turbot/net_insights

Control: SSL/TLS servers should avoid using insecure protocols

Description

There are six protocols in the SSL/TLS family: SSL v2, SSL v3, TLS v1.0, TLS v1.1, TLS v1.2, and TLS v1.3. It is recommended to use only the secure protocols (i.e. TLS v1.2 or TLS v1.3), since these versions offer modern authenticated encryption and improved latency, and drop obsolete features such as outdated cipher suites. TLS v1.0 and TLS v1.1 are legacy protocols and shouldn't be used.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_use_secure_protocol

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_use_secure_protocol --share

Steampipe Tables

Params

Args | Name | Default | Description | Variable
$1 | domain_names | ["github.com","microsoft.com"] | DNS domain names. |

SQL

-- Build the host:port address that net_tls_connection is queried with.
with domain_list as (
  select
    domain,
    concat(domain, ':443') as address
  from
    jsonb_array_elements_text(to_jsonb($1::text[])) as domain
),
-- Count completed handshakes that negotiated a legacy protocol version.
check_insecure_protocol as (
  select
    address,
    count(*)
  from
    net_tls_connection
  where
    address in (
      select
        address
      from
        domain_list
    )
    and version in ('TLS v1.0', 'TLS v1.1')
    and handshake_completed
  group by
    address
)
-- Left join so that domains with no legacy handshake still produce an 'ok' row.
select
  d.domain as resource,
  case
    when i.address is null
    or i.count < 1 then 'ok'
    else 'alarm'
  end as status,
  case
    when i.address is null
    or i.count < 1 then d.domain || ' doesn''t support insecure protocols.'
    else d.domain || ' supports insecure protocols.'
  end as reason
from
  domain_list as d
  left join check_insecure_protocol as i on d.address = i.address;
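
An independent cross-check of the control's verdict, added here as an example and not part of the mod: it pins a client handshake to each version in the query's `version in ('TLS v1.0', 'TLS v1.1')` filter, and goes slightly further than the control by naming the accepted versions in the reason. The function names, the `probe` parameter and the OpenSSL security-level setting are assumptions of this example.

```python
import socket
import ssl

# Legacy versions the control alarms on, keyed by the labels used in its SQL.
LEGACY = {"TLS v1.0": ssl.TLSVersion.TLSv1, "TLS v1.1": ssl.TLSVersion.TLSv1_1}


def handshake_completed(address, version, timeout=5.0):
    """True if address ("host:port") completes a handshake pinned to version."""
    host, _, port = address.rpartition(":")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol version is under test, so skip certificate validation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Many OpenSSL builds will not offer TLS 1.0/1.1 at the default security
    # level; without this the probe fails locally and reads as a clean "ok".
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    # If the local build rejects the version this raises; let it propagate
    # rather than report the server as refusing the protocol.
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, int(port)), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # refused, timed out, or TLS alert (ssl.SSLError is an OSError)
        return False


def evaluate(domains, probe=handshake_completed):
    """Return one (resource, status, reason) row per domain, like the control."""
    rows = []
    for domain in domains:
        address = f"{domain}:443"
        accepted = [label for label, ver in LEGACY.items() if probe(address, ver)]
        if accepted:
            reason = f"{domain} supports insecure protocols ({', '.join(accepted)})."
            rows.append((domain, "alarm", reason))
        else:
            rows.append((domain, "ok", f"{domain} doesn't support insecure protocols."))
    return rows


if __name__ == "__main__":
    import sys
    for row in evaluate(sys.argv[1:] or ["github.com", "microsoft.com"]):
        print(" | ".join(row))
```

As in the control, a domain that cannot be reached at all is reported as `ok`, because only completed handshakes count towards an alarm.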