Check for Insecure SSL Cipher Suites

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Check the Secure Socket Layer (SSL) policies associated with your HTTPS and SSL Proxy load balancers for any cipher suites that demonstrate vulnerabilities or have been considered insecure by recent exploits. Secure Sockets Layer (SSL) policies determine which Transport Layer Security (TLS) features clients are permitted to use when connecting to external Google Cloud load balancers. To prevent usage of insecure or deprecated TLS features, SSL policies should use one of the following configurations:

SSL policy configured with TLS 1.2 and the MODERN Google-managed profile.

SSL policy configured with the RESTRICTED managed profile. This configuration requires clients to use TLS 1.2 regardless of the chosen minimum TLS version.

SSL policy configured with the CUSTOM profile and none of the following cipher suites (as these ciphers are considered weak and insecure):

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

Security

To comply with clients that are using outdated protocols, external load balancers can be configured to permit insecure cipher suites. This option can allow GCP users to configure their load balancers without even knowing that they are permitting deprecated cipher suites. Using outdated and insecure ciphers for the SSL policies associated with your HTTPS/SSL Proxy load balancers could make the SSL connection between clients and load balancers vulnerable to exploits.


Audit

To determine if your Google Cloud load balancer SSL policies use insecure ciphers, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Load Balancing dashboard at https://console.cloud.google.com/net-services/loadbalancing.

04 On the Load balancing page, select Load balancers to access the list with the Google Cloud load balancers created for the selected project.

05 On the Load balancers panel, click inside the Filter by name or protocol box, select Protocol and HTTPS, OR, then Protocol and SSL to display only the HTTPS and the SSL Proxy load balancers available inside the project.

06 Choose the HTTPS/SSL Proxy load balancer that you want to examine, click on the 3-dot button to access the options menu, then select Edit.

07 On the Edit HTTP(S) load balancer page, select Frontend configuration tab, and click on the frontend configuration listed on the right panel.

08 On the frontend configuration panel, check the name of the SSL policy selected for the SSL policy dropdown list. If the name of the policy is GCP default, the selected HTTPS/SSL Proxy load balancer is configured to use the default SSL policy and this policy is using weak cipher suites. The default SSL policy is configured with a "COMPATIBLE" profile with a minimum TLS version of TLS 1.0. The "COMPATIBLE" profile allows the broadest set of clients, including clients that support only out-of-date SSL features.

09 Repeat steps no. 6 – 8 for each HTTPS/SSL Proxy load balancer available within the selected project.

10 Repeat steps no. 2 – 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123
cc-bigdata-project-112233

03 Run compute target-https-proxies list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the names and the SSL policies configured for the target proxies defined for the HTTPS load balancers within the selected project:

gcloud compute target-https-proxies list
	--project cc-project5-stack-123123
	--format="table(name,sslPolicy)"

04 The command output should return the URL of each SSL policy associated with the HTTPS load balancer(s) available in the selected GCP project. If the SSL_POLICY value is missing from the compute target-https-proxies list command output, the associated load balancer is using the default SSL policy, which is considered deprecated and insecure. The default GCP SSL policy is configured with a "COMPATIBLE" profile with a minimum TLS version of TLS 1.0. The "COMPATIBLE" profile allows the broadest set of clients, including clients that support only out-of-date SSL features:

NAME                                    SSL_POLICY
cc-frontend-load-balancer-target-proxy  https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/sslPolicies/cc-frontend-ssl-policy
cc-web-prod-load-balancer-target-proxy  https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/sslPolicies/cc-restricted-policy

05 Run compute target-ssl-proxies list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the names and the SSL policies configured for the target proxies defined for the SSL Proxy load balancers within the selected project:

gcloud compute target-ssl-proxies list
	--project cc-project5-stack-123123
	--format="table(name,sslPolicy)"

06 The command output should return the URL of each SSL policy associated with the SSL Proxy load balancer(s) created within the selected GCP project. If the SSL_POLICY value is missing from the command output, the associated SSL Proxy load balancer is using the default SSL policy, which is considered deprecated and insecure:

