Insecure TLS configuration

ID: swift/insecure-tls
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-757
Query suites:
   - swift-code-scanning.qls
   - swift-security-extended.qls
   - swift-security-and-quality.qls


TLS versions 1.0 and 1.1 are known to be vulnerable.

Recommendation

Use tls_protocol_version_t.TLSv12 or tls_protocol_version_t.TLSv13 when configuring URLSession.

Example

Specify a newer tls_protocol_version_t explicitly, or omit the setting completely, since the OS will use secure defaults.

```swift
import Foundation

// Option 1: set the minimum TLS version explicitly
func createURLSession() -> URLSession {
    let config = URLSessionConfiguration.default
    config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv13
    return URLSession(configuration: config)
}

// Option 2 (an alternative to option 1, not an addition to it):
// use the secure OS defaults
func createURLSession() -> URLSession {
    let config = URLSessionConfiguration.default
    return URLSession(configuration: config)
}
```
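The following is an added example, not part of the CodeQL documentation or the query itself. It shows a deprecated version reaching the configuration from a value defined elsewhere, next to a helper that turns an application setting into a protocol version and rejects TLS 1.0 and 1.1. The names `TLSSettingError`, `legacyMinimum`, `createLegacySession`, `minimumTLSVersion(fromSetting:)` and the `minimumTLSSetting` parameter are hypothetical, and the code assumes a deployment target of iOS 13 or macOS 10.15 or later.

```swift
import Foundation
import Security

// Hypothetical error type for rejected settings.
enum TLSSettingError: Error {
    case deprecatedVersion(String)
    case unknownVersion(String)
}

// BAD (constructed): the deprecated version is defined away from the
// assignment, but it still ends up as the session's minimum.
let legacyMinimum = tls_protocol_version_t.TLSv10

func createLegacySession() -> URLSession {
    let config = URLSessionConfiguration.default
    config.tlsMinimumSupportedProtocolVersion = legacyMinimum
    return URLSession(configuration: config)
}

// GOOD: hypothetical helper that maps an app setting such as "1.2" to a
// protocol version and refuses TLS 1.0 and 1.1 instead of passing them on.
func minimumTLSVersion(fromSetting setting: String) throws -> tls_protocol_version_t {
    switch setting.trimmingCharacters(in: .whitespaces) {
    case "1.3":
        return .TLSv13
    case "1.2":
        return .TLSv12
    case "1.0", "1.1":
        throw TLSSettingError.deprecatedVersion(setting)
    default:
        throw TLSSettingError.unknownVersion(setting)
    }
}

// A nil setting leaves the property untouched, so the OS defaults apply.
func createURLSession(minimumTLSSetting: String?) throws -> URLSession {
    let config = URLSessionConfiguration.default
    if let setting = minimumTLSSetting {
        config.tlsMinimumSupportedProtocolVersion = try minimumTLSVersion(fromSetting: setting)
    }
    return URLSession(configuration: config)
}
```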
