Java Insecure SSL Protocol
Description
Detects the configuration of insecure SSL/TLS protocols in Java applications through SSLEngine. Using deprecated or weak SSL/TLS protocols (like SSLv3, TLS 1.0) can expose applications to known vulnerabilities and make encrypted communications susceptible to attacks.
Detection Strategy
• Identifies calls to setEnabledProtocols() method on SSLEngine objects
• Checks if the protocols being enabled include insecure versions (like SSLv3, TLS 1.0)
• Verifies the object is an instance of SSLEngine to ensure protocol configuration context
• Reports a vulnerability when weak/deprecated SSL protocols are explicitly enabled in the configuration
Vulnerable code example
import javax.net.ssl.SSLContext;

public class Vulnerable {
    private static final String PROTOCOL = "TLSv1"; // Insecure: Using deprecated TLSv1 protocol

    public void configureSSL() throws Exception {
        SSLContext context = SSLContext.getInstance(PROTOCOL);
        context.init(null, null, null);
    }
}

✅ Secure code example
import javax.net.ssl.SSLContext;

public class Secure {
    private static final String PROTOCOL = "TLSv1.2"; // Secure: Using recommended TLS version

    public void configureSSL() throws Exception {
        SSLContext context = SSLContext.getInstance(PROTOCOL);
        // Initialize with proper key managers, trust managers and secure random;
        // null arguments select the JDK defaults for each of them.
        context.init(null, null, null);
    }
}
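The detection strategy above describes the SSLEngine.setEnabledProtocols() pattern, while the two snippets only show the SSLContext.getInstance() variant. The following is an added example, not code from Fluid Attacks or from the rule itself: it shows the exact call shape the rule flags (a deprecated version passed to setEnabledProtocols()), a small audit helper that lists the enabled protocols a reviewer would object to, and a hardening step that restricts the engine to TLS 1.2/1.3. The class name ProtocolHardening and the helpers weakProtocols() and harden() are hypothetical names chosen for this illustration; the code assumes a standard JSSE provider whose supported-protocol list includes TLSv1.2 or TLSv1.3 (true of any current JDK). SSLv3 is deprecated by RFC 7568 and TLS 1.0/1.1 by RFC 8996, which is why they appear in the WEAK set.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical class name used for this added example.
public class ProtocolHardening {

    // Protocol names as the JSSE provider spells them. SSLv3 (RFC 7568) and
    // TLS 1.0 / 1.1 (RFC 8996) are deprecated; SSLv2Hello is the legacy hello format.
    static final Set<String> WEAK = Set.of("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

    // The only versions a new configuration should enable.
    static final Set<String> ALLOWED = Set.of("TLSv1.2", "TLSv1.3");

    /** Returns the enabled protocols that the rule would report on this engine. */
    static List<String> weakProtocols(SSLEngine engine) {
        return Arrays.stream(engine.getEnabledProtocols())
                .filter(WEAK::contains)
                .collect(Collectors.toList());
    }

    /**
     * Restricts the engine to TLS 1.2 / 1.3, intersected with what the provider
     * actually supports so setEnabledProtocols() never receives an unknown name.
     */
    static void harden(SSLEngine engine) {
        String[] safe = Arrays.stream(engine.getSupportedProtocols())
                .filter(ALLOWED::contains)
                .toArray(String[]::new);
        if (safe.length == 0) {
            // Assumption of this example: a provider without TLS 1.2/1.3 is a misconfiguration, not something to fall back from.
            throw new IllegalStateException("provider offers no TLS 1.2 or TLS 1.3 support");
        }
        engine.setEnabledProtocols(safe);
    }

    public static void main(String[] args) throws Exception {
        // "TLS" asks for the provider's generic TLS context; the concrete version
        // negotiated is governed by the enabled-protocol list set below.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null); // JDK default key managers, trust managers and SecureRandom
        SSLEngine engine = context.createSSLEngine();

        // The pattern the rule flags: a deprecated version explicitly enabled on an SSLEngine.
        engine.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.2"});
        System.out.println("flagged before hardening: " + weakProtocols(engine));

        harden(engine);
        System.out.println("enabled after hardening:  " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("flagged after hardening:  " + weakProtocols(engine));
    }
}
```

The audit helper is the piece worth reusing: the same check over engine.getEnabledProtocols() (or SSLSocket.getEnabledProtocols()) can run in a unit test against every SSLContext the application builds, so a regression that reintroduces TLSv1 fails the build rather than waiting for the SAST rule to catch it. Note that on a current JDK the deprecated versions are usually also listed in the jdk.tls.disabledAlgorithms security property, so enabling them in code does not by itself make a handshake succeed; the finding is still a real one because the configuration becomes insecure the moment that property is relaxed.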