Check your Elastic Load Balancers' Secure Sockets Layer (SSL) negotiation configuration for the insecure / deprecated SSLv2, SSLv3, and TLSv1 protocols.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using insecure and deprecated protocols in your ELB Predefined Security Policy or Custom Security Policy could make the connection between the client and the load balancer vulnerable to exploits such as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption), which targets a specific weakness in the OpenSSL implementation of the SSLv2 protocol, and POODLE (Padding Oracle On Downgraded Legacy Encryption).
The POODLE vulnerability allows an attacker to read information encrypted with the SSLv3 protocol in plain text, using a man-in-the-middle attack. If your existing ELB SSL negotiation configuration uses Protocol-SSLv2 and/or Protocol-SSLv3 and/or Protocol-TLSv1 (the PCI council requires TLS 1.0 to be turned off soon), we highly recommend updating it using the information provided in this guide (see the Remediation/Resolution section).
Note: The ELBSecurityPolicy-2016-08 predefined security policy includes Protocol-TLSv1, which is considered insecure.
To determine if your ELB Predefined Security Policy uses insecure protocols, perform the following:
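One way to automate this check, as an added example that is not part of the original guide: the function below inspects output in the shape returned by `aws elb describe-load-balancer-policies` (boto3 `describe_load_balancer_policies`) and reports every SSL negotiation policy that enables one of the three protocols named above. The policy names and the sample response are constructed, and the optional `active_policy_names` filter assumes you pass the `PolicyNames` from the load balancer's listener descriptions.

```python
# Added example: flag Classic ELB SSL negotiation policies that enable
# Protocol-SSLv2, Protocol-SSLv3 or Protocol-TLSv1.
INSECURE_PROTOCOLS = ("Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1")

def insecure_protocols(policy):
    """Return the deprecated protocol attributes set to true in one policy."""
    if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
        return []  # stickiness, proxy-protocol etc. carry no protocol settings
    enabled = {
        attr["AttributeName"]
        for attr in policy.get("PolicyAttributeDescriptions", [])
        if str(attr.get("AttributeValue", "")).lower() == "true"
    }
    return [p for p in INSECURE_PROTOCOLS if p in enabled]

def audit(response, active_policy_names=None):
    """Map policy name -> insecure protocols; optionally only attached policies."""
    findings = {}
    for policy in response.get("PolicyDescriptions", []):
        name = policy["PolicyName"]
        if active_policy_names is not None and name not in active_policy_names:
            continue  # defined on the load balancer but not attached to a listener
        bad = insecure_protocols(policy)
        if bad:
            findings[name] = bad
    return findings

def _policy(name, type_name, **attrs):
    # Helper that builds one constructed PolicyDescription entry.
    return {"PolicyName": name, "PolicyTypeName": type_name,
            "PolicyAttributeDescriptions": [
                {"AttributeName": k.replace("_", "-"), "AttributeValue": v}
                for k, v in attrs.items()]}

# Constructed sample response (not captured from a real account).
SAMPLE = {"PolicyDescriptions": [
    _policy("constructed-predefined-2016-08", "SSLNegotiationPolicyType",
            Reference_Security_Policy="ELBSecurityPolicy-2016-08",
            Protocol_SSLv3="false", Protocol_TLSv1="true", **{"Protocol_TLSv1.2": "true"}),
    _policy("constructed-legacy-custom", "SSLNegotiationPolicyType",
            Protocol_SSLv3="true", Protocol_TLSv1="true"),
    _policy("constructed-hardened", "SSLNegotiationPolicyType",
            Protocol_TLSv1="false", **{"Protocol_TLSv1.2": "true"}),
    _policy("constructed-sticky", "LBCookieStickinessPolicyType",
            CookieExpirationPeriod="300"),
]}

if __name__ == "__main__":
    for name, protocols in audit(SAMPLE).items():
        print(f"{name}: {', '.join(protocols)}")
```

An empty result means none of the inspected policies enables a deprecated protocol; any policy listed should be replaced as described in the remediation steps.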
To remove any insecure protocol definitions from your ELB SSL negotiation settings, you need to perform the following: