Usage of an insecure TLS protocol version JS-S1009

It is not recommended to use TLS protocol versions less than 1.2. Using outdated TLS protocol versions lead to the use of outdated, vulnerable cipher suites. TLS 1.0 and 1.1 are vulnerable to downgrade attacks since they rely on SHA-1 hash for the integrity of exchanged messages. TLS 1.1 or below does not provide the option to select more robust hashing algorithms, which the newer protocols do.

This issue is detected when the secureProtocol or minVersion and maxVersion options are set to a version less that 1.2 and used with tls, https or request modules.

Bad Practice

const options = {
    secureProtocol: 'TLSv1_method', // insecure version
    minVersion: 'TLSv1.1', // insecure version
    maxVersion: 'TLSv1.2'
}

const connection = tls.connect(443, 'www.abc.com', options, () => { })

const req = https.request(options, res => {  })

const socket = request.get(options)

Recommended

const options = {
    secureProtocol: 'TLSv1_2_method',
    minVersion: 'TLSv1.2',
    maxVersion: 'TLSv1.3'
}

const connection = tls.connect(443, 'www.abc.com', options, () => { })

const req = https.request(options, res => {  })

const socket = request.get(options)

References

• OWASP - A2:2021
• OWASP - A7:2021
• OWASP - A3:2017
• OWASP - A6:2017