ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4423/csharp/rule.adoc
Arseniy Zaostrovnykh 716b335a56 Enable forced linebreaks in quotes; escape -- in url
2021-02-02 16:54:43 +01:00

55 lines
2.7 KiB
Plaintext
Raw Blame History

Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure.
This rule raises an issue when an SSL/TLS is configured at application level with an insecure version (ie: a protocol different from "TLSv1.2" or "TLSv1.3").
No issue is raised when the choice of the SSL/TLS version relies on the OS configuration. Be aware that the latest version of https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl\--schannel-ssp-[Windows 10 and Windows Server 2016 have TLSv1.0 and TLSv1.1 enabled by default]. Administrators can configure the OS to enforce TLSv1.2 minumum by https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings[updateing registry settings] or by applying a group policy.
== Noncompliant Code Example
----
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; // Noncompliant; legacy version TLSv1 is enabled
----
For https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient[System.Net.Http.HttpClient]
----
new HttpClientHandler
{
SslProtocols = SslProtocols.Tls // Noncompliant; legacy version TLSv1 is enabled
};
----
== Compliant Solution
----
ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault; // Compliant; choice of the SSL/TLS versions rely on the OS configuration
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13; // Compliant
----
For https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient[System.Net.Http.HttpClient]
----
new HttpClientHandler
{
SslProtocols = SslProtocols.Tls12 // Compliant
};
new HttpClientHandler
{
SslProtocols = SslProtocols.None // Compliant; choice of the TLS versions rely on the OS configuration
};
----
== See
* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* http://cwe.mitre.org/data/definitions/326.html[MITRE, CWE-327] - Inadequate Encryption Strength
* http://cwe.mitre.org/data/definitions/327.html[MITRE, CWE-326] - Use of a Broken or Risky Cryptographic Algorithm
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
* https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https[Diagnosing TLS, SSL, and HTTPS]
* https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols[SSL and TLS Deployment Best Practices - Use secure protocols]
* https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls[Transport Layer Security (TLS) best practices with the .NET Framework]
Reference in New Issue View Git Blame Copy Permalink