Older versions of the SSL/TLS protocol, such as "SSLv3", have been proven to be insecure.
This rule raises an issue when an SSL/TLS version is configured at application level with an insecure version (i.e., a protocol other than "TLSv1.2" or "TLSv1.3").
No issue is raised when the choice of the SSL/TLS version relies on the OS configuration. Be aware that the latest versions of Windows 10 and Windows Server 2016 have TLSv1.0 and TLSv1.1 enabled by default. Administrators can configure the OS to enforce a TLSv1.2 minimum by updating registry settings or by applying a group policy.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; // Noncompliant; legacy version TLSv1 is enabled
For System.Net.Http.HttpClient
new HttpClientHandler
{
SslProtocols = SslProtocols.Tls // Noncompliant; legacy version TLSv1 is enabled
};
ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault; // Compliant; choice of the SSL/TLS versions relies on the OS configuration
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13; // Compliant
For System.Net.Http.HttpClient
new HttpClientHandler
{
SslProtocols = SslProtocols.Tls12 // Compliant
};
new HttpClientHandler
{
SslProtocols = SslProtocols.None // Compliant; choice of the TLS versions relies on the OS configuration
};
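As an added example (not code from the rule or from the .NET framework), the following hypothetical C# helper audits the two configuration points the rule covers, reporting any legacy version that has been explicitly enabled, and builds a handler restricted to the versions the rule accepts. The class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Authentication;

// Hypothetical audit helper: not part of the rule or of the .NET framework.
public static class TlsPolicyCheck
{
    // Versions the rule flags when they are pinned at application level.
    private static readonly SslProtocols[] LegacyHandlerProtocols =
        { SslProtocols.Ssl3, SslProtocols.Tls, SslProtocols.Tls11 };

    private static readonly SecurityProtocolType[] LegacyServicePointProtocols =
        { SecurityProtocolType.Ssl3, SecurityProtocolType.Tls, SecurityProtocolType.Tls11 };

    // Legacy versions enabled on an HttpClientHandler. SslProtocols.None is
    // compliant because the OS configuration then decides, so nothing is reported.
    public static IList<string> LegacyVersionsEnabled(SslProtocols configured)
    {
        var found = new List<string>();
        foreach (var p in LegacyHandlerProtocols)
            if ((configured & p) == p) found.Add(p.ToString());
        return found;
    }

    // Same check for the process-wide ServicePointManager setting;
    // SecurityProtocolType.SystemDefault (value 0) is compliant.
    public static IList<string> LegacyVersionsEnabled(SecurityProtocolType configured)
    {
        var found = new List<string>();
        foreach (var p in LegacyServicePointProtocols)
            if ((configured & p) == p) found.Add(p.ToString());
        return found;
    }

    // Handler pinned to TLSv1.2 and TLSv1.3 only; use SslProtocols.None instead
    // when the OS policy already enforces a TLSv1.2 minimum.
    public static HttpClientHandler CreateHardenedHandler() =>
        new HttpClientHandler { SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13 };

    public static void Main()
    {
        // Constructed sample: the rule's noncompliant and compliant settings side by side.
        Console.WriteLine(string.Join(",", LegacyVersionsEnabled(SecurityProtocolType.Tls)));
        Console.WriteLine(string.Join(",", LegacyVersionsEnabled(CreateHardenedHandler().SslProtocols)));
    }
}
```

Calling the checks once at startup on `ServicePointManager.SecurityProtocol` and on every handler the application constructs gives a runtime guard that mirrors what the rule detects statically.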