Insecure TLS configuration
ID: swift/insecure-tls
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-757
Query suites:
- swift-code-scanning.qls
- swift-security-extended.qls
- swift-security-and-quality.qls
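TLS versions 1.0 and 1.1 are known to be vulnerable. A URLSession whose configuration allows them can negotiate a connection that uses one of these versions.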
Recommendation
Use tls_protocol_version_t.TLSv12 or tls_protocol_version_t.TLSv13 when configuring URLSession.
Example
Specify a newer tls_protocol_version_t explicitly, or omit it completely, as the OS will use secure defaults.
import Foundation

// Set TLS version explicitly
func createURLSessionWithExplicitTLS() -> URLSession {
    let config = URLSessionConfiguration.default
    // Refuse to negotiate anything older than TLS 1.3
    config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv13
    return URLSession(configuration: config)
}

// Use the secure OS defaults
func createURLSessionWithOSDefaults() -> URLSession {
    // No TLS version is set, so the OS defaults apply
    let config = URLSessionConfiguration.default
    return URLSession(configuration: config)
}
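One way to keep TLS 1.0 and 1.1 out of an app is to build every URLSession through a single factory that rejects them, for both the minimum and the maximum version. This is an added example, not code from the CodeQL documentation; makeURLSession, isAllowedTLSVersion and TLSPolicyError are hypothetical names, and it assumes an Apple platform where tlsMinimumSupportedProtocolVersion is available (iOS 13 or macOS 10.15 and later).

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum TLSPolicyError: Error {
    case weakProtocol(tls_protocol_version_t)
    case invertedRange
}

// Allowlist: only the two versions the recommendation names pass.
// TLS 1.0, TLS 1.1 and any value not listed here are rejected.
func isAllowedTLSVersion(_ version: tls_protocol_version_t) -> Bool {
    switch version {
    case .TLSv12, .TLSv13: return true
    default: return false
    }
}

// Hypothetical factory: the single place in the app that builds sessions.
func makeURLSession(minimumTLS: tls_protocol_version_t = .TLSv12,
                    maximumTLS: tls_protocol_version_t? = nil) throws -> URLSession {
    guard isAllowedTLSVersion(minimumTLS) else {
        throw TLSPolicyError.weakProtocol(minimumTLS)
    }
    let config = URLSessionConfiguration.default
    config.tlsMinimumSupportedProtocolVersion = minimumTLS
    if let maximumTLS = maximumTLS {
        // A weak maximum caps the negotiation at a vulnerable version.
        guard isAllowedTLSVersion(maximumTLS) else {
            throw TLSPolicyError.weakProtocol(maximumTLS)
        }
        // Safe to compare raw values: both are TLS 1.2 or TLS 1.3 here.
        guard minimumTLS.rawValue <= maximumTLS.rawValue else {
            throw TLSPolicyError.invertedRange
        }
        config.tlsMaximumSupportedProtocolVersion = maximumTLS
    }
    return URLSession(configuration: config)
}

// Constructed calls: the first succeeds, the second is refused.
do {
    _ = try makeURLSession(minimumTLS: .TLSv13)
    _ = try makeURLSession(minimumTLS: .TLSv10)
} catch TLSPolicyError.weakProtocol(let version) {
    print("refused weak TLS version, raw value \(version.rawValue)")
} catch {
    print("invalid TLS range: \(error)")
}
```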
References
- Apple Platform Security - TLS security
- Preventing Insecure Network Connections
- Common Weakness Enumeration: CWE-757.