CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Insecure TLS / SSL

security CWE-326 OWASP A2:2021 CVSS 7.4 PHP 5.0+ Intermediate
debt(d5/e3/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list specialist external tools — ssllabs, testssl.sh, owasp-zap, nmap — none of which are default linters or compilers. These require deliberate invocation against a running server, placing detection firmly in specialist-tool territory rather than automatic IDE/linter feedback.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is a targeted web server config change: set minimum TLS 1.2, disable weak versions and cipher suites. This is a small, localised configuration update, not a one-liner swap (e1) but also not a multi-file refactor. PHP-side mistakes like CURLOPT_SSL_VERIFYPEER=false are individual call-site fixes, also e1–e3 range, keeping overall effort at e3.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The misconfiguration primarily lives in web server config (Nginx/Apache) and individual curl call-sites, scoped to the web context. It imposes a compliance/audit burden and requires periodic re-checks as TLS standards evolve, but it does not reshape the broader application architecture or slow down unrelated work streams.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field states exactly: developers believe 'any HTTPS connection is equally secure.' This directly contradicts the reality that TLS 1.0/1.1 and weak cipher suites leave HTTPS open to downgrade and interception. The trap is especially dangerous because CURLOPT_SSL_VERIFYPEER=false and self-signed cert workarounds feel like reasonable developer shortcuts but silently defeat all certificate validation — a contradiction with how the concept is named and presented.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-08 · reviewed by human

Also Known As

weak TLS SSL misconfiguration deprecated TLS version

TL;DR

Use of deprecated SSL/TLS versions or weak cipher suites exposes encrypted traffic to interception or decryption attacks.

Explanation

Insecure TLS configurations include using deprecated protocols (SSL 3.0, TLS 1.0, TLS 1.1), weak cipher suites (RC4, DES, 3DES, export-grade ciphers), short key lengths, or disabling certificate validation. These weaknesses can allow attackers to downgrade connections, exploit known protocol flaws like POODLE or BEAST, or perform man-in-the-middle attacks. PHP applications should enforce TLS 1.2+ in cURL and stream contexts, validate peer certificates, and follow Mozilla's SSL Configuration Generator recommendations.

Common Misconception

Any HTTPS connection is equally secure. TLS 1.0 and 1.1 have known protocol weaknesses. Weak cipher suites and missing HSTS leave "HTTPS" sites open to downgrade and interception attacks.

Why It Matters

Weak TLS configuration allows active attackers to intercept, read, or modify encrypted traffic — defeating the purpose of HTTPS entirely.

Common Mistakes

  • Setting CURLOPT_SSL_VERIFYPEER to false in curl calls — disables all certificate validation.
  • Leaving TLS 1.0/1.1 enabled on the server — both are deprecated and vulnerable to downgrade attacks.
  • Using self-signed certificates in production without adding them to the trust store — developers disable verification instead.
  • Cipher suites that include NULL, RC4, or export-grade encryption — negotiated in downgrade attacks.

Code Examples

✗ Vulnerable 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
✓ Fixed 
// Never disable peer verification; set a trusted CA bundle instead:
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');
Added 15 Mar 2026
Edited 22 Mar 2026
Views 31

Curated in Warsaw under one editorial standard. 1,445 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 1 ping S 0 pings M 0 pings T 0 pings W 2 pings T 0 pings F 2 pings S 0 pings S 0 pings M 1 ping T 0 pings W 0 pings T 1 ping F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 1 ping T 0 pings F 1 ping S
Agents 1
No pings yesterday
Amazonbot 9 Perplexity 7 SEMrush 3 Ahrefs 2 ChatGPT 2 Majestic 1 Google 1
Also referenced
Sensitive Data Exposure 32 Weak Cryptography 29 Man-in-the-Middle Attack (MitM) 29
How they use it
crawler 24 crawler_json 1
Related categories
security 4.3k
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
Set minimum TLS 1.2 in your web server config; disable TLS 1.0/1.1 and weak cipher suites; verify TLS configuration with SSL Labs (ssllabs.com/ssltest)
📦 Applies To
PHP 5.0+ web
🔗 Prerequisites
🔍 Detection Hints
Nginx/Apache config allowing TLS 1.0 or 1.1; weak cipher suites including RC4 DES 3DES; no HSTS header
Auto-detectable: ✓ Yes ssllabs testssl.sh owasp-zap nmap
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: File
CWE-326 CWE-295 CWE-327
✓ schema.org compliant