search

silkimen / cordova-plugin-advanced-http

Cordova / Phonegap plugin for communicating with HTTP servers. Allows for SSL pinning!
MIT License
391 stars 313 forks source link

TLSConfiguration.java #483

Closed vivekananda8909 closed 11 months ago

vivekananda8909 commented 1 year ago

@silkimen

We are using Veracode to find security vulnerabilities in our app. We got one issue "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')".

I followed the steps which you suggested in #423

, but no luck

Can you suggest any other alternate to fix Veracode scan issue.

Please find the screen shot for you reference.

Screen Shot 2022-10-20 at 9 53 42 AM
silkimen commented 1 year ago

Not sure, but this looks like a false positive to me. Because line 47 is only applying the cached socket factory. It doesn't change any security related stuff.

The socket factory is created in line 55. That's also where the blacklist is applied. You can check the 'TLSSocketFactory.Java' class. The given blacklisted names will be filtered from enabled protocols.

vivekananda8909 commented 1 year ago

@silkimen

Thanks for the quick response. Anything you can also help us or confirm about these low priority flaws. These are in HttpRequest.java

Thanks in advance

Screen Shot 2022-10-26 at 4 32 47 PM Screen Shot 2022-10-26 at 4 32 47 PM
silkimen commented 11 months ago

Please use StackOverflow for this kind of questions.