Java Allows Tls1 1
Description
Detects insecure TLS configurations in Java applications that explicitly allow TLS 1.1. TLS 1.1 is cryptographically weak and has been deprecated since March 2021. Using TLS 1.1 can expose applications to known vulnerabilities and man-in-the-middle attacks.
Detection Strategy
• Identifies Java code where TLS versions are being configured through the 'tlsVersions' setting
• Examines the specific TLS version values being set in the configuration
• Reports a vulnerability when TLS 1.1 is explicitly allowed or enabled in the configuration
• Focuses on security configuration code that sets up TLS protocols for network communications
Vulnerable code example
import okhttp3.ConnectionSpec;
import okhttp3.TlsVersion;
public class InsecureConnection {
private static final String TLS_1_1 = TlsVersion.TLS_1_1;
public void configureTls() {
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)...✅ Secure code example
import okhttp3.ConnectionSpec;
import okhttp3.TlsVersion;
public class SecureConnection {
private static final String TLS_1_2 = TlsVersion.TLS_1_2; // Using secure TLS 1.2 version
public void configureTls() {
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.