ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4423/csharp/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

88 lines
3.7 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

== Why is this an issue?
Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure.
This rule raises an issue when an SSL/TLS is configured at application level with an insecure version (ie: a protocol different from "TLSv1.2" or "TLSv1.3").
No issue is raised when the choice of the SSL/TLS version relies on the OS configuration. Be aware that the latest version of https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl\--schannel-ssp-[Windows 10 and Windows Server 2016 have TLSv1.0 and TLSv1.1 enabled by default]. Administrators can configure the OS to enforce TLSv1.2 minumum by https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings[updateing registry settings] or by applying a group policy.
=== Noncompliant code example
[source,csharp]
----
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; // Noncompliant; legacy version TLSv1 is enabled
----
For https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient[System.Net.Http.HttpClient]
[source,csharp]
----
new HttpClientHandler
{
SslProtocols = SslProtocols.Tls // Noncompliant; legacy version TLSv1 is enabled
};
----
=== Compliant solution
[source,csharp]
----
ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault; // Compliant; choice of the SSL/TLS versions rely on the OS configuration
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13; // Compliant
----
For https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient[System.Net.Http.HttpClient]
[source,csharp]
----
new HttpClientHandler
{
SslProtocols = SslProtocols.Tls12 // Compliant
};
new HttpClientHandler
{
SslProtocols = SslProtocols.None // Compliant; choice of the TLS versions rely on the OS configuration
};
----
== Resources
* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-327] - Inadequate Encryption Strength
* https://cwe.mitre.org/data/definitions/327[MITRE, CWE-326] - Use of a Broken or Risky Cryptographic Algorithm
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
* https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols[SSL and TLS Deployment Best Practices - Use secure protocols]
* https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls[Transport Layer Security (TLS) best practices with the .NET Framework]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 14 Dec 2020, 13:45:35 Čaba Šagi wrote:
Additional cases to cover:
* The default value of  ServicePointManager.SecurityProtocol is unsecure for .net framework versions earlier than 4.7.
* The default SslProtocol for https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=net-5.0#System_Net_Security_SslStream_AuthenticateAsClient_System_String_[SSLStream] is unsecure for framework versions earlier than 4.7
 
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink