boost::asio TLS settings misconfiguration — CodeQL query help documentation CodeQL docs

CodeQL resources

boost::asio TLS settings misconfiguration¶

ID: cpp/boost/tls-settings-misconfiguration
Kind: problem
Security severity: 7.5
Severity: error
Precision: medium
Tags:
   - security
   - external/cwe/cwe-326
Query suites:
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols may expose the software to known vulnerabilities or permit weak encryption algorithms to be used. Disabling the minimum-recommended protocols is also flagged.

Recommendation¶

When using the TLS or SSLv23 protocol, set the no_tlsv1 and no_tlsv1_1 options, but do not set no_tlsv1_2. When using the SSLv23 protocol, also set the no_sslv3 option.

Example¶

In the following example, the no_tlsv1_1 option has not been set. Use of TLS 1.1 is not recommended.

void useTLS_bad()
{
	boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
	ctx.set_options(boost::asio::ssl::context::no_tlsv1); // BAD: missing no_tlsv1_1

	// ...
}

In the corrected example, the no_tlsv1 and no_tlsv1_1 options have both been set, ensuring the use of TLS 1.2 or later.

void useTLS_good()
{
	boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
	ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); // GOOD

	// ...
}

References¶

Boost.Asio documentation.
Common Weakness Enumeration: CWE-326.

© GitHub, Inc.
Terms
Privacy