security (TLS) best practices with the .NET Framework] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::../highlighting.adoc[] ''' == Comments And Links (visible only on this page) include::comments-and-links.adoc[] endif::env-github,rspecator-view[]