Scala : Unsafe SSL configuration
Classification
OWASP Top 10 2013
OWASP Mobile Top 10 2016
OWASP Top 10 2017
OWASP Top 10 2021
OWASP MASVS
HIPAA
CWE/SANS Top 25 2021
Overview
The SSL/TLS connection is established with insecure settings. Data sent over such a connection can be read or modified by an attacker positioned on the network, so valuable data can be compromised.
In Java (and therefore Scala) applications the cipher suite is chosen by passing string constants to the JSSE API (for example SSLSocket.setEnabledCipherSuites or SSLParameters.setCipherSuites). Many of the suites the platform accepts are insecure, obsolete, or deliberately weakened to satisfy old export restrictions. The suites below are the ones this entry's original guidance listed as acceptable (JSSE exposes both the TLS_ and the older SSL_ naming for some suites):
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
That list is dated. The 3DES suites are now considered weak because of the cipher's 64-bit block size (the SWEET32 attack), the TLS_RSA_* and SSL_RSA_* suites use static RSA key exchange and therefore provide no forward secrecy, and CBC mode with an HMAC-SHA1 MAC is legacy. Current practice is TLS 1.2 or TLS 1.3 with ECDHE key exchange and an AEAD cipher (AES-GCM or ChaCha20-Poly1305), with SSLv3, TLS 1.0 and TLS 1.1 disabled.
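The program below is an example added to this page (it is not DerScanner's, Oracle's or Play's code) showing how these constants are actually applied through JSSE from Scala: a name-based weak-suite check run over the list above, and a helper that restricts an SSLSocket to TLS 1.2/1.3 with ECDHE and AEAD suites and turns on hostname verification. The preferred-suite list and the assumption of a JDK 11 or newer JVM (needed for TLS 1.3) are mine; the check is a heuristic on suite names, not a complete policy.

```scala
import javax.net.ssl.{SSLContext, SSLSocket}

object TlsHardening {

  // The suites this page's original guidance listed; kept here so the check can be run on them.
  val LegacySuites: Seq[String] = Seq(
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
  )

  // Preference order for what should be enabled (assumption: JDK 11+, so TLS 1.3 is available).
  // TLS 1.3 suite names carry no key-exchange prefix because ECDHE is implied.
  val PreferredSuites: Seq[String] = Seq(
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  )

  val PreferredProtocols: Seq[String] = Seq("TLSv1.3", "TLSv1.2")

  /** Heuristic weak-suite check on the JSSE name: NULL/anonymous/export suites,
    * deprecated ciphers (DES, 3DES, RC4), MD5 or SHA-1 MACs (the CBC-SHA legacy
    * suites), and static RSA key exchange, which has no forward secrecy. */
  def isWeak(suite: String): Boolean = {
    val s = suite.toUpperCase
    s.contains("_NULL_") || s.contains("_ANON_") || s.contains("_EXPORT") ||
      s.contains("_3DES_") || s.contains("_DES_") || s.contains("_RC4_") ||
      s.endsWith("_MD5") || s.endsWith("_SHA") ||
      s.startsWith("TLS_RSA_WITH") || s.startsWith("SSL_RSA_WITH")
  }

  /** Keeps only the preferred suites this provider supports, in preference order. */
  def selectSuites(supported: Set[String]): Seq[String] =
    PreferredSuites.filter(supported)

  /** Applies protocol and suite restrictions; must run before the handshake starts. */
  def harden(socket: SSLSocket): SSLSocket = {
    val params = socket.getSSLParameters
    val supportedProtocols = socket.getSupportedProtocols.toSet
    params.setProtocols(PreferredProtocols.filter(supportedProtocols).toArray)
    params.setCipherSuites(selectSuites(socket.getSupportedCipherSuites.toSet).toArray)
    // A raw SSLSocket does not verify the hostname unless told to; HttpsURLConnection does.
    params.setEndpointIdentificationAlgorithm("HTTPS")
    socket.setSSLParameters(params)
    socket
  }

  def main(args: Array[String]): Unit = {
    // Default context: platform trust store, no custom TrustManager. An unconnected socket is
    // enough to show the effect, so nothing is sent over the network here.
    val socket = SSLContext.getDefault.getSocketFactory.createSocket().asInstanceOf[SSLSocket]
    val weakByDefault = socket.getEnabledCipherSuites.filter(isWeak)
    println(s"weak suites enabled by default: ${weakByDefault.mkString(", ")}")
    harden(socket)
    println(s"protocols after hardening: ${socket.getEnabledProtocols.mkString(", ")}")
    println(s"suites after hardening:    ${socket.getEnabledCipherSuites.mkString(", ")}")
    println(s"every suite in the page's list flagged as weak: ${LegacySuites.forall(isWeak)}")
    socket.close()
  }
}
```

The same restriction can be applied platform-wide instead of per socket through the jdk.tls.disabledAlgorithms security property, which is the right place for it when an application has many TLS clients; the per-socket form above is what to use when one connection needs a stricter policy than the rest of the JVM.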
In the Play Framework (through the ssl-config library used by Play WS) the SSLLooseConfig class holds the "loose" options meant for testing against broken or self-signed endpoints. Setting any of the following to true makes the connection insecure: acceptAnyCertificate (skips certificate chain validation), allowWeakCiphers, disableHostnameVerification (accepts a valid certificate issued for a different host), allowWeakProtocols, allowUnsafeRenegotiation. They correspond to the play.ws.ssl.loose.* keys in application.conf. Do not enable any of them in real applications; if a private CA or self-signed certificate must be trusted, configure a trust store for it instead of accepting every certificate.
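The following application.conf fragment is an example added to this page, not taken from it or from Play's own documentation. The key names are Play's documented play.ws.ssl and play.ws.ssl.loose settings; the cipher suite list, the TLS 1.3 requirement (JDK 11 or newer) and the trust store path conf/internal-ca.pem are assumptions for illustration.

```hocon
# What NOT to ship: every loose flag set to true. Each one removes a check
# that the handshake's security depends on.
play.ws.ssl.loose {
  acceptAnyCertificate        = true   # no chain validation: a man-in-the-middle certificate is accepted
  disableHostnameVerification = true   # a valid certificate for some other host is accepted
  allowWeakCiphers            = true   # suites ssl-config classifies as weak are not rejected
  allowWeakProtocols          = true   # SSLv3 and other deprecated protocols are not rejected
  allowUnsafeRenegotiation    = true   # renegotiation without the RFC 5746 extension is allowed
}

# Production shape: leave play.ws.ssl.loose at its defaults (all false) and pin
# what is enabled. On a JVM without TLS 1.3 use "TLSv1.2" for both settings.
play.ws.ssl {
  protocol         = "TLSv1.3"
  enabledProtocols = ["TLSv1.3", "TLSv1.2"]
  enabledCipherSuites = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  ]
  # The safe replacement for acceptAnyCertificate: trust one named CA (assumed file).
  trustManager {
    stores = [
      { type = "PEM", path = "conf/internal-ca.pem" }
    ]
  }
}
```

The two blocks are alternatives, not meant to coexist: the first documents what each loose flag gives up, the second is the configuration to keep. Because the loose keys default to false, the production block never needs to mention them, and a review of application.conf for any play.ws.ssl.loose entry set to true is a quick way to find this issue in an existing project.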
References
- Java Cryptography Architecture Oracle Providers - docs.oracle.com
- Now that it is 2015, what SSL/TLS cipher suites should be used in a high security HTTPS environment? - security.stackexchange.com
- Which Cipher Suites to enable for SSL Socket? - stackoverflow.com
- Good list of weak cipher suites for Java - stackoverflow.com
- SSLLooseConfig - playframework.com
- OWASP Top 10 2017 A3: Sensitive Data Exposure - owasp.org
- CWE category: OWASP Top Ten 2017 Category A6 - Security Misconfiguration - cwe.mitre.org
- Transport Layer Security (TLS) Parameters (cipher suite registry) - iana.org
DerScanner Severity Score: MEDIUM
See also
- Scala : Unreleased resource stream
- Scala : Multiple loggers in same class