turbot/net_insights
Loading controls...

Control: Ensure SSL/TLS servers uses perfect forward secrecy (PFS)

Description

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_use_perfect_forward_secrecy

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_use_perfect_forward_secrecy --share

Steampipe Tables

Params

ArgsNameDefaultDescriptionVariable
$1domain_names
["github.com","microsoft.com"]
DNS domain names.

SQL

with domain_list as (
select
domain,
concat(domain, ':443') as address
from
jsonb_array_elements_text(to_jsonb($1 :: text [ ])) as domain
),
check_pfs_cipher as (
select
address,
count(*)
from
net_tls_connection
where
address in (
select
address
from
domain_list
)
and cipher_suite_name in (
'TLS_AES_128_GCM_SHA256',
'TLS_AES_256_GCM_SHA384',
'TLS_CHACHA20_POLY1305_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)
and handshake_completed
group by
address
)
select
d.domain as resource,
case
when i.address is not null
and i.count > 1 then 'ok'
else 'alarm'
end as status,
case
when i.address is not null
and i.count > 1 then d.domain || ' cipher suites provide forward secrecy.'
else d.domain || ' cipher suites do not provide forward secrecy.'
end as reason
from
domain_list as d
left join check_pfs_cipher as i on d.address = i.address;