Enforce secure TLS version

This product is not supported for your selected Datadog site. ().
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: kotlin-security/enforce-secure-tls

Language: Kotlin

Severity: Error

Category: Security

CWE: 757

Description

This rule enforces the use of secure Transport Layer Security (TLS) versions in Kotlin applications. TLS is a protocol that ensures privacy and data integrity between applications communicating over a network. Older versions of TLS, specifically versions 1.0 and 1.1, have known vulnerabilities and are no longer considered secure.

Failing to use a secure TLS version can expose sensitive information to attackers and compromise the security of your application. It’s crucial to ensure that your Kotlin application is configured to use a secure TLS version.

To adhere to this rule, always use TLS version 1.2 or 1.3 in your Kotlin code. For example, when using the OkHttpClient library, you can specify the TLS version by using the ConnectionSpec.MODERN_TLS or by manually setting the SSLContext to TLSv1.2 or TLSv1.3. Avoid using ConnectionSpec.COMPATIBLE_TLS, which allows for the use of insecure TLS versions.

Non-Compliant Code Examples

import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient

val client = OkHttpClient.Builder()
    .connectionSpecs(listOf(ConnectionSpec.COMPATIBLE_TLS))  // Insecure: allows older versions
    .build()

import javax.net.ssl.SSLContext

// Weak TLS versions
val sslContext1 = SSLContext.getInstance("TLSv1")      // Insecure
val sslContext2 = SSLContext.getInstance("TLSv1.1")    // Insecure
val sslContext3 = SSLContext.getInstance("SSLv3")      // Insecure

// Weak configuration in OkHttpClient
val client = OkHttpClient.Builder()
    .sslSocketFactory(sslContext1.socketFactory)       // Noncompliant
    .build()

Compliant Code Examples

import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient

val client = OkHttpClient.Builder()
    .connectionSpecs(listOf(ConnectionSpec.MODERN_TLS))  // Enforces TLS 1.2+
    .build()

import javax.net.ssl.SSLContext

// Use TLS 1.2 or 1.3
val sslContext = SSLContext.getInstance("TLSv1.2")  // TLSv1.3 also acceptable

// Configure OkHttpClient with strong TLS
val client = OkHttpClient.Builder()
    .sslSocketFactory(sslContext.socketFactory)
    .build()
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

원활한 통합. Datadog Code Security를 경험해 보세요

Datadog Code Security