9 lines
864 B
Plaintext
9 lines
864 B
Plaintext
This rule raises an issue when an insecure TLS protocol version (i.e. a protocol different from "TLSv1.2", "TLSv1.3", "DTLSv1.2", or "DTLSv1.3") is used or allowed.
|
|
|
|
It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the door to downgrade attacks: a malicious actor who is able to intercept the connection could modify the requested protocol version and downgrade it to a less secure version.
|
|
|
|
In most cases, using the default system configuration is not compliant. Indeed,
|
|
an application might get deployed on a wide range of systems with different
|
|
configurations. While using a system's default value might be safe on modern
|
|
up-to-date systems, this might not be the case on older systems. It is therefore
|
|
recommended to explicitly set a safe configuration in every case. |