GO-S1020 · `MinVersion` is missing from this TLS configuration

MinVersion is missing from this TLS configuration GO-S1020

Security

Major

11 days ago — a year old

a05 a02 a06 cwe-327 sans top 25 owasp top 10

MinVersion is missing from this TLS configuration: tls.Config

124	}
125
126	t := common.NewDefaultTransport()
127	t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}128
129	proxy.Transport = t
130

MinVersion is missing from this TLS configuration: tls.Config

provider/k8s/proxy.go

19	}
20
21	if common.DefaultBool(opts.TLS, false) {
22		cn = tls.Client(cn, &tls.Config{})23	}
24
25	if err := common.Pipe(cn, rw); err != nil {

MinVersion is missing from this TLS configuration: tls.Config

pkg/common/http.go

26func InsecureHTTPClient() *http.Client {
27	t := NewDefaultTransport()
28
29	t.TLSClientConfig = &tls.Config{30		InsecureSkipVerify: true,
31	}
32

Description

MinVersion is missing from this TLS configuration. As the default value is TLS 1.0, which is considered insecure, it is recommended to explicitly set the MinVersion to a secure version of TLS, such as VersionTLS13.

Bad practice

client := &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{
            KeyLogWriter:       w,
            Rand:               rand{},
            InsecureSkipVerify: true,
        },
    },
}

convox / convox

Bad practice

Recommended

References