CA5398 (category: Security). Enabled by default: No

Avoid hardcoded SslProtocols values


Description

Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Protocol versions TLS 1.0 and TLS 1.1 are deprecated, while TLS 1.2 and TLS 1.3 are current. In the future, TLS 1.2 and TLS 1.3 may be deprecated. To ensure that your application remains secure, avoid hardcoding a protocol version. For more information, see Transport Layer Security (TLS) best practices with .NET Framework.

Cause

This rule fires when either of the following conditions is met:

  • A safe but hardcoded System.Security.Authentication.SslProtocols value was referenced.
  • An integer value representing a safe protocol version was either assigned to a System.Security.Authentication.SslProtocols variable, used as a System.Security.Authentication.SslProtocols return value, or used as a System.Security.Authentication.SslProtocols argument.

Safe values are:

  • Tls12
  • Tls13

How to fix violations

Don't hardcode TLS protocol versions.

Example

using System;
using System.Security.Authentication;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // CA5398 violation
        SslProtocols sslProtocols = SslProtocols.Tls12;
    }
}

using System;
using System.Security.Authentication;

public class ExampleClass
{
    public SslProtocols ExampleMethod()
    {
        // CA5398 violation
        return (SslProtocols) 3072;    // TLS 1.2
    }
}

using System;
using System.Security.Authentication;

public class TestClass
{
    public void Method()
    {
        // Let the operating system decide what TLS protocol version to use.
        // See https://learn.microsoft.com/dotnet/framework/network-programming/tls
        SslProtocols sslProtocols = SslProtocols.None;
    }
}

When to suppress

It's safe to suppress a warning if you need to connect to a legacy service that can't be upgraded to use future TLS protocol versions.
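The following is an added example (not part of the rule documentation above) showing the fix and the one legitimate exception together: an HttpClientHandler and an SslStream that defer the protocol choice to the operating system with SslProtocols.None, and a single legacy-only method where the version is pinned and the CA5398 diagnostic is suppressed at the narrowest possible scope with a recorded justification. The class and method names, the host name and the justification text are assumptions for illustration.

```csharp
using System;
using System.Diagnostics.CodeAnalysis;
using System.Net.Http;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

public static class TlsClientExamples
{
    // Preferred: let the OS/runtime pick the protocol so that newer versions are
    // adopted and deprecated ones retired without a code change. No CA5398 warning.
    public static HttpClient CreateHttpClient()
    {
        var handler = new HttpClientHandler
        {
            // SslProtocols.None means "use the system default".
            SslProtocols = SslProtocols.None
        };
        return new HttpClient(handler);
    }

    // Same idea for a raw SslStream over an already-connected TcpClient.
    public static SslStream OpenSslStream(TcpClient client, string targetHost)
    {
        var stream = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);
        // Passing SslProtocols.None defers to the system default; revocation
        // checking stays on so the hardening is not traded away elsewhere.
        stream.AuthenticateAsClient(
            targetHost,
            clientCertificates: null,
            enabledSslProtocols: SslProtocols.None,
            checkCertificateRevocation: true);
        return stream;
    }

    // Only for a legacy service that cannot be upgraded: pin the version and
    // suppress CA5398 on this one member, not project-wide, with the reason recorded.
    // The host name and justification below are placeholders for illustration.
    [SuppressMessage("Security", "CA5398:Avoid hardcoded SslProtocols values",
        Justification = "legacy.example.invalid only speaks TLS 1.2; tracked for upgrade.")]
    public static HttpClient CreateLegacyClient()
    {
        var handler = new HttpClientHandler { SslProtocols = SslProtocols.Tls12 };
        return new HttpClient(handler);
    }
}
```

Keeping the suppression on the individual member (rather than disabling the rule in an .editorconfig or ruleset) means every other TLS configuration in the project is still checked, and the pinned version is easy to find and remove once the legacy endpoint is upgraded.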
