Why is this an issue?
TLS configuration of Google Cloud load balancers is defined through SSL policies. There are three managed profiles to choose from:
COMPATIBLE (default), MODERN and RESTRICTED:
- The
RESTRICTED profile relies only on secure cipher suites and should be used by applications that require to comply with the
highest security standards.
- The
MODERN profile includes additional cipher suites that present security weaknesses like using the SHA1 algorithm
for signing.
- The
COMPATIBLE profile offers the most common cipher suites and thus broader compatibility. Some of these use SHA1 or
3DES algorithms which are considered weak. Also, this profile includes cipher suites that rely on obsolete key-exchange mechanisms that
don’t provide forward secrecy[https://en.wikipedia.org/wiki/Forward_secrecy] as a
feature.
Noncompliant code example
resource "google_compute_ssl_policy" "example" {
name = "example"
min_tls_version = "TLS_1_2"
profile = "COMPATIBLE" # Noncompliant
}
Compliant solution
resource "google_compute_ssl_policy" "example" {
name = "example"
min_tls_version = "TLS_1_2"
profile = "RESTRICTED"
}
Resources
