This rule raises an issue when an insecure TLS protocol version is used (ie: a protocol different from "TLSv1.2", "TLSv1.3", "DTLSv1.2" or "DTLSv1.3").
secureProtocol, minVersion/maxVersion and secureOptions should not be set to use weak TLS
protocols (TLSv1.1 and lower):
let options = {
secureProtocol: 'TLSv1_method' // Noncompliant: TLS1.0 is insecure
};
let options = {
minVersion: 'TLSv1.1', // Noncompliant: TLS1.1 is insecure
maxVersion: 'TLSv1.2'
};
let options = {
secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1
}; // Noncompliant TLS 1.1 (constants.SSL_OP_NO_TLSv1_1) is not disabled
https built-in module:
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Noncompliant
tls built-in module:
let socket = tls.connect(443, "www.example.com", options, () => { }); // Noncompliant
request module:
let socket = request.get(options);
Set either secureProtocol or secureOptions or minVersion to use secure protocols only (TLSv1.2 and
higher):
let options = {
secureProtocol: 'TLSv1_2_method'
};
// or
let options = {
secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1
};
// or
let options = {
minVersion: 'TLSv1.2'
};
https built-in module:
let req = https.request(options, (res) => {
res.on('data', (d) => {
process.stdout.write(d);
});
}); // Compliant
tls built-in module:
let socket = tls.connect(443, "www.example.com", options, () => { });
request module:
let socket = request.get(options);