Use of deprecated TLS version

• Rule ID: go_gosec_crypto_weak_tls_version
• Languages: go
• Source: weak_tls_version.yml

Description

TLS (Transport Layer Security) versions 1.1 and 1.0 have been deprecated due to known security vulnerabilities that can expose sensitive data to interception and attacks. Using these versions can put data transmissions at risk.

Remediations

To ensure secure data transmission, you should enforce the use of TLS 1.3, which includes security enhancements over its predecessors. The following steps can be taken:

✅ Enforce TLS 1.3

Update your server configuration to support and prefer TLS 1.3, which includes modern security features and mitigates known vulnerabilities found in older versions.

✅ Configure Go’s TLS Library

Set MinVersion in the tls.Config struct to tls.VersionTLS13 to ensure that the server only accepts TLS 1.3 connections.

import (
  "crypto/tls"
  "log"
  "net/http"
  "time"
)

func main() {
  cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
  if err != nil {
    log.Fatalf("failed to load key pair: %s", err)
  }

  cfg := &tls.Config{
    Certificates: []tls.Certificate{cert},
    MinVersion:   tls.VersionTLS13, // Enforce TLS 1.3
  }

  srv := &http.Server{
    Addr:         ":8999", // Listen on port 8999
    TLSConfig:    cfg,
    ReadTimeout:  time.Minute,
    WriteTimeout: time.Minute,
  }

  log.Printf("Server is starting...")
  log.Fatal(srv.ListenAndServeTLS("", "")) // TLS cert and key are already provided in the TLSConfig
}

✅ Perfect Forward Secrecy (PFS)

TLS 1.3 configurations ensure PFS by default, which protects past communications even if future session keys are compromised.

✅ Regularly Update Dependencies

Keep your Go version and dependencies up-to-date to benefit from the latest security fixes and improvements.

❌ Do Not Use Deprecated TLS Versions

Avoid configuring your server to accept TLS 1.0 or 1.1. Remove these options from your TLS configuration to prevent downgrade attacks.

Resources

• IETF's Deprecation of TLS 1.0 and 1.1
• OWASP TLS Cheat Sheet
• Go crypto/tls package documentation

Associated CWE

• CWE-310:

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_weak_tls_version

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_weak_tls_version