CA5397 (Category: Security). Enabled by default: No

Do not use deprecated SslProtocols values

Reference: Microsoft docs

Description

Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Older protocol versions of TLS are less secure than TLS 1.2 and TLS 1.3 and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. For guidance on identifying and removing deprecated protocol versions, see Solving the TLS 1.0 Problem, 2nd Edition.

Cause

This rule fires when either of the following conditions is met:

  • A deprecated System.Security.Authentication.SslProtocols value was referenced.
  • An integer value representing a deprecated value was either assigned to a System.Security.Authentication.SslProtocols variable, used as a System.Security.Authentication.SslProtocols return value, or used as a System.Security.Authentication.SslProtocols argument.

Deprecated values are:

  • Ssl2
  • Ssl3
  • Tls
  • Tls10
  • Tls11

How to fix violations

Don't use deprecated TLS protocol versions.

Example

using System;
using System.Security.Authentication;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // CA5397 violation for using Tls11
        SslProtocols protocols = SslProtocols.Tls11 | SslProtocols.Tls12;
    }
}

using System;
using System.Security.Authentication;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // CA5397 violation
        SslProtocols sslProtocols = (SslProtocols) 768;    // TLS 1.1
    }
}

Solution

using System;
using System.Security.Authentication;

public class TestClass
{
    public void Method()
    {
        // Let the operating system decide what TLS protocol version to use.
        // See https://learn.microsoft.com/dotnet/framework/network-programming/tls
        SslProtocols sslProtocols = SslProtocols.None;
    }
}
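The integer case from the Cause section, as an added example that is not from the rule page or from Microsoft's docs: a small C# guard that detects deprecated SslProtocols bits at run time, where a value built from configuration is outside the analyzer's static reach (the names TlsPolicy, FindDeprecated and FromConfig are assumptions of this example).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Authentication;

// Added example, not part of the rule page: a runtime guard for SslProtocols values
// that arrive as integers (e.g. from configuration), which the analyzer cannot see.
public static class TlsPolicy
{
    // Referencing these members does not enable them (the first suppression case
    // on the page), so CA5397 is disabled locally; newer target frameworks may also
    // raise obsolete-member warnings here that need the same treatment.
#pragma warning disable CA5397
    private static readonly SslProtocols[] Deprecated =
    {
        SslProtocols.Ssl2,   // 12
        SslProtocols.Ssl3,   // 48
        SslProtocols.Tls,    // 192, TLS 1.0
        SslProtocols.Tls11,  // 768
    };
#pragma warning restore CA5397
    // Returns the deprecated flags set in value; empty when the value is clean.
    public static List<SslProtocols> FindDeprecated(SslProtocols value)
    {
        var found = new List<SslProtocols>();
        foreach (var p in Deprecated)
        {
            if ((value & p) == p) found.Add(p);
        }
        return found;
    }
    // Converts a raw integer from configuration and rejects deprecated bits.
    // Zero maps to SslProtocols.None, which lets the OS choose the version.
    public static SslProtocols FromConfig(int raw)
    {
        var value = (SslProtocols)raw;
        var bad = FindDeprecated(value);
        if (bad.Count > 0)
        {
            throw new ArgumentException(
                $"SslProtocols value {raw} enables deprecated versions: {string.Join(", ", bad)}");
        }
        return value;
    }
    public static void Main()
    {
        Console.WriteLine(FromConfig(0));   // 0 is SslProtocols.None
        try { FromConfig(768); }            // 768 is the Tls11 flag, as in the page's second example
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```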

When to suppress

You can suppress this warning if:

  • The reference to the deprecated protocol version isn't being used to enable a deprecated version.
  • You need to connect to a legacy service that can't be upgraded to use secure TLS configurations.