Skip to main content

TLS Protocol Configuration

Description

Sensitive data must be protected when it is transmitted through the network. HTTP is a clear-text protocol and it is normally secured via an SSL/TLS tunnel, resulting in HTTPS traffic. The use of this protocol ensures not only confidentiality, but also authentication. Servers are authenticated using digital certificates and it is also possible to use client certificate for mutual authentication. A vulnerability occurs if the HTTP protocol is used to transmit sensitive information (e.g. credentials transmitted over HTTP). When the SSL/TLS service is present it is good but it increments the attack surface and the following vulnerabilities exist:

  • SSL/TLS protocols, ciphers, keys and renegotiation must be properly configured.
  • Certificate validity must be ensured.

Remediation

Check your TLS configuration to prevent severe cipher key exchange weaknesses. You can use mozilla's SSL Configuration Generator to generate a new SSL configuration. You can also consult RFC 9325 or mozilla's TLS recommendations for more details on how to configure a secure TLS configuration.

Configuration

Identifier: protocol/tls_configuration_key

Examples

Ignore this check

checks:
protocol/tls_configuration_key:
skip: true

Score

  • Escape Severity: HIGH

Compliance

  • OWASP: API8:2023

  • pci: 4.1

  • gdpr: Article-32

  • soc2: CC6

  • psd2: Article-95

  • iso27001: A.10.1

  • nist: SP800-52

  • fedramp: SC-17

Classification

  • CWE: 319

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • CVSS_SCORE: 7.5

References