Introduction
This new feature suggestion comes from a custom rule set dedicated to PHP and Drupal 8 security.
Description
The SSL/TLS protocol versions and cipher suites that curl is allowed to negotiate must be chosen carefully.
Impact
Changing the SSL/TLS configuration at runtime (via curl_setopt) may lead to a security misconfiguration:
- Deprecated protocol versions passed to CURLOPT_SSLVERSION:
  - CURL_SSLVERSION_SSLv2
  - CURL_SSLVERSION_SSLv3
  - CURL_SSLVERSION_TLSv1
  - CURL_SSLVERSION_TLSv1_0
  - CURL_SSLVERSION_TLSv1_1
- Weak or broken cipher suites passed to CURLOPT_SSL_CIPHER_LIST:
  - To be determined. It may be safer to keep curl's default configuration than to hand-pick a cipher list.
Noncompliant Code Example
// Noncompliant: deprecated protocol version, and a cipher list containing RC2, RC4 and MD5-based suites
curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, "AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5");
Compliant Solution
// Compliant: TLS 1.2. With libcurl 7.54.0 and later this sets the minimum version (TLS 1.3 stays allowed);
// the cipher list is left at curl's default.
curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
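A sketch of the detection logic this rule would need, written as an added example (it is not code from the original page and not the analyzer's own implementation). It is a line-based, regex-based checker that flags curl_setopt() calls selecting one of the deprecated CURLOPT_SSLVERSION constants (also in their integer spelling) or a CURLOPT_SSL_CIPHER_LIST literal containing weak suites. The weak-cipher markers are an assumption, since the rule leaves that list "to be determined"; the sample PHP source is constructed.

```python
import re

# Protocol-version constants the rule description lists as deprecated.
DEPRECATED_SSLVERSIONS = {
    "CURL_SSLVERSION_SSLv2",
    "CURL_SSLVERSION_SSLv3",
    "CURL_SSLVERSION_TLSv1",
    "CURL_SSLVERSION_TLSv1_0",
    "CURL_SSLVERSION_TLSv1_1",
}

# Integer spellings of the same constants (values from curl/curl.h:
# DEFAULT=0, TLSv1=1, SSLv2=2, SSLv3=3, TLSv1_0=4, TLSv1_1=5, TLSv1_2=6, TLSv1_3=7).
SSLVERSION_INT_NAMES = {
    "1": "CURL_SSLVERSION_TLSv1",
    "2": "CURL_SSLVERSION_SSLv2",
    "3": "CURL_SSLVERSION_SSLv3",
    "4": "CURL_SSLVERSION_TLSv1_0",
    "5": "CURL_SSLVERSION_TLSv1_1",
}

# ASSUMPTION: the rule leaves its weak-cipher list "to be determined"; these
# OpenSSL cipher-name fragments are the usual broken or weak candidates.
WEAK_CIPHER_MARKERS = ("RC4", "RC2", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "KRB5")

# One curl_setopt() call: handle, option constant, value expression.
# Line- and regex-based on purpose; a real analyzer rule works on the AST.
SETOPT_RE = re.compile(r"curl_setopt\s*\(\s*[^,]+,\s*(CURLOPT_\w+)\s*,\s*(.+?)\s*\)\s*;?")


def weak_ciphers(literal: str) -> list:
    """Cipher entries in a PHP string literal that match a weak marker.

    Entries prefixed with '!' or '-' remove ciphers in OpenSSL list syntax
    ("HIGH:!aNULL:!MD5"), so they are never reported as weak selections.
    """
    cipher_list = literal.strip().strip("\"'")
    weak = []
    for entry in cipher_list.split(":"):
        entry = entry.strip()
        if not entry or entry[0] in "!-":
            continue
        if any(marker in entry.upper() for marker in WEAK_CIPHER_MARKERS):
            weak.append(entry)
    return weak


def check_curl_setopt(php_source: str) -> list:
    """Flag curl_setopt() calls that select deprecated versions or weak ciphers."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in SETOPT_RE.finditer(line):
            option, value = match.group(1), match.group(2).strip()
            if option == "CURLOPT_SSLVERSION":
                name = SSLVERSION_INT_NAMES.get(value, value)
                if name in DEPRECATED_SSLVERSIONS:
                    findings.append({"line": lineno, "option": option, "value": value,
                                     "reason": "deprecated protocol version " + name})
            elif option == "CURLOPT_SSL_CIPHER_LIST" and value[:1] in "\"'":
                # Only string literals are inspected; a variable would need data-flow analysis.
                weak = weak_ciphers(value)
                if weak:
                    findings.append({"line": lineno, "option": option, "value": value,
                                     "reason": "weak cipher suite(s): " + ", ".join(weak)})
    return findings


# Constructed sample (not from the original page): the rule's two noncompliant
# calls, an integer spelling of SSLv3, and two compliant calls.
SAMPLE_PHP = """<?php
$curl = curl_init("https://example.com/");
curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, "AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5");
curl_setopt($curl, CURLOPT_SSLVERSION, 3);
curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, "HIGH:!aNULL:!MD5:!RC4");
"""

if __name__ == "__main__":
    for finding in check_curl_setopt(SAMPLE_PHP):
        print("line {line}: {option} = {value}: {reason}".format(**finding))
```

Running the block reports lines 3, 4 and 5 of the sample; the TLS 1.2 call and the exclusion-only cipher string are left alone. The integer mapping matters in practice because `curl_setopt($c, CURLOPT_SSLVERSION, 3)` is the same misconfiguration as the named constant and a constant-only check would miss it.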
References
- MITRE CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
- MITRE CWE-326 - Inadequate Encryption Strength
- OWASP Top 10 2017 Category A6 - Security Misconfiguration
Type
Vulnerability
Tags
cwe, owasp-a6