NAME                                    SSL_POLICY
cc-project5-load-balancer-target-proxy  https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/sslPolicies/cc-global-ssl-policy

07 Run compute ssl-policies describe command (Windows/macOS/Linux) using the URL of the SSL policy that you want to examine as identifier parameter and custom filtering to describe the minimum TLS version and the cipher suites configured for the selected policy:

gcloud compute ssl-policies describe https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/sslPolicies/cc-frontend-ssl-policy
	--format="json(minTlsVersion,profile,enabledFeatures)"

08 The command output should return the requested configuration information:

{
  "enabledFeatures": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384"
  ],
  "minTlsVersion": "TLS_1_0",
  "profile": "COMPATIBLE"
}

The conditions required to configure a secure and compliant SSL policy are listed below:
  1. "profile" set to "MODERN" and "minTlsVersion" set to "TLS_1_2";
  2. "profile" set to "RESTRICTED";
  3. "profile" set to "CUSTOM" and "enabledFeatures" array without the following ciphers:
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA

If the policy configuration returned by the compute ssl-policies describe command output does not satisfy one of the conditions listed above, the selected Secure Socket Layer (SSL) policy is using insecure and/or deprecated ciphers, therefore the SSL negotiation configuration for the HTTPS/SSL Proxy load balancers associated with the SSL policy is not compliant.

09 Repeat step no. 7 and 8 to check other SSL policies, associated with the HTTPS/SSL Proxy load balancers, for weak or insecure cipher suites.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure that your Google Cloud HTTPS/SSL Proxy load balancers are using secure and compliant Secure Socket Layer (SSL) policies, create new secure policies to replace the default ones and reconfigure the insecure policies that have weak or deprecated cipher suites.

Case A: To reconfigure your HTTPS/SSL Proxy load balancers in order to replace default (insecure) SSL policies with secure policies, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Load Balancing dashboard at https://console.cloud.google.com/net-services/loadbalancing.

04 On the Load balancing page, select Load balancers to access the list with the Google Cloud load balancers created for the selected project.

05 Choose the HTTPS/SSL Proxy load balancer that uses the default GCP SSL policy (see Audit section part I to identify the right resource), click on the 3-dot button to access the options menu, then select Edit.

06 On the Edit HTTP(S) load balancer page, select Frontend configuration tab, and click on the frontend configuration listed on the right panel.

07 On the frontend configuration panel, select Create policy from the SSL policy dropdown list to initiate the setup process.

08 On the Create new SSL policy panel, perform the following:

  1. In the Name box, provide a name for your new policy.
  2. Click Add a description to add a short description.
  3. Select TLS 1.2 from the Minimum TLS version dropdown list.
  4. SSL policy profiles are sets of features used in negotiating SSL with clients. Managed profiles (Modern and Restricted) are maintained to support new SSL capabilities. Custom profiles require manual updates. To meet security and compliance requirements choose one of the following profiles:
    • Select Modern to support a wide set of clients (allows most modern clients).
    • Select Restricted if you need to meet stricter compliance requirements.
    • Select Custom if you need a custom set of cipher suites. Select the ciphers that you want to use for your custom policy from the Features list. Do not include knowledge-base/components/the following cipher suites as these ciphers are considered weak and insecure:
      • TLS_RSA_WITH_AES_128_GCM_SHA256
      • TLS_RSA_WITH_AES_256_GCM_SHA384
      • TLS_RSA_WITH_AES_128_CBC_SHA
      • TLS_RSA_WITH_AES_256_CBC_SHA
      • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  5. Click Create to create the new, secure SSL policy.

09 On the Edit HTTP(S) load balancer page, click Update to associate the newly created SSL policy with the selected HTTPS/SSL Proxy load balancer.

