Control: SSL/TLS servers should support TLS fallback SCSV for preventing protocol downgrade attacks

Usage

Run the control in your terminal:

steampipe check net_insights.control.ssl_use_tls_fallback_scsv

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share net_insights.control.ssl_use_tls_fallback_scsv

net_tls_connection

Params

["github.com","microsoft.com"]

SQL

with domain_list as (
  select
    domain,
    concat(domain, ':443') as address
  from
    jsonb_array_elements_text(to_jsonb($1 :: text [ ])) as domain
),
tls_connections as (
  select
    address,
    version,
    fallback_scsv_supported
  from
    net_tls_connection
  where
    address in (
      select
        address
      from
        domain_list
    )
    and handshake_completed
),
tls_connection_version_count as (
  select
    address,
    version,
    count(*)
  from
    tls_connections
  group by
    address,
    version
)
select
  d.domain as resource,
  case
    when (
      select
        count(*)
      from
        tls_connection_version_count
      where
        address = d.address
    ) < 2 then 'info'
    when (
      select
        count(*)
      from
        tls_connections
      where
        address = d.address
        and fallback_scsv_supported
    ) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (
      select
        count(*)
      from
        tls_connection_version_count
      where
        address = d.address
    ) < 2 then d.domain || ' requires support for at least 2 protocols.'
    when (
      select
        count(*)
      from
        tls_connections
      where
        address = d.address
        and fallback_scsv_supported
    ) > 0 then d.domain || ' supports TLS fallback SCSV.'
    else d.domain || ' doesn''t support TLS fallback SCSV.'
  end as reason
from
  domain_list as d;