turbot/net_insights

Control: SSL/TLS servers should support TLS fallback SCSV for preventing protocol downgrade attacks

Description

The TLS Fallback Signaling Cipher Suite Value (SCSV) helps prevent protocol downgrade attacks on the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols. A client that has to retry a handshake at a lower protocol version signals the retry with the SCSV; a server that supports the SCSV refuses such a connection whenever it could have negotiated a higher version, so the strongest protocol that both client and server understand is used. It is recommended that the server support more than one protocol version, excluding SSL v2.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_use_tls_fallback_scsv

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_use_tls_fallback_scsv --share

Steampipe Tables

net_tls_connection

Params

| Args | Name | Default | Description | Variable |
|------|------|---------|-------------|----------|
| $1 | domain_names | ["github.com","microsoft.com"] | DNS domain names. | |

SQL

with domain_list as (
  select
    domain,
    concat(domain, ':443') as address
  from
    jsonb_array_elements_text(to_jsonb($1::text[])) as domain
),
tls_connections as (
  select
    address,
    version,
    fallback_scsv_supported
  from
    net_tls_connection
  where
    address in (select address from domain_list)
    and handshake_completed
),
tls_connection_version_count as (
  select
    address,
    version,
    count(*)
  from
    tls_connections
  group by
    address,
    version
)
select
  d.domain as resource,
  case
    when (select count(*) from tls_connection_version_count where address = d.address) < 2 then 'info'
    when (select count(*) from tls_connections where address = d.address and fallback_scsv_supported) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (select count(*) from tls_connection_version_count where address = d.address) < 2 then d.domain || ' requires support for at least 2 protocols.'
    when (select count(*) from tls_connections where address = d.address and fallback_scsv_supported) > 0 then d.domain || ' supports TLS fallback SCSV.'
    else d.domain || ' doesn''t support TLS fallback SCSV.'
  end as reason
from
  domain_list as d;
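The mechanism the control probes for, as an added illustration that is not part of turbot/net_insights or Steampipe: a minimal offline simulation of RFC 7507 server-side handling of TLS_FALLBACK_SCSV, together with the same three-way verdict (info / ok / alarm) the SQL above derives. The SCSV and alert codes are the RFC values; the cipher suite used for the probe and the probe strategy itself are assumptions of the example.

```python
"""Simulation of the RFC 7507 TLS_FALLBACK_SCSV check this control probes for.
Added example, not part of turbot/net_insights; no network access is made."""
from dataclasses import dataclass

# Wire values defined by RFC 7507 and RFC 5246.
TLS_FALLBACK_SCSV = 0x5600              # cipher suite {0x56, 0x00}
ALERT_INAPPROPRIATE_FALLBACK = 86       # server refuses a signalled downgrade
ALERT_PROTOCOL_VERSION = 70             # no protocol version in common at all
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
ECDHE_RSA_AES128_GCM_SHA256 = 0xC02F    # ordinary suite for the probe (assumed for the example)

@dataclass
class ClientHello:
    client_version: int     # highest version the client offers in this attempt
    cipher_suites: list[int]

def fallback_hello(version: int, suites: list[int]) -> ClientHello:
    """A compliant client retrying at a lower version appends the SCSV to its suites."""
    return ClientHello(version, suites + [TLS_FALLBACK_SCSV])

def server_accept(hello: ClientHello, server_versions: set[int],
                  enforce_scsv: bool) -> tuple[str, int]:
    """Return ('ok', negotiated_version) or ('alert', alert_code).

    A server without RFC 7507 support treats the SCSV as just another unknown
    cipher suite and silently negotiates the downgraded version."""
    highest = max(server_versions)
    if enforce_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites \
            and hello.client_version < highest:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    candidates = [v for v in server_versions if v <= hello.client_version]
    if not candidates:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("ok", max(candidates))

def control_status(server_versions: set[int], enforce_scsv: bool) -> str:
    """Mirror the control's verdict: fewer than two versions -> info,
    SCSV honoured on a signalled fallback -> ok, otherwise alarm."""
    if len(server_versions) < 2:
        return "info"
    probe = fallback_hello(min(server_versions), [ECDHE_RSA_AES128_GCM_SHA256])
    outcome, code = server_accept(probe, server_versions, enforce_scsv)
    return "ok" if (outcome, code) == ("alert", ALERT_INAPPROPRIATE_FALLBACK) else "alarm"

if __name__ == "__main__":
    legacy = {TLS10, TLS11, TLS12}
    print(server_accept(fallback_hello(TLS11, [ECDHE_RSA_AES128_GCM_SHA256]), legacy, True))
    print(control_status(legacy, True), control_status(legacy, False))
```

A server that supports only one version never sees a downgrade it could refuse, which is why both the SQL and this simulation report it as 'info' rather than 'ok' or 'alarm'.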