10 Repeat steps no. 5 – 9 for each load balancer that uses default SSL policies, available in the selected project.

11 Repeat steps no. 2 – 10 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run compute ssl-policies create command (Windows/macOS/Linux) to create a new, secure Google Cloud SSL policy. The following compute ssl-policies create request example, creates a policy named "cc-modern-ssl-policy" that implements the "MODERN" managed profile and sets the minimum TLS version to TLS 1.2:

gcloud compute ssl-policies create cc-modern-ssl-policy
	--profile MODERN
	--min-tls-version 1.2

02 The command output should return the new GCP SSL policy metadata:

NAME                  PROFILE  MIN_TLS_VERSION
cc-modern-ssl-policy  MODERN   TLS_1_2

03 Run compute target-https-proxies update command (Windows/macOS/Linux) to apply the new SSL policy to the target proxy associated with your HTTPS load balancer (see Audit section part II to identify the right target) and replace the insecure policy:

gcloud compute target-https-proxies update cc-frontend-load-balancer-target-proxy
	--ssl-policy cc-modern-ssl-policy

04 The command output should return the URL of the reconfigured target:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/targetHttpsProxies/cc-frontend-load-balancer-target-proxy].

05 Run compute target-ssl-proxies update command (Windows/macOS/Linux) to apply the newly created SSL policy (i.e. cc-modern-ssl-policy) to the target proxy associated with your SSL Proxy load balancer (see Audit section part II to identify the right target) and replace the existing insecure policy:

gcloud compute target-ssl-proxies update cc-project5-load-balancer-target-proxy
	--ssl-policy cc-modern-ssl-policy

06 The command output should return the URL of the reconfigured target:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/targetSslProxies/cc-project5-load-balancer-target-proxy].

07 Repeat steps no. 1 – 6 for each GCP project deployed in your Google Cloud account.

Case B: To reconfigure any existing insecure Secure Socket Layer (SSL) policies, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Network Security dashboard at https://console.cloud.google.com/net-security.

04 In the navigation panel, select SSL policies to access the list of the Secure Socket Layer (SSL) policies created for the selected project.

05 On the SSL policies page, click on the name of the policy that you want to reconfigure (see Audit section part I to identify the right policy), then click on the Edit button from the dashboard top menu to enter the edit mode.

06 On the selected SSL policy configuration panel, perform the following:

  1. Select TLS 1.2 from the Minimum TLS version dropdown list.
  2. SSL policy profiles are sets of features used in negotiating SSL with clients. Managed profiles (Modern and Restricted) are maintained to support new SSL capabilities. Custom profiles require manual updates. To meet security and compliance requirements choose one of the following profiles:
    • Select Modern to support a wide set of clients (allows most modern clients).
    • Select Restricted if you need to meet stricter compliance requirements.
    • Select Custom if you need a custom set of cipher suites. Select the ciphers that you want to use for your custom policy from the Features list. Do not include knowledge-base/components/the following cipher suites as these ciphers are considered weak and insecure:
      • TLS_RSA_WITH_AES_128_GCM_SHA256
      • TLS_RSA_WITH_AES_256_GCM_SHA384
      • TLS_RSA_WITH_AES_128_CBC_SHA
      • TLS_RSA_WITH_AES_256_CBC_SHA
      • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  3. Click Save to apply the configuration changes.

07 Repeat step no. 5 and 6 for each insecure SSL policy that you want to reconfigure, created for the selected project.

08 Repeat steps no. 2 – 10 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run compute ssl-policies update command (Windows/macOS/Linux) to update the minimum TLS version and the cipher suite profile for the insecure SSL policy that you want to reconfigure (see Audit section part II to identify the right policy). The following compute ssl-policies update request example, updates an SSL policy named "cc-frontend-ssl-policy" that implements the "RESTRICTED" cipher suite profile and sets the minimum TLS version to TLS 1.2:

gcloud compute ssl-policies update cc-frontend-ssl-policy
	--profile RESTRICTED
	--min-tls-version 1.2

02 The command output should return the reconfigured GCP SSL policy metadata:

NAME                    PROFILE     MIN_TLS_VERSION
cc-frontend-ssl-policy  RESTRICTED  TLS_1_2

03 Repeat step no. 1 and 2 for each insecure SSL policy that you want to reconfigure, available within the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date Mar 12, 2020

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Check for Insecure SSL Cipher Suites

Risk level: Medium