This rule raises an issue when an insecure TLS protocol version is used (i.e. a protocol version other than "TLSv1.2", "TLSv1.3", "DTLSv1.2" or "DTLSv1.3").

Noncompliant Code Example

javax.net.ssl.SSLContext library:

SSLContext context = SSLContext.getInstance("TLSv1.1"); // Noncompliant: TLS 1.1 is deprecated and insecure

okhttp library:

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
      .tlsVersions(TlsVersion.TLS_1_1) // Noncompliant
      .build();

Compliant Solution

javax.net.ssl.SSLContext library:

SSLContext context = SSLContext.getInstance("TLSv1.2"); // Compliant

okhttp library:

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
      .tlsVersions(TlsVersion.TLS_1_2) // Compliant
      .build();
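
The version string passed to SSLContext.getInstance only sets the highest protocol the context supports; which versions an engine or socket may actually negotiate is governed by its enabled-protocol list (and by jdk.tls.disabledAlgorithms in java.security). The added example below, written for this page and not part of the rule's own code, builds a compliant context, pins the enabled protocols to TLS 1.2 and 1.3, and checks the result against the rule's allow-list; it assumes Java 11 or later and the class and method names are illustrative.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public final class TlsProtocolPolicy {
    // The only (D)TLS versions this rule accepts.
    static final Set<String> ALLOWED =
            Set.of("TLSv1.2", "TLSv1.3", "DTLSv1.2", "DTLSv1.3");

    // Versions to enable on every engine or socket, newest first.
    static final String[] ENABLED = {"TLSv1.3", "TLSv1.2"};

    // Compliant: the context's ceiling is TLS 1.3.
    static SSLContext modernContext() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        try {
            ctx.init(null, null, null); // default key and trust managers
        } catch (java.security.KeyManagementException e) {
            throw new IllegalStateException(e);
        }
        return ctx;
    }

    // Pin the enabled versions so nothing older than TLS 1.2 can be negotiated,
    // regardless of the JDK's default enabled list.
    static SSLEngine pinnedEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(ENABLED);
        engine.setSSLParameters(params);
        return engine;
    }

    // Enabled versions the rule would flag; empty when the engine is compliant.
    static List<String> disallowedEnabled(SSLEngine engine) {
        return Arrays.stream(engine.getEnabledProtocols())
                .filter(p -> !ALLOWED.contains(p))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = pinnedEngine(modernContext());
        System.out.println("enabled: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("flagged: " + disallowedEnabled(engine));
    }
}
```

The same pinning applies to SSLSocket and SSLServerSocket via setEnabledProtocols; for okhttp, list only TlsVersion.TLS_1_3 and TlsVersion.TLS_1_2 in the ConnectionSpec as shown above.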

See