From 75e5de9c374ad32ff33452f5f161134155917d0e Mon Sep 17 00:00:00 2001
From: Barrie Bremner
Date: Thu, 24 Dec 2020 16:52:01 +0000
Subject: [PATCH] Accept current most restrictive TLSv1.2-only ALB security policy as secure

The `ELBSecurityPolicy-FS-1-2-Res-2020-10` policy is the most restrictive TLS v1.2 only SSL/TLS security policy available, and is a subset of the already accepted `ELBSecurityPolicy-FS-1-2-Res-2019-08` policy - this commit adds `ELBSecurityPolicy-FS-1-2-Res-2020-10` to the list of acceptable "secure" security policies. `ELBSecurityPolicy-FS-1-2-Res-2020-10` has a very limited set of ciphers, is TLS v1.2 only and supports Forward Secrecy. Current SSL Labs tests gives it an "A" rating for another source of confirmation.
---
 checks/check_extra792 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/checks/check_extra792 b/checks/check_extra792
index f9f67dcc..b6497042 100644
--- a/checks/check_extra792
+++ b/checks/check_extra792
@@ -73,7 +73,8 @@ extra792(){
   if [[ $LIST_OF_ELBSV2 ]]; then
     # NOTE - ALBs do NOT support custom security policies
     # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
-    ELBV2SECUREPOLICIES=("ELBSecurityPolicy-2016-08" "ELBSecurityPolicy-TLS-1-1-2017-01" "ELBSecurityPolicy-TLS-1-2-2017-01" "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" "ELBSecurityPolicy-FS-2018-06" "ELBSecurityPolicy-FS-1-1-2019-08" "ELBSecurityPolicy-FS-1-2-2019-08" "ELBSecurityPolicy-FS-1-2-Res-2019-08" "ELBSecurityPolicy-2015-05")
+    ELBV2SECUREPOLICIES=("ELBSecurityPolicy-2016-08" "ELBSecurityPolicy-TLS-1-1-2017-01" "ELBSecurityPolicy-TLS-1-2-2017-01" "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" "ELBSecurityPolicy-FS-2018-06" "ELBSecurityPolicy-FS-1-1-2019-08" "ELBSecurityPolicy-FS-1-2-2019-08" "ELBSecurityPolicy-FS-1-2-Res-2019-08" "ELBSecurityPolicy-FS-1-2-Res-2020-10" "ELBSecurityPolicy-2015-05")
+
     for elbarn in $LIST_OF_ELBSV2; do
       passed=true
       if [[ $(echo $elbarn | grep "loadbalancer/app/") ]]; then
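Review bot: The rebuilt `ELBV2SECUREPOLICIES` allow-list on the `+` line still carries `ELBSecurityPolicy-2015-05`, `ELBSecurityPolicy-2016-08`, `ELBSecurityPolicy-TLS-1-1-2017-01`, `ELBSecurityPolicy-FS-2018-06` and `ELBSecurityPolicy-FS-1-1-2019-08`, which — if I read the AWS predefined-policy table correctly — still negotiate TLS 1.0 and/or 1.1, so a listener on any of them passes this check while the commit message justifies the new entry by it being TLS 1.2-only; the list and the stated bar are inconsistent and the commit does not say which one is intended. The criteria for inclusion are not recorded anywhere in the hunk, which is why the list has to grow by hand each time AWS publishes a policy; I would add above the assignment `# Accepted as "secure": predefined ALB policies; entries dated 2015-05, 2016-08, TLS-1-1 and FS-2018-06/FS-1-1 still allow TLS 1.0/1.1 — drop them if the baseline is TLS 1.2-only` so the next reviewer can see the trade-off. As a point of style, the array is a single very long line, so this change shows up as a whole-line rewrite in which the one added element is hard to spot; one quoted element per line inside the parentheses would make future additions reviewable as one-line diffs. The enclosing function `extra792` begins before this hunk and the `for elbarn` loop body continues past it, so I have not checked how the array is consumed.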