GSC-G402 · Potentially bad TLS connection settings

Potentially bad TLS connection settings GSC-G402

Security

Major

6 months ago — 2 years old

a05 a02 cwe-295 sans top 25 owasp top 10

TLS InsecureSkipVerify may be true.

205		return nil
206	}
207	return &tls.Config{
208		InsecureSkipVerify: cfg.AllowInsecureConnections,209		RootCAs:            loadCertPool(cfg.DisableSystemCaPool, cfg.CaCerts, logger),
210		MinVersion:         parseTLSVersion(cfg.MinVersion),
211		MaxVersion:         parseTLSVersion(cfg.MaxVersion),

TLS MinVersion too low.

transport/http/server/server.go

175		logger = logging.NoOp
176	}
177
178	tlsConfig := &tls.Config{179		MinVersion:       parseTLSVersion(cfg.MinVersion),
180		MaxVersion:       parseTLSVersion(cfg.MaxVersion),
181		CurvePreferences: parseCurveIDs(cfg.CurvePreferences),

Description

Insecure configuration of TLS connection settings. Refer to the occurrence to understand the exact misconfiguration.

The following configurations are flagged by our systems:

InsecureSkipVerify set to true in TLS config -- https://golang.org/pkg/crypto/tls/#Config
MinVersion or MaxVersion too low.
Bad cipher suite used.

Refer to this compatibility document before making changes -- https://wiki.mozilla.org/Security/ServerSideTLS#Modern_compatibility

Bad practice

// Insecure minimum version
package main

import "crypto/tls"

func main() {
    config := &tls.Config{MinVersion: 0}
    ...
}

package main

import "crypto/tls"

func saferTLSConfig() {
    config := &tls.Config{}
    config.MinVersion = tls.VersionTLS12
    config.MaxVersion = tls.VersionTLS13
    // (or)
    config.MaxVersion = 0 // GOOD: Setting MaxVersion to 0 means that the highest version available in the package will be used.
}

luraproject / lura

Bad practice

Recommended

References