boost::asio use of deprecated hardcoded protocol¶

ID: cpp/boost/use-of-deprecated-hardcoded-security-protocol
Kind: problem
Security severity: 7.5
Severity: error
Precision: medium
Tags:
   - security
   - external/cwe/cwe-327
Query suites:
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

Using boost::asio library but specifying a deprecated hardcoded protocol.

Recommendation¶

Only use modern protocols such as TLS 1.2 or TLS 1.3.

Example¶

In the following example, the sslv2 protocol is specified. This protocol is out of date and its use is not recommended.

void useProtocol_bad()
{
	boost::asio::ssl::context ctx_sslv2(boost::asio::ssl::context::sslv2); // BAD: outdated protocol

	// ...
}

In the corrected example, the tlsv13 protocol is used instead.

void useProtocol_good()
{
	boost::asio::ssl::context cxt_tlsv13(boost::asio::ssl::context::tlsv13);

	// ...
}

References¶

Boost.Asio documentation.
Common Weakness Enumeration: CWE-327.

© GitHub, Inc.
Terms
Privacy