boost::asio TLS settings misconfiguration
ID: cpp/boost/tls-settings-misconfiguration
Kind: problem
Security severity: 7.5
Severity: error
Precision: medium
Tags:
- security
- external/cwe/cwe-326
Query suites:
- cpp-security-extended.qls
- cpp-security-and-quality.qls
Using the TLS or SSLv23 protocol from the boost::asio library without disabling the deprecated protocols may expose the software to known vulnerabilities or permit weak encryption algorithms to be used. Disabling the minimum recommended protocol (TLS 1.2) is also flagged.
Recommendation
When using the TLS or SSLv23 protocol, set the no_tlsv1 and no_tlsv1_1 options, but do not set no_tlsv1_2. When using the SSLv23 protocol, also set the no_sslv3 option.
Example
In the following example, the no_tlsv1_1 option has not been set. Use of TLS 1.1 is not recommended.
void useTLS_bad()
{
    boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
    ctx.set_options(boost::asio::ssl::context::no_tlsv1);
    // BAD: missing no_tlsv1_1
    // ...
}
In the corrected example, the no_tlsv1 and no_tlsv1_1 options have both been set, ensuring the use of TLS 1.2 or later.
void useTLS_good()
{
    boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
    ctx.set_options(boost::asio::ssl::context::no_tlsv1 |
                    boost::asio::ssl::context::no_tlsv1_1);
    // GOOD
    // ...
}
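The rule above, applied to several option sets, as an added audit example that is not part of the query or of Boost: the Method and Option enums are stand-ins for boost::asio::ssl::context's method and option constants so that the check compiles without Boost (the real option flags are a long bitmask aliasing OpenSSL's SSL_OP_NO_* values).

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-ins for boost::asio::ssl::context's method and option
// constants (boost::asio::ssl::context::tls, ::no_sslv3, ...), so this audit
// compiles without Boost. The bit values are arbitrary and only need to be
// distinct; they are not the real SSL_OP_NO_* values.
enum class Method { sslv23, tls };
enum Option : unsigned long {
    no_sslv3   = 1u << 0,
    no_tlsv1   = 1u << 1,
    no_tlsv1_1 = 1u << 2,
    no_tlsv1_2 = 1u << 3,
};

// Applies the query's recommendation to a (method, options) pair and returns
// one finding per violation; an empty vector means the configuration passes.
std::vector<std::string> audit_tls_options(Method method, unsigned long opts) {
    std::vector<std::string> findings;
    // Both methods must have the deprecated TLS 1.0 and 1.1 disabled.
    if (!(opts & no_tlsv1))   findings.push_back("missing no_tlsv1");
    if (!(opts & no_tlsv1_1)) findings.push_back("missing no_tlsv1_1");
    // SSLv23 also negotiates SSL 3.0 unless it is explicitly switched off.
    if (method == Method::sslv23 && !(opts & no_sslv3))
        findings.push_back("missing no_sslv3");
    // Disabling TLS 1.2 removes the minimum recommended protocol.
    if (opts & no_tlsv1_2) findings.push_back("no_tlsv1_2 must not be set");
    return findings;
}

// The page's "bad" context: tls method with only no_tlsv1 set.
std::vector<std::string> audit_useTLS_bad() {
    return audit_tls_options(Method::tls, no_tlsv1);
}

// The page's corrected context: tls method with no_tlsv1 | no_tlsv1_1.
std::vector<std::string> audit_useTLS_good() {
    return audit_tls_options(Method::tls, no_tlsv1 | no_tlsv1_1);
}

int main() {
    for (const auto& f : audit_useTLS_bad())
        std::cout << "useTLS_bad: " << f << '\n';
    std::cout << "useTLS_good findings: " << audit_useTLS_good().size() << '\n';
    return 0;
}
```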