Curl SSL/TLS configuration should be chosen carefully

php

(Pierre-Loup Tristant) #1

Introduction
This new feature suggestion comes from a custom rules set dedicated to PHP and Drupal 8 security.

Description
curl's versions of SSL/TLS protocols and cypher suites must be chosen carrefuly.

Impact
Changing SSL/TLS configuration at runtime may lead to security miscofiguration :

  • Deprecated protocol version :
    • CURL_SSLVERSION_SSLv2
    • CURL_SSLVERSION_SSLv3
    • CURL_SSLVERSION_TLSv1
    • CURL_SSLVERSION_TLSv1_0
    • CURL_SSLVERSION_TLSv1_1
  • Weak or broken cipher suites :
    • To be determined. It may be safer to keep curl's default configuration.

Noncompliant Code Example

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, "AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5")

Compliant Solution

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

References

Type
Vulnerability

Tags
cwe, owasp-a6


(Alexandre Gigleux) #2

Thanks for the suggestion @Pierre-Loup.

I decided to extend the rule S4423 to cover the case of curl_setopt.

Here is the implementation ticket: https://jira.sonarsource.com/browse/SONARPHP-825

Note:
I’ve just noticed that “Noncompliant Code Example” and “Compliant Solution” are wrong here so I fixed https://jira.sonarsource.com/browse/RSPEC-4715 so that it is corrected next time we do a release of SonarPHP.

Regards


(Pierre-Loup Tristant) #3

Rule as been added to sonarPHP.


(Pierre-Yves Nicolas) #4

Thanks a lot for your contribution @Pierre-Loup!