This rule raises an issue when an insecure TLS protocol version (i.e. a protocol different from "TLSv1.2", "TLSv1.3", "DTLSv1.2", or "DTLSv1.3") is used or allowed.
It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the door to downgrade attacks: a malicious actor who is able to intercept the connection could modify the requested protocol version and downgrade it to a less secure version.
secureProtocol, minVersion/maxVersion and secureOptions should not be set to use weak TLS
protocols (TLSv1.1 and lower):
let options = {
secureProtocol: 'TLSv1_method' // Noncompliant: TLS1.0 is insecure
};
let options = {
minVersion: 'TLSv1.1', // Noncompliant: TLS1.1 is insecure
maxVersion: 'TLSv1.2'
};
let options = {
secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1
}; // Noncompliant TLS 1.1 (constants.SSL_OP_NO_TLSv1_1) is not disabled
https built-in module:
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Noncompliant
tls built-in module:
let socket = tls.connect(443, "www.example.com", options, () => { }); // Noncompliant
request module:
let socket = request.get(options);
Set either secureProtocol or secureOptions or minVersion to use secure protocols only (TLSv1.2 and
higher):
let options = {
secureProtocol: 'TLSv1_2_method'
};
// or
let options = {
secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1
};
// or
let options = {
minVersion: 'TLSv1.2'
};
https built-in module:
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Compliant
tls built-in module:
let socket = tls.connect(443, "www.example.com", options, () => { });
request module:
let socket = request.get(options);