TLS Configuration
Description
Sensitive data must be protected when it is transmitted through the network. HTTP is a clear-text protocol and it is normally secured via an SSL/TLS tunnel, resulting in HTTPS traffic. The use of this protocol ensures not only confidentiality, but also authentication. Servers are authenticated using digital certificates and it is also possible to use client certificate for mutual authentication. A vulnerability occurs if the HTTP protocol is used to transmit sensitive information (e.g. credentials transmitted over HTTP). When the SSL/TLS service is present it is good but it increments the attack surface and the following vulnerabilities exist:
- SSL/TLS protocols, ciphers, keys and renegotiation must be properly configured.
- Certificate validity must be ensured.
Remediation
Check your TLS configuration to prevent severe cipher key exchange weaknesses. You can use mozilla's SSL Configuration Generator to generate a new SSL configuration. You can also consult RFC 9325 or mozilla's TLS recommendations for more details on how to configure a secure TLS configuration.
Configuration
Identifier:
protocol/tls_configuration_key
Examples
Ignore this check
checks:
protocol/tls_configuration_key:
skip: true
Score
- Escape Severity: HIGH
Compliance
OWASP: API8:2023
pci: 4.1
gdpr: Article-32
soc2: CC6
psd2: Article-95
iso27001: A.10.1
nist: SP800-52
fedramp: SC-17
Classification
- CWE: 319
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- CVSS_SCORE: 7.5