Control: Ensure SSL/TLS servers use perfect forward secrecy (PFS)
Description
In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.
Usage
Run the control in your terminal:
powerpipe control run net_insights.control.ssl_use_perfect_forward_secrecy
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run net_insights.control.ssl_use_perfect_forward_secrecy --share
Steampipe Tables
net_tls_connection
SQL
```sql
with domain_list as (
  select domain, concat(domain, ':443') as address from jsonb_array_elements_text(to_jsonb($1::text[])) as domain
),
check_pfs_cipher as (
  select
    address,
    count(*)
  from
    net_tls_connection
  where
    address in (select address from domain_list)
    and cipher_suite_name in (
      'TLS_AES_128_GCM_SHA256',
      'TLS_AES_256_GCM_SHA384',
      'TLS_CHACHA20_POLY1305_SHA256',
      'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
      'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
      'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
      'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
      'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
      'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
    )
    and handshake_completed
  group by address
)
select
  d.domain as resource,
  case
    when i.address is not null and i.count > 1 then 'ok'
    else 'alarm'
  end as status,
  case
    when i.address is not null and i.count > 1 then d.domain || ' cipher suites provide forward secrecy.'
    else d.domain || ' cipher suites do not provide forward secrecy.'
  end as reason
from
  domain_list as d
  left join check_pfs_cipher as i on d.address = i.address;
```
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | domain_names |  | DNS domain names. |  |
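To make the control's decision rule explicit, here is an added Python re-implementation of the query's logic over constructed rows shaped like `net_tls_connection` (this is example code, not part of the net_insights mod). It keeps the same threshold as the SQL (more than one completed handshake with a forward-secret suite gives `ok`, anything else gives `alarm`) but, rather than an explicit allow-list, classifies suites by key exchange, which also covers `TLS_DHE_*` suites the page's list omits; the sample domains and rows are constructed, not real scan data.

```python
"""Evaluate the forward-secrecy control over constructed net_tls_connection rows."""
from collections import Counter

# TLS 1.3 suites always negotiate an ephemeral (EC)DHE exchange; TLS 1.2 suites
# provide forward secrecy only when the key exchange is ECDHE or DHE.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")
TLS12_PFS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")


def is_pfs_suite(name):
    """True when the IANA cipher suite name implies an ephemeral key exchange."""
    return name.startswith(TLS13_PREFIXES) or name.startswith(TLS12_PFS_PREFIXES)


def evaluate_control(domains, rows):
    """Mirror the SQL: count completed handshakes per address that used a PFS
    suite; 'ok' only when the count exceeds 1. A domain with no rows behaves
    like the NULL side of the left join and is reported as 'alarm'."""
    counts = Counter(
        r["address"] for r in rows
        if r["handshake_completed"] and is_pfs_suite(r["cipher_suite_name"])
    )
    results = []
    for d in domains:
        ok = counts.get(f"{d}:443", 0) > 1
        results.append({
            "resource": d,
            "status": "ok" if ok else "alarm",
            "reason": f"{d} cipher suites {'provide' if ok else 'do not provide'} forward secrecy.",
        })
    return results


# Constructed sample rows (not real scan output) in the shape of net_tls_connection.
SAMPLE_ROWS = [
    {"address": "good.example.com:443", "cipher_suite_name": "TLS_AES_256_GCM_SHA384", "handshake_completed": True},
    {"address": "good.example.com:443", "cipher_suite_name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "handshake_completed": True},
    {"address": "good.example.com:443", "cipher_suite_name": "TLS_RSA_WITH_AES_128_GCM_SHA256", "handshake_completed": True},
    {"address": "legacy.example.com:443", "cipher_suite_name": "TLS_RSA_WITH_AES_256_CBC_SHA", "handshake_completed": True},
    {"address": "single.example.com:443", "cipher_suite_name": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "handshake_completed": True},
    {"address": "single.example.com:443", "cipher_suite_name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "handshake_completed": False},
]
SAMPLE_DOMAINS = ["good.example.com", "legacy.example.com", "single.example.com", "unscanned.example.com"]

if __name__ == "__main__":
    for r in evaluate_control(SAMPLE_DOMAINS, SAMPLE_ROWS):
        print(r["status"], r["reason"])
```

Note that `single.example.com` is reported as `alarm` even though its one completed handshake used an ECDHE suite, because the control requires more than one such row; an incomplete handshake is never counted.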