Usage of deprecated TLS version

• Rule ID: go_gosec_crypto_weak_tls_version
• Languages: go
• Source: weak_tls_version.yml

Description

TLS (Transport Layer Security) versions 1.0 and 1.1 have known vulnerabilities and using them introduces security risks to your application. These outdated TLS versions can lead to the interception and compromise of sensitive data during transmission.

Remediations

• Do enforce the use of TLS 1.3 when configuring Go's TLS library. TLS 1.3 offers significant security improvements, helping to protect data from known vulnerabilities present in older versions.

    cfg := &tls.Config{
      MinVersion:   tls.VersionTLS13,
      ...
    }

• Do utilize configurations that support Perfect Forward Secrecy (PFS) with TLS 1.3. PFS enhances security by ensuring that past communications remain secure even if future session keys are compromised.
• Do regularly update your Go version and dependencies to incorporate the latest security fixes and improvements.
• Do not configure your server to accept TLS versions 1.0 or 1.1. Removing these options from your TLS configuration is crucial to prevent downgrade attacks.

References

• IETF's Deprecation of TLS 1.0 and 1.1
• OWASP TLS Cheat Sheet
• Go crypto/tls package documentation

Associated CWE

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_weak_tls_version

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_weak_tls_version