boost::asio TLS settings misconfiguration¶
ID: cpp/boost/tls-settings-misconfiguration Kind: problem Security severity: 7.5 Severity: error Precision: medium Tags: - security - external/cwe/cwe-326 Query suites: - cpp-security-extended.qls - cpp-security-and-quality.qls Click to see the query in the CodeQL repository
Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols may expose the software to known vulnerabilities or permit weak encryption algorithms to be used. Disabling the minimum-recommended protocols is also flagged.
Recommendation¶
When using the TLS or SSLv23 protocol, set the no_tlsv1 and no_tlsv1_1 options, but do not set no_tlsv1_2. When using the SSLv23 protocol, also set the no_sslv3 option.
Example¶
In the following example, the no_tlsv1_1 option has not been set. Use of TLS 1.1 is not recommended.
void useTLS_bad() { boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); ctx.set_options(boost::asio::ssl::context::no_tlsv1); // BAD: missing no_tlsv1_1 // ... } In the corrected example, the no_tlsv1 and no_tlsv1_1 options have both been set, ensuring the use of TLS 1.2 or later.
void useTLS_good() { boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); // GOOD // ... } References¶
Common Weakness Enumeration: CWE-326.