
cwe-295-insecure-tls-trust-manager


CWE-295 Insecure TLS/SSL Configuration

Description

Insecure TLS/SSL Configuration: Java code that talks TLS to a peer without validating the peer's certificate chain or its host name. CWE-295 names this weakness Improper Certificate Validation; in Java it most often appears as an X509TrustManager whose check methods never throw, a HostnameVerifier that always returns true, or both.

Reference: https://cwe.mitre.org/data/definitions/295.html

OWASP Category: A07:2021 – Identification and Authentication Failures (the category CWE-295 is mapped to); the practical consequence, a TLS channel an attacker can read and modify, is also the failure mode described by A02:2021 – Cryptographic Failures


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// VULNERABLE: TrustManager that accepts ALL certificates
TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] certs, String authType) {}
        public void checkServerTrusted(X509Certificate[] certs, String authType) {}  // EMPTY! never throws, so every chain "validates"
        public X509Certificate[] getAcceptedIssuers() { return null; }  // contract says return an empty array, not null
    }
};
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, trustAllCerts, new SecureRandom());  // throws NoSuchAlgorithmException / KeyManagementException
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());  // every HttpsURLConnection in the JVM now trusts anything

// VULNERABLE: HostnameVerifier that accepts all
HostnameVerifier allHostsValid = (hostname, session) -> true;  // DANGEROUS!
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);  // and any valid certificate for any host is accepted

Why it's vulnerable: checkServerTrusted is the one place where the server's certificate chain is validated, and the JSSE contract is that it throws CertificateException to reject a chain. An empty body never throws, so a self-signed, expired, revoked or completely unrelated certificate is accepted, and anyone on the network path (rogue Wi-Fi, compromised router, hijacked DNS) can terminate the TLS connection with a certificate of their own and read or modify the traffic. The all-accepting HostnameVerifier removes the second check: even when the chain is validated properly, a valid certificate for some other host name is accepted, so an attacker who holds a legitimate certificate for any domain can impersonate yours. Installing either as the JVM-wide default spreads the bypass to every HttpsURLConnection in the process.


Deterministic Fix

✅ Secure Implementation

import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// SECURE (simplest): the JVM default context, backed by the system trust store (cacerts)
SSLContext defaultContext = SSLContext.getDefault();

// SECURE (explicit): a context whose TrustManager is the JDK's own PKIX validator
SSLContext sc = SSLContext.getInstance("TLSv1.3");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
    TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);  // null KeyStore = default system trust store
sc.init(null, tmf.getTrustManagers(), new SecureRandom());

// SECURE: keep the built-in host name check. HttpsURLConnection performs its own RFC 2818
// check first and consults the HostnameVerifier only if that check fails; the default verifier
// returns false, so the built-in check is final. The call below only matters to undo an earlier
// setDefaultHostnameVerifier(...) elsewhere in the JVM. `url` is the java.net.URL being called.
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(sc.getSocketFactory());
conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());

// If a private CA must be trusted, put it in a trust store instead of disabling validation.
// Password from configuration rather than a literal; the stream is closed; a fresh factory
// rather than re-initialising the one already bound to `sc`.
KeyStore trustStore = KeyStore.getInstance("JKS");  // PKCS12 is the current default format if you can choose
try (InputStream in = Files.newInputStream(Path.of("truststore.jks"))) {
    trustStore.load(in, System.getenv("TRUSTSTORE_PASSWORD").toCharArray());
}
TrustManagerFactory customTmf = TrustManagerFactory.getInstance(
    TrustManagerFactory.getDefaultAlgorithm());
customTmf.init(trustStore);
SSLContext customSc = SSLContext.getInstance("TLSv1.3");
customSc.init(null, customTmf.getTrustManagers(), new SecureRandom());

Why it's secure: the TrustManagerFactory's default algorithm (PKIX) yields the JDK's own X509TrustManager, which builds the chain up to a trust anchor in the configured trust store, checks validity dates, key usage and, when enabled, revocation, and throws CertificateException on any failure, so a forged or self-signed certificate aborts the handshake. Host name verification stays with the built-in check, so a valid certificate for a different host is rejected too. A custom trust store narrows trust rather than widening it: only chains ending in the CAs it contains are accepted, which is the right way to handle an internal CA (note that it then replaces the system CAs, so public sites will not validate against it unless their CA is added as well). One caveat: SSLContext.getInstance("TLSv1.3") sets the highest version, not the lowest; older protocols remain negotiable unless they are disabled through jdk.tls.disabledAlgorithms (as they are by default on current JDKs) or the enabled protocols are restricted on the socket, engine or SSLParameters.


Detection Pattern

Look for these patterns in your codebase:

# Find custom TrustManagers, then inspect whether checkServerTrusted actually validates the chain
grep -rnE "X509TrustManager|checkServerTrusted|getAcceptedIssuers" --include="*.java" .
# Find HostnameVerifier overrides: lambdas that return true, anonymous classes, and JVM-wide installs
grep -rnE "HostnameVerifier.*->.*true|setDefaultHostnameVerifier" --include="*.java" .
grep -rnEA3 "boolean verify\(" --include="*.java" . | grep -E "return true"
# Find trust-all shortcuts offered by common HTTP client libraries (Apache HttpClient names shown)
grep -rnE "NoopHostnameVerifier|ALLOW_ALL_HOSTNAME_VERIFIER|TrustAllStrategy|setDefaultSSLSocketFactory" --include="*.java" .
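The grep lines above miss the two shapes that occur most often in real code: a checkServerTrusted whose body spans several lines and contains only a comment, and an anonymous HostnameVerifier whose verify method returns true on its own line. The scanner below is an added example, not part of this skill, that matches across lines with regular expressions; the class name TrustManagerAudit and the sample source it scans are constructed for the illustration, and it needs Java 16 or later for the record.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Flags CWE-295 patterns that a single-line grep misses: multi-line empty bodies and "return true" verifiers. */
public final class TrustManagerAudit {

    /** Each rule is a label plus a regex applied to the whole file (DOTALL so method bodies may span lines). */
    private static final String[][] RULES = {
        // checkServerTrusted whose body is empty or holds only comments: it never throws, so every chain passes
        {"empty checkServerTrusted",
         "checkServerTrusted\\s*\\([^)]*\\)\\s*(?:throws[^{]*)?\\{\\s*(?:(?://[^\\n]*|/\\*.*?\\*/)\\s*)*\\}"},
        // HostnameVerifier that unconditionally returns true, as a lambda or as an anonymous class
        {"all-hosts HostnameVerifier",
         "HostnameVerifier\\b[^;]*->\\s*true|boolean\\s+verify\\s*\\([^)]*\\)\\s*\\{\\s*return\\s+true\\s*;\\s*\\}"},
        // Library helpers that disable validation outright (Apache HttpClient names)
        {"library trust-all helper",
         "\\b(?:NoopHostnameVerifier|TrustAllStrategy|ALLOW_ALL_HOSTNAME_VERIFIER)\\b"},
    };

    /** One hit: which rule fired, the 1-based line where the match starts, and a whitespace-collapsed excerpt. */
    public record Finding(String rule, int line, String snippet) {}

    public static List<Finding> scan(String source) {
        List<Finding> out = new ArrayList<>();
        for (String[] rule : RULES) {
            Matcher m = Pattern.compile(rule[1], Pattern.DOTALL).matcher(source);
            while (m.find()) {
                int line = 1 + (int) source.substring(0, m.start()).chars().filter(c -> c == '\n').count();
                String snippet = m.group().replaceAll("\\s+", " ");
                out.add(new Finding(rule[0], line,
                        snippet.length() > 70 ? snippet.substring(0, 70) + "..." : snippet));
            }
        }
        return out;
    }

    // Constructed sample input (not from any real project): one bypassing class and one that delegates properly.
    static final String SAMPLE = String.join("\n",
        "class Bad {",
        "  X509TrustManager tm = new X509TrustManager() {",
        "    public void checkClientTrusted(X509Certificate[] c, String a) {}",
        "    public void checkServerTrusted(X509Certificate[] c, String a) {",
        "      // TODO: validate later",
        "    }",
        "    public X509Certificate[] getAcceptedIssuers() { return null; }",
        "  };",
        "  HostnameVerifier hv = (h, s) -> true;",
        "  HostnameVerifier hv2 = new HostnameVerifier() {",
        "    public boolean verify(String h, SSLSession s) { return true; }",
        "  };",
        "}",
        "class Good {",
        "  void check(X509TrustManager delegate, X509Certificate[] chain, String authType) throws CertificateException {",
        "    delegate.checkServerTrusted(chain, authType);",
        "  }",
        "}");

    public static void main(String[] args) {
        // Expected on SAMPLE: line 4 (empty checkServerTrusted), line 9 and line 11 (all-hosts HostnameVerifier);
        // the delegating call in Good is not reported because it is a call, not a method body.
        for (Finding f : scan(SAMPLE)) {
            System.out.println(f.line() + ": " + f.rule() + "  " + f.snippet());
        }
    }
}
```

Run it over real files by reading each .java file into a string and calling scan; treat every hit as something to review by hand, since a checkServerTrusted that delegates to the default X509TrustManager and then adds pinning is legitimate and will not match rule 1.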

Remediation Steps

  1. Remove custom TrustManagers with empty check methods; replace them with the TrustManagers from TrustManagerFactory, or with a trust store that contains the private CA if one must be trusted

  2. Use SSLContext.getDefault() for standard TLS

  3. Negotiate only TLSv1.2 or TLSv1.3 (never SSLv3, TLSv1.0 or TLSv1.1). SSLContext.getInstance("TLSv1.3") sets the highest version, not the lowest: restrict the enabled protocols on the socket, engine or SSLParameters, and leave jdk.tls.disabledAlgorithms intact

  4. Keep the default HostnameVerifier; never install one that returns true with setDefaultHostnameVerifier or setHostnameVerifier
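The four steps combined into one client factory, as an added example that is not part of this skill: the trust managers come from TrustManagerFactory, the protocol list is pinned to TLS 1.2 and 1.3 through SSLParameters, and host name verification stays on. The class name SecureHttpClientFactory, the environment variable for the trust store password, and the use of java.net.http.HttpClient (JDK 11 or later) are choices made here; the main method performs a real request to the URL given on the command line.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

/** Builds HTTP clients whose TLS settings cannot silently fall back to insecure choices. */
public final class SecureHttpClientFactory {

    /** Protocols we are willing to negotiate; SSLv3, TLS 1.0 and TLS 1.1 are excluded (step 3). */
    private static final String[] ALLOWED_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    /** Steps 1 and 2: a context whose only TrustManager is the one the JDK builds from the system trust store. */
    public static SSLContext systemTrustContext() throws GeneralSecurityException {
        return contextFor(null);
    }

    /** Step 1 for a private CA: anchor trust to an explicit PKCS12 trust store instead of disabling validation.
     *  The password is supplied by the caller so it can come from a secret store rather than a literal. */
    public static SSLContext customTrustContext(Path trustStorePath, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        return contextFor(trustStore);
    }

    private static SSLContext contextFor(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                          // null => JDK default (cacerts or javax.net.ssl.trustStore)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // null SecureRandom => provider default
        return ctx;
    }

    /** Steps 3 and 4: pin the protocol list and keep endpoint identification (host name checking) on. */
    public static HttpClient newClient(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();   // returns a copy; safe to modify
        params.setProtocols(ALLOWED_PROTOCOLS);
        // java.net.http.HttpClient verifies host names by default; setting "HTTPS" explicitly keeps it on
        // even if these parameters were derived from a context where it had been cleared. Never set null or "".
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return HttpClient.newBuilder()
                .sslContext(ctx)
                .sslParameters(params)
                .build();
    }

    public static void main(String[] args) throws Exception {
        String target = args.length > 0 ? args[0] : "https://example.com/";  // placeholder target
        HttpClient client = newClient(systemTrustContext());
        HttpResponse<Void> resp = client.send(
                HttpRequest.newBuilder(URI.create(target)).build(),
                HttpResponse.BodyHandlers.discarding());
        System.out.println(resp.statusCode() + " over "
                + resp.sslSession().map(s -> s.getProtocol()).orElse("no TLS session"));
    }
}
```

Point the main method at a host with a self-signed certificate and the call fails with SSLHandshakeException, which is the behaviour a client built this way should exhibit; use customTrustContext with that certificate's CA when the host is legitimately internal.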


Key Imports


import javax.net.ssl.SSLContext;

import javax.net.ssl.TrustManagerFactory;

import javax.net.ssl.HostnameVerifier;

import javax.net.ssl.HttpsURLConnection;

import javax.net.ssl.TrustManager;

import javax.net.ssl.X509TrustManager;

import java.security.KeyStore;

import java.security.cert.X509Certificate;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code
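A test that verifies the secure implementation should prove three things: an untrusted certificate is rejected, a certificate in an explicit trust store is accepted, and a valid certificate for the wrong host name is rejected. The check below is an added example, not part of this skill, that starts a local HTTPS server with a self-signed certificate and exercises all three cases with java.net.http.HttpClient (JDK 11 or later). It assumes a test keystore server.p12 (alias test, password changeit, subject CN=localhost with SAN dns:localhost) created beforehand with: keytool -genkeypair -alias test -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore server.p12 -storepass changeit -dname CN=localhost -ext san=dns:localhost -validity 30. The class name TlsValidationCheck is a choice made here.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

/** Proves that a client rejects an untrusted chain and a SAN mismatch, and accepts a properly trusted certificate. */
public final class TlsValidationCheck {

    static final Path KEYSTORE = Path.of("server.p12");        // assumed: generated with the keytool command in the lead-in
    static final char[] PASSWORD = "changeit".toCharArray();   // test-only keystore password

    /** Server side: presents the self-signed certificate for localhost. */
    static SSLContext serverContext(KeyStore ks) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);   // no client authentication, so trust managers are irrelevant here
        return ctx;
    }

    /** Client side: an in-memory trust store holding only the server's certificate (the right way to trust a private cert). */
    static SSLContext clientContextTrusting(Certificate serverCert) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);                              // empty store
        trust.setCertificateEntry("test-server", serverCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Returns the HTTP status; TLS validation failures surface as SSLException. */
    static int fetch(SSLContext ctx, String url) throws Exception {
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).version(HttpClient.Version.HTTP_1_1).build();
        HttpResponse<Void> resp = client.send(HttpRequest.newBuilder(URI.create(url)).build(),
                                              HttpResponse.BodyHandlers.discarding());
        return resp.statusCode();
    }

    /** True only when the request failed because of TLS validation; a ConnectException or similar propagates as a setup error. */
    static boolean failsTlsValidation(SSLContext ctx, String url) throws Exception {
        try {
            fetch(ctx, url);
            return false;
        } catch (SSLException expected) {   // SSLHandshakeException for an untrusted chain or a host name mismatch
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(KEYSTORE)) { ks.load(in, PASSWORD); }
        Certificate serverCert = ks.getCertificate("test");

        // Bind to 127.0.0.1 explicitly so "localhost" and "127.0.0.1" both reach the same listener.
        HttpsServer server = HttpsServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(serverContext(ks)));
        server.createContext("/", ex -> { ex.sendResponseHeaders(204, -1); ex.close(); });
        server.start();
        int port = server.getAddress().getPort();
        try {
            // 1. The system trust store does not contain the self-signed certificate: the handshake must fail.
            if (!failsTlsValidation(SSLContext.getDefault(), "https://localhost:" + port + "/"))
                throw new AssertionError("default trust store accepted a self-signed certificate");
            // 2. Explicit trust store containing the certificate, host name present in the SAN: must succeed.
            if (fetch(clientContextTrusting(serverCert), "https://localhost:" + port + "/") != 204)
                throw new AssertionError("trusted certificate was not accepted");
            // 3. Same trust store, but 127.0.0.1 is not in the certificate's SAN: host name verification must fail.
            if (!failsTlsValidation(clientContextTrusting(serverCert), "https://127.0.0.1:" + port + "/"))
                throw new AssertionError("host name verification did not reject a SAN mismatch");
            System.out.println("TLS validation checks passed on port " + port);
        } finally {
            server.stop(0);
        }
    }
}
```

Run the same three cases against the application's own client factory rather than the contexts built here to turn this into a regression test; if case 1 or case 3 stops failing after a change, a trust-all TrustManager or HostnameVerifier has crept back in.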


Trigger Examples

Fix CWE-295 vulnerability
Resolve Insecure TLS/SSL Configuration issue
Secure this Java code against insecure tls/ssl configuration
SAST reports CWE-295

Common Vulnerable Locations

| Layer | Files | Patterns |
| --- | --- | --- |
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |

For CWE-295 the TLS settings usually live outside these layers: check the classes that construct HTTP clients (*Config.java, *Client.java, RestTemplate or WebClient bean definitions) and anything that touches SSLContext, HttpsURLConnection or setDefaultHostnameVerifier.


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07
