GSC-G402 @ 53b9168 • superfly / flyctl

Run summary

a month ago

66e058d..53b9168

3 mins 33 s

Potentially bad TLS connection settings GSC-G402

Security

Major

1 occurrence in this check

a05 a02 cwe-295 sans top 25 owasp top 10

TLS MinVersion too low.

internal/build/imgsrc/docker.go

235		client := &http.Client{
236			Transport: &http.Transport{
237				DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
238					return tls.Dial("tcp", fmt.Sprintf("%s.fly.dev:443", builderApp.Name), &tls.Config{})239				},
240			},
241		}

Description

Insecure configuration of TLS connection settings. Refer to the occurrence to understand the exact misconfiguration.

The following configurations are flagged by our systems:

InsecureSkipVerify set to true in TLS config -- https://golang.org/pkg/crypto/tls/#Config
MinVersion or MaxVersion too low.
Bad cipher suite used.

Refer to this compatibility document before making changes -- https://wiki.mozilla.org/Security/ServerSideTLS#Modern_compatibility

Bad practice

// Insecure minimum version
package main

import "crypto/tls"

func main() {
    config := &tls.Config{MinVersion: 0}
    ...
}

package main

import "crypto/tls"

func saferTLSConfig() {
    config := &tls.Config{}
    config.MinVersion = tls.VersionTLS12
    config.MaxVersion = tls.VersionTLS13
    // (or)
    config.MaxVersion = 0 // GOOD: Setting MaxVersion to 0 means that the highest version available in the package will be used.
}

superfly / flyctl

Bad practice

Recommended

References