Use stronger SSL and TLS versions when I use libcurl to connect to the sftp server

Q: When I use libcurl to connect to the SFTP server, SonarQube prompts me to "Use stronger SSL and TLS versions" at curl_easy_init(), but from what I understand, the libcurl library doesn’t seem to have a way to set the SSH protocol version. How can I avoid this problem?

What language is this for?
C

Which rule?
Weak SSL/TLS protocols should not be used (c:S4423)

Why do you believe it’s a false-positive/false-negative?
I use the libcurl library to connect to the SFTP server, so I think there should be other scanning rules to avoid this problem if I can’t set the SSH protocol version.

Are you using
SonarQube - Developer Edition v10.6 (92116)

How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
Here is some of the code:

CURL *curl = NULL;
curl = curl_easy_init();
if(curl)
{
	curl_easy_setopt(curl, CURLOPT_URL, remote_file_path_temp); // SFTP URL
	curl_easy_setopt(curl, CURLOPT_USERPWD, url_key);
	curl_easy_setopt(curl, CURLOPT_USERNAME, user_account_temp);
	curl_easy_setopt(curl, CURLOPT_PASSWORD, user_password_temp);
	curl_easy_setopt(curl, CURLOPT_RANGE, temp_str);
	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
	curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);
	curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, connect_time);
	curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout); // default: 0 (never times out)
	curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, my_progress_callback);
	curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, NULL);
	curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);
	curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
	curl_easy_setopt(curl, CURLOPT_OPENSOCKETFUNCTION, opensocket);
	curl_easy_setopt(curl, CURLOPT_OPENSOCKETDATA, &sockfd);
	curl_easy_setopt(curl, CURLOPT_CLOSESOCKETFUNCTION, closecb);
	curl_easy_setopt(curl, CURLOPT_CLOSESOCKETDATA, &sockfd);
}

Hi @Vincent.W,

Thanks for reaching out to us.

You should be able to add the following line curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); to your set-up to select a secure protocol.

Can you check if this already solves your problem and the issue reported by Sonar?

Thanks.

Philipp

Hi Philipp,
Thanks for your reply.

According to your suggestion, I have tried to add curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
But it doesn’t seem to work, and here’s the image with the error:

Looking forward to your reply again.
THX.

Vincent.