SV.WEAK.TLS

Weak SSL/TLS protocols should not be used.

Klocwork reports an SV.WEAK.TLS defect if a weak TLS protocol such as 1.0 or 1.1 is used.

Vulnerability and risk

Security experts widely recommend enforcing TLS 1.2 as the minimum protocol version; they recommend disallowing older versions, such as TLS 1.0 or 1.1. Failure to do so can open the door to downgrade attacks where a malicious actor who is able to intercept the connection could modify the requested protocol version and downgrade it to a less secure version.

Mitigation and prevention

More secure protocols like TLS 1.2 and later versions should be used.

Vulnerable code example 1

Copy
import javax.net.ssl.*;
public class Test {
  public void test() throws Exception {
    SSLContext context = SSLContext.getInstance("TLSv1.1");
  }
}

Klocwork reports an SV.WEAK.TLS defect on line 4, indicating, "Recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0/1.1 as it is less secure."

Fixed code example 1

Copy
import javax.net.ssl.*;
public class Test {
  public void test() throws Exception {
    SSLContext context = SSLContext.getInstance("TLSv1.2");
  }
}

Klocwork no longer reports a defect because TLS 1.2 is used.

Vulnerable code example 2

Copy
import javax.net.ssl.*;
public class Test {
  public void test() {
    SSLSocket socket = null;
            try {
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            socket = (SSLSocket) factory.createSocket("abc.com", 443);
            socket.setEnabledProtocols(new String[] {"TLSv1.0"});
            socket.startHandshake();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (socket != null) {
                socket.close();
            }
        }
  }
}

Klocwork reports an SV.WEAK.TLS defect on line 7, indicating, "Recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0/1.1 as it is less secure."

Fixed code example 2

Copy
import javax.net.ssl.*;
public class Test {
  public void test() {
    SSLSocket socket = null;
            try {
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            socket = (SSLSocket) factory.createSocket("abc.com", 443);
            socket.setEnabledProtocols(new String[] {"TLSv1.2"});
            socket.startHandshake();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (socket != null) {
                socket.close();
            }
        }
  }
}

Klocwork no longer reports a defect because TLS 1.2 is used.

Vulnerable code example 3

Copy
import javax.net.ssl.*;
public class Test {
  public void test() {
        SSLServerSocket serverSocket = null;
           try {
           SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
           serverSocket = (SSLServerSocket) factory.createServerSocket(8980);
           SSLParameters params = new SSLParameters();
           params.setProtocols(new String[] {"TLSv1.1"});
           serverSocket.setSSLParameters(params);
           SSLSocket sslSocket = (SSLSocket) serverSocket.accept();       
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (serverSocket != null) {
                serverSocket.close();
            }
        }
  }
}

Klocwork reports an SV.WEAK.TLS defect on line 9, indicating, "Recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0/1.1 as it is less secure."

Fixed code example 3

Copy
import javax.net.ssl.*;
public class Test {
  public void test() {
        SSLServerSocket serverSocket = null;
           try {
           SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
           serverSocket = (SSLServerSocket) factory.createServerSocket(8980);
           SSLParameters params = new SSLParameters();
           params.setProtocols(new String[] {"TLSv1.3"});
           serverSocket.setSSLParameters(params);
           SSLSocket sslSocket = (SSLSocket) serverSocket.accept();       
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (serverSocket != null) {
                serverSocket.close();
            }
        }
  }
}

Klocwork no longer reports a defect because TLS 1.3 is used.

Security training

Application security training materials provided by Secure Code Warrior.