cwe-295-insecure-tls-trust-manager - SKILL.md Agent Skill

name: cwe-295-insecure-tls-trust-manager description: Use this skill when you need to remediate CWE-295 (Insecure TLS/SSL Configuration) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing insecure tls/ssl configuration issues. version: 1.0.0 license: MIT tags:

security
java
cwe-295
remediation
sast

CWE-295 Insecure TLS/SSL Configuration

Description

Insecure TLS/SSL Configuration

Reference: https://cwe.mitre.org/data/definitions/295.html

OWASP Category: A02:2021 – Cryptographic Failures

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: TrustManager that accepts ALL certificates
TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] certs, String authType) {}
        public void checkServerTrusted(X509Certificate[] certs, String authType) {}  // EMPTY!
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }
};
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, trustAllCerts, new SecureRandom());

// VULNERABLE: HostnameVerifier that accepts all
HostnameVerifier allHostsValid = (hostname, session) -> true;  // DANGEROUS!

Why it's vulnerable: This pattern is vulnerable to Insecure TLS/SSL Configuration

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Use default system trust store
SSLContext sc = SSLContext.getDefault();

// Or create with default TrustManager
SSLContext sc = SSLContext.getInstance("TLSv1.3");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
    TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);  // Uses default system trust store
sc.init(null, tmf.getTrustManagers(), new SecureRandom());

// SECURE: Use default hostname verifier
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());

// If custom trust store needed, load it properly
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream("truststore.jks"), "password".toCharArray());
tmf.init(trustStore);

Why it's secure: Implements proper protection against Insecure TLS/SSL Configuration

Detection Pattern

Look for these patterns in your codebase:

# Find custom TrustManagers
grep -rn "X509TrustManager\\|checkServerTrusted" --include="*.java"

# Find HostnameVerifier overrides
grep -rn "HostnameVerifier.*->.*true" --include="*.java"

Remediation Steps

Remove custom TrustManagers with empty check methods
Use SSLContext.getDefault() for standard TLS
Use TLSv1.2 or TLSv1.3 (never SSLv3 or TLSv1.0)
Keep default HostnameVerifier

Key Imports


import javax.net.ssl.SSLContext;

import javax.net.ssl.TrustManagerFactory;

Verification

After remediation:

Run SAST scanner to confirm vulnerability is resolved
Review all instances of the vulnerable pattern
Add unit tests that verify the secure implementation
Check for similar patterns in related code

Trigger Examples

Fix CWE-295 vulnerability
Resolve Insecure TLS/SSL Configuration issue
Secure this Java code against insecure tls/ssl configuration
SAST reports CWE-295

Common Vulnerable Locations

Layer	Files	Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

References

CWE-295: Improper Certificate Validation

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07