turbot/net

steampipe plugin install net

Table: net_tls_connection

Test a TLS connection to the given network address (e.g., steampipe.io:443) by initiating a TLS handshake. This table checks connections for all possible TLS protocol-cipher combinations and returns the combinations for which a TLS connection could be established.

Note: An address of the format domain:port (e.g., steampipe.io:443) must be provided.

You can also provide a protocol version and/or cipher suite to verify specific TLS connection requirements. For example:

select
  *
from
  net_tls_connection
where
  address = 'steampipe.io:443'
  and version = 'TLS v1.3'
  and cipher_suite_name = 'TLS_AES_128_GCM_SHA256';

Notes:

  • SSL protocols (e.g. SSL v3 and SSL v2) are not supported by this table.
  • This table supports a limited set of cipher suites, as defined by the TLS package.
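The kind of probe this table describes, one handshake per protocol-cipher combination, can be sketched with Go's crypto/tls package. This is an added example, not the plugin's own code: Probe, DemoTarget and Result are hypothetical names, the target is a constructed local test server, and only TLS v1.0 to v1.2 are covered.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http/httptest"
)

// Labels use the table's version format; TLS 1.3 is omitted because crypto/tls offers no per-suite choice there.
var versions = map[uint16]string{tls.VersionTLS10: "TLS v1.0", tls.VersionTLS11: "TLS v1.1", tls.VersionTLS12: "TLS v1.2"}

// Result is one protocol/cipher combination for which the handshake completed.
type Result struct {
	Version, CipherSuiteName string
	Insecure                 bool
}

// Probe offers exactly one protocol version and one cipher suite per handshake.
func Probe(addr string, roots *x509.CertPool) (out []Result) {
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		for _, v := range s.SupportedVersions {
			if name := versions[v]; name != "" {
				cfg := &tls.Config{RootCAs: roots, MinVersion: v, MaxVersion: v, CipherSuites: []uint16{s.ID}}
				if conn, err := tls.Dial("tcp", addr, cfg); err == nil {
					conn.Close()
					out = append(out, Result{name, s.Name, s.Insecure})
				}
			}
		}
	}
	return out
}

// DemoTarget starts a constructed local server (TLS 1.2 only, one strong and one weak suite).
func DemoTarget() (addr string, roots *x509.CertPool, stop func()) {
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256}}
	srv.StartTLS()
	roots = x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the server's built-in test certificate
	return srv.Listener.Addr().String(), roots, srv.Close
}

func main() {
	addr, roots, stop := DemoTarget()
	defer stop()
	fmt.Println(Probe(addr, roots))
}
```

The Insecure flag comes from the suite lists in crypto/tls, so a completed handshake with Insecure set corresponds to a row returned by the insecure cipher suite query in the examples.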

Examples

List all supported protocols and cipher suites for which a TLS connection could be established

select
  address,
  version,
  cipher_suite_name,
  handshake_completed
from
  net_tls_connection
where
  address = 'steampipe.io:443'
  and handshake_completed;

Check TLS handshake with a certain protocol and cipher suite

select
  address,
  version,
  cipher_suite_name,
  handshake_completed
from
  net_tls_connection
where
  address = 'steampipe.io:443'
  and version = 'TLS v1.3'
  and cipher_suite_name = 'TLS_AES_128_GCM_SHA256';

Check if a server allows connections with an insecure cipher suite

select
  address,
  version,
  cipher_suite_name,
  handshake_completed
from
  net_tls_connection
where
  address = 'steampipe.io:443'
  and cipher_suite_name in (
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',
    'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
    'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
  )
  and handshake_completed;

.inspect net_tls_connection

Check server TLS connectivity to an address.

| Name | Type | Description |
|------|------|-------------|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. |
| address | text | Address to connect to, as specified in https://golang.org/pkg/net/#Dial. |
| alpn_supported | boolean | True if the ALPN is supported. |
| cipher_suite_id | text | The ID of the cipher suite. |
| cipher_suite_name | text | The cipher suite negotiated for the connection. |
| error | text | Error message if the connection failed. |
| fallback_scsv_supported | boolean | True if the TLS fallback SCSV is enabled to prevent protocol downgrade attacks. |
| handshake_completed | boolean | True if the handshake was successful. |
| local_address | text | Local address (ip:port) for the successful connection. |
| remote_address | text | Remote address (ip:port) for the successful connection. |
| server_name | text | The server name indication extension sent by the client. |
| version | text | The TLS version used by the connection. |