roslyn-security-guard
New Rule: Detect usage of old SSL implementations in the Security Manager
https://stackoverflow.com/a/28333370/736079
And for .NET 4.5.2 tell people to turn on TLS1.2, as it's turned off by default.
I have a big dilemma...
- Should we expect this setting to be defined before every connection?
- Somewhere in the initialization... I am not sure how this could be done.
I'd make it detect the explicit enablement of old standards.
It would be nice to detect non-enablement of TLS12 in .NET prior to 4.5.2, but as TLS12 is enabled by default in 4.6 and up, it's not too bad.
On Aug 18, 2017 22:17, "Philippe Arteau" [email protected] wrote:
I have a big dilemma...
- Should we expect this setting to be defined before every connection?
- Somewhere in the initialization...
Thanks for the precision. I'll check if I can detect the target version of the project.
The older projects should be easily detectable by the presence of the TLS12 enum value. Basically, it's recommended not to enable anything below TLS11.
Microsoft has actually released a nice doc with good and bad practices: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
For reference, this issue was moved to https://github.com/security-code-scan/security-code-scan/issues/10 as Security Guard is no longer active.
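A sketch of the rule proposed in this thread, added here as an illustration (it is not code from roslyn-security-guard or Security Code Scan): a Roslyn analyzer that flags explicit enablement of protocols below TLS 1.1. It assumes the setting under discussion is `System.Net.ServicePointManager.SecurityProtocol`; the class name and the rule id `EX0001` are hypothetical.

```csharp
using System.Collections.Immutable;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class OldSslProtocolAnalyzer : DiagnosticAnalyzer // hypothetical name
{
    // "EX0001" is a placeholder rule id, not an id used by any real analyzer.
    private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        "EX0001", "Old SSL/TLS protocol explicitly enabled",
        "SecurityProtocolType.{0} is explicitly enabled; use Tls12 or newer",
        "Security", DiagnosticSeverity.Warning, isEnabledByDefault: true);
    // Everything below TLS 1.1, per the recommendation in the thread.
    private static readonly ImmutableHashSet<string> Weak =
        ImmutableHashSet.Create("Ssl3", "Tls");
    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics =>
        ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();
        // Covers "SecurityProtocol = ..." and "SecurityProtocol |= ...".
        context.RegisterSyntaxNodeAction(Analyze,
            SyntaxKind.SimpleAssignmentExpression, SyntaxKind.OrAssignmentExpression);
    }

    private static void Analyze(SyntaxNodeAnalysisContext ctx)
    {
        var assignment = (AssignmentExpressionSyntax)ctx.Node;
        var target = ctx.SemanticModel.GetSymbolInfo(assignment.Left).Symbol as IPropertySymbol;
        if (target?.Name != "SecurityProtocol" ||
            target.ContainingType.ToDisplayString() != "System.Net.ServicePointManager")
            return;
        foreach (var access in assignment.Right.DescendantNodesAndSelf()
                     .OfType<MemberAccessExpressionSyntax>())
        {
            // "~SecurityProtocolType.Ssl3" clears a flag, so it is not enablement.
            if (access.Parent.IsKind(SyntaxKind.BitwiseNotExpression)) continue;
            var field = ctx.SemanticModel.GetSymbolInfo(access).Symbol as IFieldSymbol;
            if (field != null && Weak.Contains(field.Name) &&
                field.ContainingType.ToDisplayString() == "System.Net.SecurityProtocolType")
                ctx.ReportDiagnostic(Diagnostic.Create(Rule, access.GetLocation(), field.Name));
        }
    }
}
```

This only covers the "explicit enablement" half of the discussion: it does not track values passed through variables or `using static` imports, and it does not detect a missing Tls12 opt-in on older target frameworks.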