medium
M5
MASVS-NETWORK-1
dynamic analysis
PTKD-DYN-WEAKTLS
Weak TLS version negotiated at runtime
A connection negotiated SSL or TLS 1.0/1.1, which are deprecated and vulnerable.
How it's exploited
A connection negotiated TLS 1.0/1.1 (or SSL) at runtime. These versions have practical downgrade and decryption attacks and are widely deprecated.
Why it matters
Sessions to that host can be degraded and attacked with published techniques.
How to fix it
- Fix the server first: disable TLS < 1.2 on the endpoint.
- Set minimum TLS 1.2 in the client socket/OkHttp/ATS configuration so weak negotiation cannot recur.
References