Use of a broken or risky cryptographic algorithm
- Rule ID: go_gosec_crypto_bad_tls_settings
- Languages: go
- Source: bad_tls_settings.yml
A security concern arises when a cryptographically insecure cipher suite is used in an application. Such cipher suites may be vulnerable to various types of attacks, reducing the security of the communication channel.
To enhance the security of TLS connections, it is crucial to use up-to-date and secure cipher suites and protocols. Here are the recommended steps to ensure the use of secure ciphers:
✅ Use Modern, Secure Cipher Suites
Select cipher suites that are known to be secure and have properties such as Perfect Forward Secrecy (PFS), which protects past communications even if future private keys are compromised.
✅ Adopt TLS 1.3 Where Possible
TLS 1.3 should be the preferred protocol as it includes improvements over previous versions, making it more secure against various attacks. Go's standard library will automatically prefer the most secure protocol and cipher suite available during the TLS handshake.
✅ Configure TLS Properly If Using TLS 1.0-1.2
In cases where TLS 1.3 is not an option and you must use TLS 1.0-1.2, ensure to configure the cipher suites to use those that support PFS, as listed below.
❌ Avoid Using Obsolete or Insecure Cipher Suites
Avoid any cipher suites that do not support modern security standards, including those without PFS or with known vulnerabilities.
The provided Go code examples demonstrate how to configure the
tls.Config struct for a Go server to use TLS 1.3 or to specify a list of secure cipher suites when using TLS 1.0-1.2.
- Mozilla's SSL Configuration Generator
- OWASP TLS Cipher String Cheat Sheet
- RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3
OWASP Top 10
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_bad_tls_settings
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_bad_tls_settings
Ready to take the next step? Learn more about Bearer Cloud.