The analyzer has detected that the application uses legacy versions of the SSL/TLS protocol. This can expose the application to attacks such as man-in-the-middle, BEAST, etc.
Issues related to the use of outdated protocols can fall into two OWASP Top 10 2021 categories:
Look at the following example:
private void createSocket() {
SSLContext sslContext;
try {
sslContext = SSLContext.getInstance("TLSv1"); // <=
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
try {
sslContext.init(null, null, new SecureRandom());
var socketFactory = sslContext.getSocketFactory();
var socket = (SSLSocket) socketFactory.createSocket();
// ....
socket.close();
} catch (KeyManagementException | IOException e) {
throw new RuntimeException(e);
}
}The code above contains the TLSv1 value that represents the 1.0 version of the TLS protocol. This version is outdated and not recommended because TLS 1.0 is vulnerable to a number of attacks, including the aforementioned BEAST.
Experts recommend using newer protocol versions, such as TLS 1.2:
private void createSocket() {
SSLContext sslContext;
try {
sslContext = SSLContext.getInstance("TLSv1.2");
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
try {
sslContext.init(null, null, new SecureRandom());
var socketFactory = sslContext.getSocketFactory();
var socket = (SSLSocket) socketFactory.createSocket();
// ....
socket.close();
} catch (KeyManagementException | IOException e) {
throw new RuntimeException(e);
}
}Protocol versions below TLS 1.2 are not recommended as they may cause security issues. These protocols include SSL 2.0 and 3.0, as well as TLS 1.0 and 1.1.
Usually, TLS is the most appropriate value, which allows the platform to choose the data transfer protocol. If for some reason the value does not fit, set the latest version available.