| Insecure SSL/TLS Protocol |
| Using insecure and deprecated protocols can make connections vulnerable to exploits such as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption), which targets a specific weakness in the OpenSSL implementation of SSLv2 protocol, and POODLE (Padding Oracle On Downgraded Legacy Encryption). This vulnerability allows an attacker to read information encrypted with SSLv3 protocol in plain text, using a person-in-the-middle or an eavesdropping attack. |
| If you use Protocol-SSLv2 and/or Protocol-SSLv3 and/or Protocol-TLSv1 (PCI council requires TLS1.0 to be disabled soon), we highly recommend updating these protocols. Note: The ELBSecurityPolicy-2016-08 predefined security policy includes Protocol-TLSv1, which is considered insecure. |
| Rule ID: NS-SSL-001 Risk level: High (not acceptable risk) |
| Protect against Secure Sockets Layer (SSL) negotiation configuration for SSLv2, SSLv3, and TLSv1.0 insecure / deprecated SSL protocols. |
| This can help you with the following compliance standards: |
| This rule can help you form your AWS Well-Architected Framework for seamless integration of AWS, Network Security, and Trend Micro Cloud One - Conformity. |
Audit SSL/TLS protocol connection
To determine if you are blocking outdated SSL/TLS protocol connections, perform the following actions:
- From the Network Security management interface, click the Policy icon
in the navigation panel. - Select Intrusion Prevention Filtering.
- Search for the following filters to ensure they are enabled. If any are not enabled, then follow steps in the steps to below to enable SSL/TLS protection.
- SSLv2 = filter 3892
- SSLv3 = filter 13895
- TLS 1.0 = filter 13896
- TLS 1.1 = filter 13897
- TLS 1.2 or 1.3 = filter 13898
- TLS 1.3 = filter 13899
in the navigation panel.Enable SSL/TLS protocol connection protection
To block outdated SSL/TLS protocol connections, perform the following actions:
See Also
Add permanent SSL certificate exception in ChromeHow to Enable HTTPS-Only Mode in Chrome, Firefox, Edge, and Safari- From the Network Security management interface, click the Policy icon in the navigation panel.
- Select Intrusion Prevention Filtering.
- Search for the following filters, and enable each of them.
- SSLv2 = filter 3892
- SSLv3 = filter 13895
- TLS 1.0 = filter 13896
- TLS 1.1 = filter 13897
- TLS 1.2 or 1.3 = filter 13898
- TLS 1.3 = filter 13899
