Mods

turbot/net_insights

GitHub
Overview
7Dashboards
53Controls
26Queries
2Variables
GitHub
Loading controls...
On This Page
Description
Usage
Plugins & Tables
Params
SQL
Get Involved
Edit on GitHub
Discuss on Slack

Control: SSL/TLS servers should avoid using insecure protocols

Description

There are six protocols in the SSL/TLS family: SSL v2, SSL v3, TLS v1.0, TLS v1.1, TLS v1.2, and TLS v1.3. It is recommended to use secure protocols (i.e. TLS v1.2 or TLS v1.3), since these versions offers modern authenticated encryption, improved latency and don't have obsolete features like cipher suites. TLS v1.0 and TLS v1.1 are legacy protocol and shouldn't be used.

Usage

Run the control in your terminal:

steampipe check net_insights.control.ssl_use_secure_protocol

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share net_insights.control.ssl_use_secure_protocol

Plugins & Tables

net_tls_connection
Net plugin

Params

ArgsNameDefaultDescriptionVariable
$1domain_names
["github.com","microsoft.com"]
DNS domain names.

SQL

with domain_list as (
  select
    domain,
    concat(domain, ':443') as address
  from
    jsonb_array_elements_text(to_jsonb($1 :: text [ ])) as domain
),
check_insecure_protocol as (
  select
    address,
    count(*)
  from
    net_tls_connection
  where
    address in (
      select
        address
      from
        domain_list
    )
    and version in ('TLS v1.0', 'TLS v1.1')
    and handshake_completed
  group by
    address
)
select
  d.domain as resource,
  case
    when i.address is null
    or i.count < 1 then 'ok'
    else 'alarm'
  end as status,
  case
    when i.address is null
    or i.count < 1 then d.domain || ' doesn''t support insecure protocols.'
    else d.domain || ' supports insecure protocols.'
  end as reason
from
  domain_list as d
  left join check_insecure_protocol as i on d.address = i.address;