javax.net.ssl.SSLContext.getInstance returns an SSLContext object that implements the specified secure socket protocol. However, not all protocols are created equal, and some legacy ones, like "SSL", have been proven to be insecure.

This rule raises an issue when an SSLContext is created with an insecure protocol (i.e. a protocol other than "TLSv1.2" or "DTLSv1.2").

Note that calling SSLContext.getInstance(...) with "TLSv1.2" or "DTLSv1.2" doesn't prevent protocol version negotiation. For example, if a client connects with "TLSv1.1" and the server used SSLContext.getInstance("TLSv1.2"), the connection will use "TLSv1.1". It is possible to enable only specific protocol versions by calling setEnabledProtocols on SSLSocket, SSLServerSocket or SSLEngine. However, this should rarely be needed, as clients usually ask for the most secure protocol supported.

Noncompliant Code Example

SSLContext context = SSLContext.getInstance("SSL"); // Noncompliant

Compliant Solution

SSLContext context = SSLContext.getInstance("TLSv1.2");
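The note above says that getInstance("TLSv1.2") alone does not stop the JSSE from negotiating an older version; the added example below (not part of the rule's own code) shows the compliant context combined with setEnabledProtocols on an SSLEngine, and a small check that confirms only the intended versions remain enabled. The class name, the ALLOWED array and the use of the default key and trust managers are assumptions made for this example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class TlsProtocolPinning {
    // Protocol versions we actually want to negotiate (constructed for this example).
    static final String[] ALLOWED = { "TLSv1.2" };

    // Compliant context plus an explicit protocol restriction on the engine.
    public static SSLEngine restrictedEngine()
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext context = SSLContext.getInstance("TLSv1.2"); // Compliant
        // Assumption: default key/trust managers are acceptable here.
        context.init(null, null, null);
        SSLEngine engine = context.createSSLEngine();
        // getInstance("TLSv1.2") does not by itself remove older versions from the
        // enabled set; setEnabledProtocols is what actually pins the negotiation.
        engine.setEnabledProtocols(ALLOWED);
        return engine;
    }

    // Check: true only if every enabled protocol is in the allowed list.
    public static boolean enabledOnly(SSLEngine engine, String... allowed) {
        Set<String> ok = new HashSet<>(Arrays.asList(allowed));
        for (String p : engine.getEnabledProtocols()) {
            if (!ok.contains(p)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = restrictedEngine();
        System.out.println("Supported by JSSE: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("Enabled on engine: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("Pinned to TLSv1.2: " + enabledOnly(engine, ALLOWED));
    }
}
```

The same setEnabledProtocols call applies to an SSLSocket or SSLServerSocket obtained from the context's socket factories.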

See