turbot/net_insights

Control: SSL/TLS servers should support TLS fallback SCSV for preventing protocol downgrade attacks

Description

A Signaling Cipher Suite Value (SCSV) helps prevent protocol downgrade attacks on the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols. A client that retries a handshake with a lower protocol version includes the TLS_FALLBACK_SCSV value in its cipher suite list; a server that supports the SCSV and also supports a higher version than the one the client offered aborts the handshake with an inappropriate_fallback alert instead of accepting the downgraded connection. If enabled, the server therefore ensures that the strongest protocol version that both client and server understand is used. It is recommended that the server support more than one protocol version, excluding SSL v2; a server that supports only a single version gives this control nothing to evaluate, and the control reports an informational result for it instead.
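To make the mechanism above concrete, the following Python simulates the server-side check of RFC 7507 over a few constructed ClientHello/server combinations: a normal handshake, a forced downgrade that the SCSV blocks, the same downgrade succeeding against a server without SCSV support (the case this control raises an alarm for), a genuine fallback to a server whose best version really is the lower one, and the single-version server the control reports as informational. This is an added example, not code from the net_insights mod or from Steampipe; the ClientHello class, the version table and the server policy are simplified assumptions, and only the version comparison of the handshake is modelled.

```python
"""Simulated server-side handling of TLS_FALLBACK_SCSV (RFC 7507).

Added example, not part of the net_insights mod. Only the version check a
server performs when the signalling cipher suite value is present is
modelled; key exchange, certificates and the rest of the handshake are
omitted. Version names and server policies below are constructed inputs.
"""
from dataclasses import dataclass, field

# Protocol versions with their wire values so they can be ordered.
VERSIONS = {
    "SSLv3": 0x0300,
    "TLS1.0": 0x0301,
    "TLS1.1": 0x0302,
    "TLS1.2": 0x0303,
    "TLS1.3": 0x0304,
}

# Cipher suite value {0x56, 0x00} defined by RFC 7507 section 2.
TLS_FALLBACK_SCSV = 0x5600
# A real suite used only as filler in the constructed cipher lists below
# (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).
EXAMPLE_SUITE = 0xC02F


@dataclass
class ClientHello:
    """Simplified ClientHello: highest version offered and cipher suite list."""
    max_version: str
    cipher_suites: list = field(default_factory=list)


def handle_client_hello(hello, server_versions, server_supports_scsv=True):
    """Decide how the server answers a ClientHello.

    Returns ("alert", "inappropriate_fallback") when the SCSV is present and
    the server could have negotiated a higher version than the client offered
    (RFC 7507 section 3), ("alert", "protocol_version") when no common version
    exists, and ("accept", <version>) otherwise.
    """
    server_max = max(server_versions, key=VERSIONS.get)
    if server_supports_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites:
        if VERSIONS[hello.max_version] < VERSIONS[server_max]:
            return ("alert", "inappropriate_fallback")
    common = [v for v in server_versions if VERSIONS[v] <= VERSIONS[hello.max_version]]
    if not common:
        return ("alert", "protocol_version")
    return ("accept", max(common, key=VERSIONS.get))


def run_scenarios():
    """Constructed scenarios; each maps a label to the server's decision."""
    full = ["TLS1.0", "TLS1.1", "TLS1.2"]          # server supports three versions
    retry = ClientHello("TLS1.1", [EXAMPLE_SUITE, TLS_FALLBACK_SCSV])  # client retrying lower
    return {
        # First attempt, no SCSV: best common version is negotiated.
        "normal": handle_client_hello(ClientHello("TLS1.2", [EXAMPLE_SUITE]), full),
        # Forced retry at TLS 1.1 against a server that knows TLS 1.2: blocked.
        "downgrade_blocked": handle_client_hello(retry, full),
        # Same retry against a server lacking SCSV support: downgrade succeeds.
        "downgrade_succeeds_without_scsv": handle_client_hello(
            retry, full, server_supports_scsv=False),
        # Server whose best version really is TLS 1.1: fallback is legitimate.
        "genuine_fallback": handle_client_hello(retry, ["TLS1.0", "TLS1.1"]),
        # Single-version server: nothing to fall back from, SCSV cannot trigger.
        "single_version_server": handle_client_hello(
            ClientHello("TLS1.2", [EXAMPLE_SUITE, TLS_FALLBACK_SCSV]), ["TLS1.2"]),
    }


if __name__ == "__main__":
    for label, decision in run_scenarios().items():
        print(f"{label:32s} -> {decision[0]} {decision[1]}")
```

The third scenario is the condition this control flags: the client's retry signal is ignored and the connection silently completes at the weaker version. The last scenario shows why the control reports 'info' rather than a verdict for single-version servers: with no lower version to fall back to, SCSV support cannot be observed. To probe a live server manually, `openssl s_client` accepts a `-fallback_scsv` option together with a version cap such as `-tls1_1`; a server that supports the SCSV and a higher version answers with an inappropriate fallback alert rather than completing the handshake (the cap must be a version the local OpenSSL build still enables).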

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_use_tls_fallback_scsv

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_use_tls_fallback_scsv --share

Steampipe Tables

net_tls_connection

Params

Args  Name          Default                          Description        Variable
$1    domain_names  ["github.com","microsoft.com"]   DNS domain names.

SQL

with domain_list as (
  select
    domain,
    concat(domain, ':443') as address
  from
    jsonb_array_elements_text(to_jsonb($1::text[])) as domain
),
tls_connections as (
  select
    address,
    version,
    fallback_scsv_supported
  from
    net_tls_connection
  where
    address in (
      select
        address
      from
        domain_list
    )
    and handshake_completed
),
tls_connection_version_count as (
  select
    address,
    version,
    count(*)
  from
    tls_connections
  group by
    address,
    version
)
select
  d.domain as resource,
  case
    when (
      select
        count(*)
      from
        tls_connection_version_count
      where
        address = d.address
    ) < 2 then 'info'
    when (
      select
        count(*)
      from
        tls_connections
      where
        address = d.address
        and fallback_scsv_supported
    ) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (
      select
        count(*)
      from
        tls_connection_version_count
      where
        address = d.address
    ) < 2 then d.domain || ' requires support for at least 2 protocols.'
    when (
      select
        count(*)
      from
        tls_connections
      where
        address = d.address
        and fallback_scsv_supported
    ) > 0 then d.domain || ' supports TLS fallback SCSV.'
    else d.domain || ' doesn''t support TLS fallback SCSV.'
  end as reason
from
  domain_list as d;