Commit 3cd545d

CPP: Recommendation and example for TlsSettingsMisconfiguration.qhelp.
1 parent 794a3de commit 3cd545d

3 files changed

Lines changed: 27 additions & 0 deletions

cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qhelp

Lines changed: 11 additions & 0 deletions
@@ -6,6 +6,17 @@
66
<p>Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols may expose the software to known vulnerabilities or permit weak encryption algorithms to be used. Disabling the minimum-recommended protocols is also flagged.</p>
77
</overview>
88

9+
<recommendation>
10+
<p>When using the TLS or SSLv23 protocol, set the <code>SSL_OP_NO_TLSv1</code> and <code>SSL_OP_NO_TLSv1_1</code> options, but do not set <code>SSL_OP_NO_TLSv1_2</code>. When using the SSLv23 protocol, also set the <code>SSL_OP_NO_SSLv3</code> option.</p>
11+
</recommendation>
12+
13+
<example>
14+
<p>In the following example, the <code>no_tlsv1_1</code> option has not been set. Use of TLS 1.1 is not recommended.</p>
15+
<sample src="TlsSettingsMisconfigurationBad.cpp"/>
16+
<p>In the corrected example, the <code>no_tlsv1</code> and <code>no_tlsv1_1</code> options have both been set, ensuring the use of TLS 1.2 or later.</p>
17+
<sample src="TlsSettingsMisconfigurationGood.cpp"/>
18+
</example>
19+
920
<references>
1021
<li>
1122
<a href="https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio.html">Boost.Asio documentation</a>.
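Review bot: the recommendation names the OpenSSL flags `SSL_OP_NO_TLSv1`, `SSL_OP_NO_TLSv1_1`, `SSL_OP_NO_TLSv1_2` and `SSL_OP_NO_SSLv3`, while the example paragraphs and the sample files use the Boost.Asio names `no_tlsv1` and `no_tlsv1_1`, so a reader of the qhelp is not told that these are the same settings. Suggest either naming the `boost::asio::ssl::context` options in the recommendation (`no_sslv3`, `no_tlsv1`, `no_tlsv1_1`, and leaving `no_tlsv1_2` unset) or adding one sentence saying that these options correspond to the `SSL_OP_NO_*` flags, so the recommendation and the example share one vocabulary.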
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
2+
void useTLS_bad()
3+
{
4+
boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
5+
ctx.set_options(boost::asio::ssl::context::no_tlsv1); // BAD: missing no_tlsv1_1
6+
7+
// ...
8+
}
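Review bot: line 1 of the new sample is blank and the file has no `#include <boost/asio/ssl.hpp>`, so `boost::asio::ssl::context` is undeclared and the snippet does not build on its own; suggest putting that include in place of the leading blank line (the good sample has the same gap). The `// BAD: missing no_tlsv1_1` comment matches the qhelp example text, which is the right level of detail for a sample.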
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
2+
void useTLS_good()
3+
{
4+
boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
5+
ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); // GOOD
6+
7+
// ...
8+
}
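Review bot: the `// GOOD` comment on line 5 gives no reason, whereas the bad sample's comment names the missing option; suggest `// GOOD: no_tlsv1 and no_tlsv1_1 set, only TLS 1.2 or later can be negotiated` so the sample states the same point as the qhelp sentence it illustrates. As with the bad sample, the leading blank line could carry the `#include <boost/asio/ssl.hpp>` the snippet needs to compile.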
