Check the Secure Socket Layer (SSL) policies associated with your HTTPS and SSL Proxy load balancers for any cipher suites that demonstrate vulnerabilities or have been considered insecure by recent exploits. Secure Sockets Layer (SSL) policies determine which Transport Layer Security (TLS) features clients are permitted to use when connecting to external Google Cloud load balancers. To prevent usage of insecure or deprecated TLS features, SSL policies should use one of the following configurations:
SSL policy configured with TLS 1.2 and the MODERN Google-managed profile.
SSL policy configured with the RESTRICTED managed profile. This configuration requires clients to use TLS 1.2 regardless of the chosen minimum TLS version.
SSL policy configured with a minimum of TLS 1.2 with a CUSTOM profile containing none of the following cipher suites (as these ciphers are considered weak and insecure):
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
This rule resolution is part of the Conformity Security & Compliance tool for GCP.
To comply with clients that are using outdated protocols, external load balancers can be configured to permit insecure cipher suites. This option can allow GCP users to configure their load balancers without even knowing that they are permitting deprecated cipher suites. Using outdated and insecure ciphers for the SSL policies associated with your HTTPS/SSL Proxy load balancers could make the SSL connection between clients and load balancers vulnerable to exploits.
Audit
To determine if your Google Cloud load balancer SSL policies use insecure ciphers, perform the following actions:
Remediation / Resolution
To ensure that your Google Cloud HTTPS/SSL Proxy load balancers are using secure and compliant Secure Socket Layer (SSL) policies, create new secure policies to replace the default ones and reconfigure the insecure policies that have weak or deprecated cipher suites.
Case A: To reconfigure your HTTPS/SSL Proxy load balancers in order to replace default (insecure) SSL policies with secure policies, perform the following actions:
Case B: To reconfigure any existing insecure Secure Socket Layer (SSL) policies, perform the following actions:
References
- Google Cloud Platform (GCP) Documentation
- Cloud Load Balancing
- Setting up a multi-region, content-based external HTTPS load balancer
- Setting up SSL Proxy Load Balancing
- Using SSL Policies
- CIS Security Documentation
- Securing Google Cloud Computing Platform
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud compute target-https-proxies list
- gcloud compute target-ssl-proxies list
- gcloud compute ssl-policies describe
- gcloud compute ssl-policies create
- gcloud compute target-https-proxies update
- gcloud compute target-ssl-proxies update
- gcloud compute ssl-policies update
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Check for Insecure SSL Cipher Suites
Risk Level: Medium