Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[False Positive] A hard-coded TLS version ought to be fine, if it sets a lower bound

See original GitHub issue

Rule ID

DS440000 Generic: Do not hardcode SSL/TLS versions within an application.

What the rule matched

curl \
  --tlsv1.3 \
  https://localhost/

Why should this not be matched?

The man page for curl 7.86.0 is clear:

–tlsv1.3 (TLS) Forces curl to use TLS version 1.3 or later when connecting to a remote TLS server.

Issue Analytics

  • State:closed
  • Created 9 months ago
  • Comments:6 (5 by maintainers)

github_iconTop GitHub Comments

1reaction
sanmai-NLcommented, Feb 1, 2023

@gfs You mean --tlsv1.3, right?

1reaction
gfscommented, Jan 31, 2023

I have an updated version of this rule that will allow --tls1.3. Thanks for the report. #450 will close this.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Solving the TLS 1.0 Problem - Security documentation
Hardcoding here means that the TLS version is fixed to a version that is outdated and less secure than newer versions. TLS versions...
Read more >
TLS 1.0 False Positive? or True Positive? : r/AskNetsec
Is this a false positive? I believe it is, since the SSL handshake isn't fully complete. This is the result I get when...
Read more >
Is TLS 1.1 and TLS 1.2 enabled by default for .NET 4.5 and ...
NET Framework applications remain secure, the TLS version should not be hardcoded. .NET Framework applications should use the TLS version ...
Read more >
Defaulting Your System to use TLS 1.2 for .NET Applications
Solution using Powershell · Open Powershell and check for supported protocols by using [Net. · Run the following 2 cmdlets to set ....
Read more >
Server hostnames should be verified during SSL/TLS ...
This vulnerability allows attackers to impersonate a trusted host.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

[False Positive] HTTP request to localhost

Next page

extension no longer loads in VS2019 after PR #331