Go

Made by DeepSource

Potentially bad TLS connection settings GSC-G402

Category: Security
Severity: Major
Tags: A05, A02, CWE-295, SANS Top 25, OWASP Top 10

The TLS connection settings are configured insecurely. Refer to the flagged occurrence to see which of the misconfigurations below applies.

The following configurations are flagged by our systems:

  • InsecureSkipVerify set to true in the TLS config, which disables verification of the peer's certificate and leaves the connection open to man-in-the-middle attacks -- https://golang.org/pkg/crypto/tls/#Config
  • MinVersion or MaxVersion set below TLS 1.2 (a MinVersion of 0 means "package default", and that default has been TLS 1.0 for servers in older Go releases).
  • A cipher suite that crypto/tls itself lists as insecure (see tls.InsecureCipherSuites), such as the RC4 suites.

Refer to this compatibility document before making changes -- https://wiki.mozilla.org/Security/ServerSideTLS#Modern_compatibility
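The following is an added example, not DeepSource's analyzer and not code from the Go project: it checks a tls.Config at runtime for the same three conditions the rule flags, and builds a hardened config that passes the check. The function names auditTLSConfig and hardenedTLSConfig and the weak sample config are this example's own.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// auditTLSConfig reports the GSC-G402 misconfigurations present in cfg.
// Added example: the checks mirror the rule's list, they are not the
// analyzer's implementation.
func auditTLSConfig(cfg *tls.Config) []string {
	var findings []string

	// 1. Certificate verification disabled.
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is true: peer certificate is not verified")
	}

	// 2. Protocol version floor/ceiling below TLS 1.2.
	// MinVersion 0 defers to the package default, which has differed between
	// Go releases (TLS 1.0 for servers before Go 1.22), so require an explicit floor.
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion is unset (0): floor is the Go-version-dependent package default")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion))
	}
	// MaxVersion 0 means "highest supported", which is fine; only a low explicit cap is a problem.
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf("MaxVersion 0x%04x caps negotiation below TLS 1.2", cfg.MaxVersion))
	}

	// 3. Cipher suites the standard library itself marks insecure.
	insecure := make(map[uint16]string)
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = cs.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			findings = append(findings, "insecure cipher suite: "+name)
		}
	}
	return findings
}

// hardenedTLSConfig returns a config that satisfies all three checks:
// explicit TLS 1.2 floor, MaxVersion left at 0 (highest available), and only
// the suites crypto/tls considers secure. TLS 1.3 ignores CipherSuites
// entirely, so the list only constrains TLS 1.2 connections.
func hardenedTLSConfig() *tls.Config {
	var suites []uint16
	for _, cs := range tls.CipherSuites() {
		suites = append(suites, cs.ID)
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: suites,
	}
}

func main() {
	// Constructed sample: a config with all three misconfigurations at once.
	weak := &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
	}
	for _, f := range auditTLSConfig(weak) {
		fmt.Println("weak:", f)
	}
	fmt.Println("hardened findings:", auditTLSConfig(hardenedTLSConfig()))
}
```

The audit deliberately treats MinVersion == 0 as a finding rather than trusting the package default, because the default is a property of the Go toolchain the binary happens to be built with, not of the code under review.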

Bad practice

// Insecure minimum version
package main

import (
    "crypto/tls"
    "fmt"
)

func main() {
    // MinVersion 0 means "use the package default". The floor then depends on
    // the Go toolchain (TLS 1.0 for servers before Go 1.22) instead of on the
    // code, which is what GSC-G402 flags.
    config := &tls.Config{MinVersion: 0}
    fmt.Printf("MinVersion: 0x%04x\n", config.MinVersion)
}

Recommended

package main

import "crypto/tls"

func saferTLSConfig() *tls.Config {
    config := &tls.Config{}
    config.MinVersion = tls.VersionTLS12
    // Either cap negotiation explicitly at TLS 1.3 ...
    config.MaxVersion = tls.VersionTLS13
    // ... or leave MaxVersion at 0 (the default), in which case the highest
    // version the package supports is used and no edit is needed when a
    // newer TLS version ships. The latter is preferred unless you must pin the ceiling.
    config.MaxVersion = 0
    return config
}

func main() {
    _ = saferTLSConfig()
}

References