javax.net.ssl.SSLContext.getInstance returns a SSLContext object that implements the specified secure socket protocol. However, older protocol versions like "SSLv3" have been proven to be insecure.

This rule raises an issue when an SSLContext is created with an insecure protocol version (ie: a protocol different from "TLS", "DTLS", "TLSv1.2", "DTLSv1.2", "TLSv1.3", "DTLSv1.3").

The recommended value is "TLS" or "DTLS" as it will always use the latest version of the protocol. However an issue will be raised if the bytecode was compiled with JDK7 or an even older version of JDK because they are not alias for "TLSv1.2" and "DTLSv1.2" but for weaker protocols.

Note that calling SSLContext.getInstance(...) with "TLSv1.2" or "DTLSv1.2" doesn't prevent protocol version negotiation. For example, if a client connects with "TLSv1.1" and the server used SSLContext.getInstance("TLSv1.2"), the connection will use "TLSv1.1". It is possible to enable only specific protocol versions by calling setEnabledProtocols on SSLSocket, SSLServerSocket or SSLEngine. However this should be rarely needed as clients usually ask for the most secure protocol supported.

Noncompliant Code Example

context = SSLContext.getInstance("SSLv3"); // Noncompliant

Compliant Solution

context = SSLContext.getInstance("TLSv1.2");

See