turbot/steampipe-mod-net-insights

Control: SSL/TLS servers should use strong key exchange mechanism (e.g., ECDHE)

Description

Key exchange is the step of the TLS handshake in which both parties agree on a single cipher suite and derive the session keys (symmetric keys) that encrypt and decrypt the data for the rest of the connection. It is recommended to use a strong key exchange mechanism such as ephemeral elliptic-curve Diffie-Hellman (ECDHE): each connection gets fresh key-exchange material, so a later compromise of the server's long-term private key does not expose previously captured traffic (forward secrecy). Static RSA key exchange, in which the client encrypts the pre-master secret to the server's long-term key, offers no such protection, and TLS 1.3 removed static RSA and static DH key exchange entirely. This control reports ok when the server completes a TLS 1.3 handshake or a TLS 1.2 handshake with one of the listed ECDHE cipher suites; it does not alarm on a server that also accepts non-ECDHE suites.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_use_strong_key_exchange

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_use_strong_key_exchange --share

Steampipe Tables

net_tls_connection

SQL

with domain_list as (
  -- Expand the domain_names argument ($1) into host:443 addresses to probe
  select domain, concat(domain, ':443') as address
  from jsonb_array_elements_text(to_jsonb($1::text[])) as domain
),
all_ecdhe_ciphers as (
  -- Completed TLS 1.2/1.3 handshakes whose suite is on the approved list.
  -- The TLS 1.3 suites carry no key-exchange name because 1.3 always uses (EC)DHE.
  select
    address,
    version,
    cipher_suite_name
  from
    net_tls_connection
  where
    address in (select address from domain_list)
    and version in ('TLS v1.3', 'TLS v1.2')
    and cipher_suite_name in (
      'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
      'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
      'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
      'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
      'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
      'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
      'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256',
      'TLS_AES_128_GCM_SHA256',
      'TLS_AES_256_GCM_SHA384',
      'TLS_CHACHA20_POLY1305_SHA256'
    )
    and handshake_completed
)
select
  d.domain as resource,
  case
    -- a single completed handshake from the list is enough for ok
    when (select count(*) from all_ecdhe_ciphers where address = d.address and version = 'TLS v1.3') > 0 then 'ok'
    when (select count(*) from all_ecdhe_ciphers where address = d.address and version = 'TLS v1.2') > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when
      (select count(*) from all_ecdhe_ciphers where address = d.address and version = 'TLS v1.3') > 0
      -- the second '_'-separated token of a TLS 1.2 suite name is its key exchange (TLS_ECDHE_RSA_WITH_...)
      or (select count(*) from all_ecdhe_ciphers where address = d.address and version = 'TLS v1.2' and split_part(cipher_suite_name, '_', 2) = 'ECDHE') > 0
    then d.domain || ' uses strong key exchange mechanism.'
    else d.domain || ' does not use strong key exchange mechanism.'
  end as reason
from
  domain_list as d;
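The query above passes a host as soon as one handshake from its fixed suite list completes, so a server that also accepts static RSA key exchange in TLS 1.2 (no forward secrecy) still reports ok, and an ECDHE suite that is missing from the list is not counted. The following stricter variant is an added example, not part of the mod: it keeps the same $1 argument convention and the same net_tls_connection columns (address, version, cipher_suite_name, handshake_completed), classifies every completed TLS 1.2/1.3 handshake by key exchange using the suite-name prefix rather than a fixed list, and alarms when any non-ECDHE TLS 1.2 handshake succeeds. Older protocol versions are left out of scope, as in the original query.

```sql
-- Added example (not the mod's own control): alarm when the server completes
-- any TLS 1.2 handshake whose key exchange is not ECDHE, and list those suites.
with domain_list as (
  select domain, concat(domain, ':443') as address
  from jsonb_array_elements_text(to_jsonb($1::text[])) as domain
),
completed as (
  -- every TLS 1.2/1.3 handshake the server actually accepted, classified by key exchange
  select
    address,
    version,
    cipher_suite_name,
    case
      -- TLS 1.3 suites name only the AEAD; the key exchange is always (EC)DHE
      when version = 'TLS v1.3' then true
      -- TLS 1.2 names carry the key exchange as the second token:
      -- TLS_ECDHE_RSA_WITH_... is ephemeral, TLS_RSA_WITH_... is static RSA
      when version = 'TLS v1.2' and split_part(cipher_suite_name, '_', 2) = 'ECDHE' then true
      else false
    end as strong_kex
  from
    net_tls_connection
  where
    address in (select address from domain_list)
    and version in ('TLS v1.3', 'TLS v1.2')
    and handshake_completed
),
summary as (
  select
    address,
    count(*) filter (where strong_kex) as strong_count,
    count(*) filter (where not strong_kex) as weak_count,
    string_agg(version || ' ' || cipher_suite_name, ', ' order by version, cipher_suite_name)
      filter (where not strong_kex) as weak_suites
  from completed
  group by address
)
select
  d.domain as resource,
  case
    -- ok only when ECDHE/TLS 1.3 works AND nothing weaker was accepted
    when s.strong_count > 0 and coalesce(s.weak_count, 0) = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when s.strong_count > 0 and coalesce(s.weak_count, 0) = 0
      then d.domain || ' negotiates only ECDHE (or TLS 1.3) key exchange.'
    when coalesce(s.weak_count, 0) > 0
      then d.domain || ' also accepts non-ECDHE key exchange: ' || s.weak_suites
    -- no summary row at all: no TLS 1.2/1.3 handshake completed
    else d.domain || ' completed no TLS 1.2 or TLS 1.3 handshake with ECDHE.'
  end as reason
from
  domain_list as d
  left join summary as s on s.address = d.address;
```

The left join keeps hosts that completed no handshake at all, which surface as alarm with the last reason text rather than disappearing from the results. Finite-field DHE suites (TLS_DHE_RSA_WITH_...) are deliberately counted as weak here, matching the original control's ECDHE-only definition of strong.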

Params

Args  Name          Default                          Description        Variable
$1    domain_names  ["github.com","microsoft.com"]   DNS domain names.