TLS Configuration Server Defaults
Description
Sensitive data must be protected when it is transmitted through the network. HTTP is a clear-text protocol and it is normally secured via an SSL/TLS tunnel, resulting in HTTPS traffic. The use of this protocol ensures not only confidentiality, but also authentication. Servers are authenticated using digital certificates and it is also possible to use client certificate for mutual authentication. A vulnerability occurs if the HTTP protocol is used to transmit sensitive information (e.g. credentials transmitted over HTTP). When the SSL/TLS service is present it is good but it increments the attack surface and the following vulnerabilities exist:
- SSL/TLS protocols, ciphers, keys and renegotiation must be properly configured.
- Certificate validity must be ensured.
Remediation
Check your server's default TLS configuration to protect your server, check your certificates expiraiton dates and renew them if needed. You can use mozilla's SSL Configuration Generator to generate a new SSL configuration. You can also consult RFC 9325 or mozilla's TLS recommendations for more details on how to configure a secure TLS configuration.
Configuration
Identifier:
protocol/tls_configuration_server_default
Examples
Ignore this check
checks:
protocol/tls_configuration_server_default:
skip: true
Score
- Escape Severity: MEDIUM
Compliance
OWASP: API8:2023
pci: 4.1
gdpr: Article-32
soc2: CC6
psd2: Article-95
iso27001: A.10.1
nist: SP800-52
fedramp: SC-8
Classification
- CWE: 319
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- CVSS_SCORE: 5.3