Java Insecure Tls Protocol
Description
Detects the use of unspecified TLS protocol version in Java SSL/TLS configurations using SSLContext.getInstance("TLS"). This is potentially insecure as it may fall back to older, vulnerable TLS versions instead of explicitly using secure versions like TLS 1.2 or 1.3.
Detection Strategy
• Identifies calls to SSLContext.getInstance() method with various qualified names (javax.net.ssl.SSLContext, net.ssl.SSLContext, etc.)
• Checks if the first argument to getInstance() is exactly the string 'TLS' without version specification
• Reports a vulnerability when an SSLContext is initialized with generic 'TLS' protocol instead of a specific secure version
Vulnerable code example
import javax.net.ssl.SSLContext;
public void configureSSL() {
try {
// Vulnerable: Using unspecified "TLS" allows weak protocol versions
SSLContext context = SSLContext.getInstance("TLS");
} catch (Exception e) {
// Error handling...✅ Secure code example
import javax.net.ssl.SSLContext;
public void configureSSL() {
try {
// Secure: Explicitly using TLSv1.3 which is the latest and most secure TLS version
SSLContext context = SSLContext.getInstance("TLSv1.3");
} catch (Exception e) {
// Error handling...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.