Dashboard: SSL/TLS Server Configuration Report
This report provides a brief overview of the configuration of any SSL/TLS web server.
This report answers the following questions:
- What protocols and cipher suites does the server support?
- Does the server support any insecure cipher suites, e.g., RC4, CBC?
- Does the server support TLS fallback SCSV for preventing protocol downgrade attacks?
This dashboard contains 3 cards, 1 input and 2 tables.
Usage
Install the mod:
    mkdir dashboards
    cd dashboards
    powerpipe mod init
    powerpipe mod install github.com/turbot/steampipe-mod-net-insights
Start the Powerpipe server:
    steampipe service start
    powerpipe server
Open http://localhost:9033 in your browser and select the SSL/TLS Server Configuration Report dashboard.
You can also snapshot and share results via Turbot Pipes:
    powerpipe login
    powerpipe dashboard run net_insights.dashboard.ssl_configuration_report --share
Queries
This dashboard uses the following queries:
    with domain_list as (
      select
        $1 as domain,
        $1 || ':443' as address
    ),
    cbc_cipher_count as (
      select
        address,
        count(address) as cipher_count
      from
        net_tls_connection
      where
        address in (select address from domain_list)
        and cipher_suite_name in (
          'TLS_RSA_WITH_AES_128_CBC_SHA',
          'TLS_RSA_WITH_AES_256_CBC_SHA',
          'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
          'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
          'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
          'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
          'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
          'TLS_RSA_WITH_AES_128_CBC_SHA256',
          'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
          'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
          'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
        )
        and handshake_completed
      group by
        address
    )
    select
      'CBC Cipher Suites' as label,
      case when i.cipher_count is null then 0 else i.cipher_count end as value,
      case
        when i.cipher_count is null then 'ok'
        when i.cipher_count < 1 then 'ok'
        else 'alert'
      end as type
    from
      domain_list as d
      left join cbc_cipher_count as i on d.address = i.address
{ "$1": "domain_input"}
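The card logic above can be reproduced offline to check what a scan result should yield. The following is an added example, not code from the mod: it builds the same label/value/type card from rows shaped like the three net_tls_connection columns the query reads, and goes beyond the query's fixed list by classifying suites by name so RC4 is covered too. The hostnames, the sample rows and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows: (address, cipher_suite_name, handshake_completed),
# mirroring the columns the dashboard query reads from net_tls_connection.
SAMPLE_ROWS = [
    ("legacy.example:443", "TLS_RSA_WITH_AES_128_CBC_SHA", True),
    ("legacy.example:443", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", True),
    ("legacy.example:443", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", False),  # server refused it
    ("legacy.example:443", "TLS_RSA_WITH_RC4_128_SHA", True),
    ("legacy.example:443", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    ("modern.example:443", "TLS_AES_128_GCM_SHA256", True),
    ("modern.example:443", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", True),
]

# Assumption of this example: the mode is read from the suite name instead of
# being matched against a fixed list, so unlisted CBC suites are caught as well.
WEAK_MARKERS = {"CBC": "_CBC_", "RC4": "_RC4_"}


def weak_suites(rows, domain):
    """Return {mode: set of suite names} that the server actually negotiated."""
    address = f"{domain}:443"  # same address form as the query's domain_list CTE
    found = defaultdict(set)
    for addr, suite, completed in rows:
        if addr != address or not completed:
            continue  # only completed handshakes count, as in the query
        for mode, marker in WEAK_MARKERS.items():
            if marker in suite:
                found[mode].add(suite)
    return found


def cards(rows, domain):
    """Build one card per weak mode; no matching rows gives 0/'ok' (the left-join case)."""
    found = weak_suites(rows, domain)
    return [
        {
            "label": f"{mode} Cipher Suites",
            "value": len(found[mode]),
            "type": "alert" if found[mode] else "ok",
        }
        for mode in WEAK_MARKERS
    ]


if __name__ == "__main__":
    for host in ("legacy.example", "modern.example", "unscanned.example"):
        print(host, cards(SAMPLE_ROWS, host))
```
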