Missing TLS MinVersion

Description

Older versions of TLS (Transport Layer Security) have been deprecated because of known security issues. To enhance security, it is crucial to specify the highest possible minimum version of TLS that your server will accept.

Remediations

  • Do set MinVersion in the tls.Config struct to tls.VersionTLS13. This ensures your server only accepts connections using the most secure, up-to-date version of TLS.
    cfg := &tls.Config{
        MinVersion: tls.VersionTLS13, // reject any client offering less than TLS 1.3
    }
  • Do configure MinVersion to the highest possible supported version of TLS for legacy applications that cannot use TLS 1.3. This step is essential for maintaining security while ensuring compatibility.
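
The following Go program is an added example, not code from the rule page or from Bearer: it builds a server tls.Config under both remediations above (strict TLS 1.3, or TLS 1.2 for legacy clients), checks a config the way this rule does (MinVersion must be set explicitly and must not be a deprecated version), and then proves the setting on a loopback listener with a throwaway self-signed certificate: a client capped at TLS 1.2 is refused by the strict config and accepted by the legacy one. The helper names (ServerTLSConfig, CheckMinVersion, HandshakeSucceeds, selfSignedCert) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerTLSConfig returns the config a server should use. It enforces TLS 1.3
// unless allowLegacy is set, in which case it falls back to TLS 1.2, the
// highest version still acceptable for clients that cannot negotiate 1.3.
func ServerTLSConfig(cert tls.Certificate, allowLegacy bool) *tls.Config {
	minVersion := uint16(tls.VersionTLS13)
	if allowLegacy {
		minVersion = tls.VersionTLS12
	}
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion,
	}
}

// CheckMinVersion mirrors the rule's intent: MinVersion must be set explicitly
// (zero means "package default", which is not a deliberate choice) and must
// not be one of the deprecated versions below TLS 1.2.
func CheckMinVersion(cfg *tls.Config) error {
	switch {
	case cfg == nil:
		return errors.New("nil tls.Config")
	case cfg.MinVersion == 0:
		return errors.New("MinVersion not set; package default applies")
	case cfg.MinVersion < tls.VersionTLS12:
		return fmt.Errorf("MinVersion 0x%04x is a deprecated TLS version", cfg.MinVersion)
	}
	return nil
}

// selfSignedCert creates a throwaway certificate for the loopback demo only.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// HandshakeSucceeds serves srvCfg on a loopback port and reports whether a
// client that offers at most clientMax completes the handshake. A dial error
// is treated as a policy rejection; only listener setup failures are returned.
func HandshakeSucceeds(srvCfg *tls.Config, clientMax uint16) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		_ = c.(*tls.Conn).Handshake() // drive the server side, then hang up
		c.Close()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify: true, // demo-only: the cert above is self-signed
		MaxVersion:         clientMax,
	})
	if err != nil {
		return false, nil
	}
	cli.Close()
	return true, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	strict := ServerTLSConfig(cert, false)
	fmt.Println("strict config passes check:", CheckMinVersion(strict) == nil)
	fmt.Println("unset MinVersion passes check:", CheckMinVersion(&tls.Config{}) == nil)
	ok, _ := HandshakeSucceeds(strict, tls.VersionTLS12)
	fmt.Println("TLS 1.2 client accepted by strict server:", ok)
	ok, _ = HandshakeSucceeds(ServerTLSConfig(cert, true), tls.VersionTLS12)
	fmt.Println("TLS 1.2 client accepted by legacy server:", ok)
}
```

Run it with go run; the two boolean lines at the end show the strict config turning a TLS 1.2 client away while the legacy config lets it through, which is exactly the difference the two remediations describe.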

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_lang_missing_tls_minversion

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_lang_missing_tls_minversion