TLS InsecureSkipVerify may be true.
70 MinVersion: minTLSVersion,
71 MaxVersion: maxTLSVersion,
72 ServerName: serverTLSConfig.ServerName,
73 InsecureSkipVerify: serverTLSConfig.InsecureSkipVerify,
74 CurvePreferences: curves,
75 CipherSuites: ciphers,
76 ClientAuth: clientAuth,
TLS InsecureSkipVerify may be true.
156 MinVersion: minTLSVersion,
157 MaxVersion: maxTLSVersion,
158 ServerName: serverTLSConfig.ServerName,
159 InsecureSkipVerify: serverTLSConfig.InsecureSkipVerify,
160 CurvePreferences: curves,
161 CipherSuites: ciphers,
162 }
Description
Insecure configuration of TLS connection settings. Refer to the occurrence to understand the exact misconfiguration.
The following configurations are flagged by our systems:
- InsecureSkipVerify set to true in TLS config -- https://golang.org/pkg/crypto/tls/#Config
- MinVersion or MaxVersion too low.
- Bad cipher suite used.
Refer to this compatibility document before making changes -- https://wiki.mozilla.org/Security/ServerSideTLS#Modern_compatibility
Bad practice
// Insecure minimum version
package main

import "crypto/tls"

func main() {
	// MinVersion 0 leaves the protocol floor to the package default instead of
	// pinning it here, so older TLS versions may be negotiated.
	config := &tls.Config{MinVersion: 0}
	_ = config // ... (use of config elided in the original)
}
Recommended
package main

import "crypto/tls"

// saferTLSConfig returns a config with an explicit TLS 1.2 floor.
func saferTLSConfig() *tls.Config {
	config := &tls.Config{}
	config.MinVersion = tls.VersionTLS12
	config.MaxVersion = tls.VersionTLS13
	// (or)
	// config.MaxVersion = 0 // GOOD: Setting MaxVersion to 0 means that the highest version available in the package will be used.
	return config
}
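The description lists three things the scanner flags: InsecureSkipVerify set to true, a MinVersion or MaxVersion below TLS 1.2, and a weak cipher suite. The Go program below is an added example, not code from the scanner or from the scanned project: it implements those same checks as a function over a tls.Config (using the crypto/tls package's own tls.InsecureCipherSuites list for the cipher check) and builds a client config that passes them. The names AuditTLSConfig, HardenedTLSConfig and Finding, and the deliberately weak sample config in main, are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Finding describes one misconfiguration detected in a tls.Config.
// (Hypothetical type introduced for this example.)
type Finding string

// AuditTLSConfig applies the three checks from the description:
// InsecureSkipVerify, MinVersion/MaxVersion below TLS 1.2, and cipher
// suites that crypto/tls itself lists as insecure. It returns one
// finding per problem and nil for a clean config.
func AuditTLSConfig(cfg *tls.Config) []Finding {
	var findings []Finding

	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is true: the server certificate is not verified")
	}

	// MinVersion 0 defers to the package default. Flag it anyway so the
	// floor is pinned in code rather than depending on the toolchain.
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, Finding(fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion)))
	}

	// MaxVersion 0 means "highest version the package supports", which is fine;
	// only a non-zero cap below TLS 1.2 is a problem.
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS12 {
		findings = append(findings, Finding(fmt.Sprintf("MaxVersion 0x%04x caps the connection below TLS 1.2", cfg.MaxVersion)))
	}

	// crypto/tls publishes the suites it considers insecure (RC4, 3DES, ...).
	insecure := make(map[uint16]string)
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, bad := insecure[id]; bad {
			findings = append(findings, Finding("insecure cipher suite configured: "+name))
		}
	}
	return findings
}

// HardenedTLSConfig builds a client config that passes AuditTLSConfig.
// serverName is the hostname expected on the server certificate.
func HardenedTLSConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		// MaxVersion left at 0: negotiate the highest version crypto/tls supports.
		// CipherSuites left nil: crypto/tls chooses a safe default set, and the
		// TLS 1.3 suites are not configurable through this field anyway.
	}
}

func main() {
	// Constructed example in the shape the scanner flagged above: a config
	// copied from externally supplied settings without any policy check.
	weak := &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
	}
	for _, f := range AuditTLSConfig(weak) {
		fmt.Println("FINDING:", f)
	}
	fmt.Println("findings for hardened config:", len(AuditTLSConfig(HardenedTLSConfig("example.com"))))
}
```

Running AuditTLSConfig on a config assembled from user-controlled fields, as in the flagged snippets, before the config is handed to a dialer or listener turns the scanner's static finding into a runtime guard: refuse to start rather than silently connect without certificate verification.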