Sonarqube Version 6.7.5 (build 38563) (community edition I think) has contradicting rules:
https://t.co/OMXZ34eSje from “FindBugs Security Audit” and https://t.co/OMXZ34eSje from “Sonar way”.
SSLContext.getInstance("TLS");
is ok for the former, but not the latter.
The latter is wrong BTW.
RSPEC-4423 is misleading. Selection of SSLContext does not determine the protocol version that is negotiated. In JDK8 the SSLContext “TLS” is an alias for “TLSv1.2”. The only way to constrain the negotiated protocol version is to set the enabled cipher suites via the SSLEngine.
As an example:
clientSslContext = SSLContext.getInstance("TLSv1.2");
serverSslContext = SSLContext.getInstance("TLS");
serverEngine = serverSslContext.createSSLEngine();
serverEngine.setEnabledProtocols(new String[] { "TLSv1" });
Given the above client/server SSL configs, the client will send a TLSv1.2 hello message. The server will respond with a TLSv1.0 hello, and the two will end up using TLSv1.0 along with its weaker cipher suites.
Changing the client to use SSLContext.getInstance(“TLS”) has no impact on the handshake, since “TLS” is an alias for “TLSv1.2” in JDK8.
This rule is actually quite dangerous because the suggested fix leads to a false sense of increased security.