Benchmark: SSL/TLS Server Configuration Best Practices
Overview
SSL/TLS is the backbone of a secure internet: it protects sensitive information by establishing authenticated and encrypted links between networked computers. It is therefore worth the extra effort to configure your SSL/TLS server so that it provides the necessary protection against the many SSL/TLS-related attacks.
This benchmark performs various standard checks on your server configuration, for example:
- Do my certificates have a complete chain of trusted certificates?
- Are my servers using insecure cipher suites or protocols?
- Are perfect forward secrecy and TLS fallback SCSV enabled on my servers?
- Do my certificates use RSA keys or ECDSA keys that are too large?
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-net-insights
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select SSL/TLS Server Configuration Best Practices.
Run this benchmark in your terminal:
powerpipe benchmark run net_insights.benchmark.ssl_configuration_best_practices
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run net_insights.benchmark.ssl_configuration_best_practices --share
Controls
- Certificates should have a complete chain of trusted certificates
- SSL/TLS servers should avoid using insecure protocols
- SSL/TLS servers should use secure cipher suites
- Ensure SSL/TLS servers use perfect forward secrecy (PFS)
- SSL/TLS servers should use a strong key exchange mechanism (e.g., ECDHE)
- SSL/TLS servers should support TLS fallback SCSV for preventing protocol downgrade attacks
- SSL/TLS servers should avoid using RC4 cipher suites
- SSL/TLS servers should avoid using CBC cipher suites
- Avoid implementing too much security for certificates
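The following is an added example, not code from the steampipe-mod-net-insights mod, showing how the controls listed above translate into concrete checks over a server's scan results. The scan results (hosts, offered protocols, cipher suite names, key sizes) are constructed by hand so the script runs offline; the thresholds for "too large" keys and the list of insecure protocols are assumptions, not the mod's own values. The PFS and strong-key-exchange controls are covered by one check, which flags any suite without an ephemeral (ECDHE/DHE or TLS 1.3) key exchange.

```python
"""Evaluate TLS server scan results against the benchmark's control categories.

Added example; not part of the turbot/steampipe-mod-net-insights mod.
Cipher suite names follow OpenSSL conventions (e.g. "ECDHE-RSA-AES128-GCM-SHA256")
and TLS 1.3 names ("TLS_AES_256_GCM_SHA384").
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed policy values (not taken from the mod's queries).
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
AEAD_TOKENS = ("GCM", "CHACHA20", "CCM")          # AEAD suites are not CBC
BLOCK_CIPHER_TOKENS = ("AES", "DES", "CAMELLIA", "SEED")
MAX_KEY_BITS = {"RSA": 2048, "EC": 256}           # larger keys flagged as "too much security"


@dataclass
class ScanResult:
    """Constructed scan output for one host; in practice this comes from a scanner."""
    host: str
    protocols: set[str]
    cipher_suites: list[str]
    chain_complete: bool
    fallback_scsv: bool
    key_type: str        # "RSA" or "EC"
    key_bits: int


def is_rc4(suite: str) -> bool:
    return "RC4" in suite.upper()


def is_cbc(suite: str) -> bool:
    """A block-cipher suite without an AEAD mode is a CBC suite."""
    s = suite.upper()
    if any(t in s for t in AEAD_TOKENS):
        return False
    return any(t in s for t in BLOCK_CIPHER_TOKENS)


def has_pfs(suite: str) -> bool:
    """Ephemeral key exchange: ECDHE-/DHE- prefixed suites, or any TLS 1.3 suite."""
    return suite.upper().startswith(("ECDHE-", "DHE-", "TLS_"))


def evaluate(result: ScanResult) -> dict[str, list[str]]:
    """Return a mapping of failed control -> offending items; empty dict means all pass."""
    findings: dict[str, list[str]] = {}
    if not result.chain_complete:
        findings["certificate_chain"] = ["chain is incomplete"]
    bad_protocols = sorted(result.protocols & INSECURE_PROTOCOLS)
    if bad_protocols:
        findings["insecure_protocols"] = bad_protocols
    rc4 = [s for s in result.cipher_suites if is_rc4(s)]
    if rc4:
        findings["rc4_cipher_suites"] = rc4
    cbc = [s for s in result.cipher_suites if is_cbc(s)]
    if cbc:
        findings["cbc_cipher_suites"] = cbc
    no_pfs = [s for s in result.cipher_suites if not has_pfs(s)]
    if no_pfs:
        findings["no_forward_secrecy"] = no_pfs
    # Fallback SCSV only matters when a client could be pushed to an older version.
    if len(result.protocols) > 1 and not result.fallback_scsv:
        findings["fallback_scsv"] = ["TLS_FALLBACK_SCSV not supported"]
    limit = MAX_KEY_BITS.get(result.key_type)
    if limit is not None and result.key_bits > limit:
        findings["oversized_key"] = [f"{result.key_type} {result.key_bits} bits exceeds {limit}"]
    return findings


# Constructed sample hosts (names and values are made up for this example).
LEGACY = ScanResult(
    host="legacy.example.test",
    protocols={"TLSv1.0", "TLSv1.2"},
    cipher_suites=["AES128-SHA", "RC4-SHA",
                   "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384"],
    chain_complete=False, fallback_scsv=False, key_type="RSA", key_bits=4096,
)
MODERN = ScanResult(
    host="modern.example.test",
    protocols={"TLSv1.2", "TLSv1.3"},
    cipher_suites=["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                   "ECDHE-ECDSA-AES128-GCM-SHA256"],
    chain_complete=True, fallback_scsv=True, key_type="EC", key_bits=256,
)

if __name__ == "__main__":
    for scan in (LEGACY, MODERN):
        report = evaluate(scan)
        status = "PASS" if not report else "FAIL"
        print(f"{scan.host}: {status}")
        for control, items in report.items():
            print(f"  {control}: {', '.join(items)}")
```

Running the script reports every failed control for the legacy host and a clean pass for the modern one. The CBC check deliberately classifies by cipher suite name rather than by a fixed list, so it also catches ECDHE suites that use AES-CBC with an HMAC (for example ECDHE-RSA-AES256-SHA384), which satisfy the PFS control but still fail the CBC control.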