Insecure TLS configuration
ID: swift/insecure-tls
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-757
Query suites:
- swift-code-scanning.qls
- swift-security-extended.qls
- swift-security-and-quality.qls
TLS versions 1.0 and 1.1 are known to be vulnerable.
Recommendation
Use tls_protocol_version_t.TLSv12 or tls_protocol_version_t.TLSv13 when configuring URLSession.
Example
Specify a newer tls_protocol_version_t explicitly, or omit it completely as the OS will use secure defaults.

    // Set TLS version explicitly
    func createURLSession() -> URLSession {
        let config = URLSessionConfiguration.default
        config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv13
        return URLSession(configuration: config)
    }

    // Use the secure OS defaults
    func createURLSession() -> URLSession {
        let config = URLSessionConfiguration.default
        return URLSession(configuration: config)
    }
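For contrast, the following added example (not part of the CodeQL query help) shows the kind of assignment this query is meant to flag next to a factory that refuses to lower the minimum below TLS 1.2 when the version comes from a variable rather than a literal. The function names `createLegacySession`, `isAcceptableMinimum` and `createSession(requestedMinimum:)` are hypothetical, and the code assumes a deployment target where `tlsMinimumSupportedProtocolVersion` is available (iOS 13 / macOS 10.15 or later).

```swift
import Foundation
import Security

// BAD: explicitly lowers the minimum protocol version to TLS 1.0.
// The same applies to tls_protocol_version_t.TLSv11.
func createLegacySession() -> URLSession {
    let config = URLSessionConfiguration.default
    config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv10
    return URLSession(configuration: config)
}

// Hypothetical helper: only the two versions named in the
// recommendation are accepted as a minimum.
func isAcceptableMinimum(_ version: tls_protocol_version_t) -> Bool {
    switch version {
    case .TLSv12, .TLSv13:
        return true
    default:
        // TLSv10, TLSv11 and the DTLS values end up here.
        return false
    }
}

// GOOD: a requested minimum (for example, read from app settings)
// is applied only if it is TLS 1.2 or newer; anything weaker is
// replaced with TLS 1.2. Passing nil leaves the property untouched,
// so the OS defaults apply.
func createSession(requestedMinimum: tls_protocol_version_t? = nil) -> URLSession {
    let config = URLSessionConfiguration.default
    if let requested = requestedMinimum {
        config.tlsMinimumSupportedProtocolVersion =
            isAcceptableMinimum(requested) ? requested : tls_protocol_version_t.TLSv12
    }
    return URLSession(configuration: config)
}
```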
References
- Apple Platform Security - TLS security
- Preventing Insecure Network Connections
- Common Weakness Enumeration: CWE-757.