boost::asio TLS settings misconfigurationP
ID: cpp/boost/tls-settings-misconfiguration
Kind: problem
Security severity: 7.5
Severity: error
Precision: medium
Tags:
- security
- external/cwe/cwe-326
Query suites:
- cpp-security-extended.qls
- cpp-security-and-quality.qls
Kind: problem
Security severity: 7.5
Severity: error
Precision: medium
Tags:
- security
- external/cwe/cwe-326
Query suites:
- cpp-security-extended.qls
- cpp-security-and-quality.qls
Click to see the query in the CodeQL repository
Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols may expose the software to known vulnerabilities or permit weak encryption algorithms to be used. Disabling the minimum-recommended protocols is also flagged.
RecommendationP
When using the TLS or SSLv23 protocol, set the no_tlsv1 and no_tlsv1_1 options, but do not set no_tlsv1_2. When using the SSLv23 protocol, also set the no_sslv3 option.
ExampleP
In the following example, the no_tlsv1_1 option has not been set. Use of TLS 1.1 is not recommended.
void useTLS_bad()
{
boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
ctx.set_options(boost::asio::ssl::context::no_tlsv1); // BAD: missing no_tlsv1_1
// ...
}
{
boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
ctx.set_options(boost::asio::ssl::context::no_tlsv1); // BAD: missing no_tlsv1_1
// ...
}
In the corrected example, the no_tlsv1 and no_tlsv1_1 options have both been set, ensuring the use of TLS 1.2 or later.
void useTLS_good()
{
boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); // GOOD
// ...
}
{
boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); // GOOD
// ...
}
ReferencesP
Common Weakness Enumeration: CWE-326.