Why is this an issue?
TLS configuration of Google Cloud load balancers is defined through SSL policies. There are three managed profiles to choose from: COMPATIBLE (default), MODERN and RESTRICTED:
- The RESTRICTED profile relies only on secure cipher suites and should be used by applications that must comply with the highest security standards.
- The MODERN profile includes additional cipher suites that present security weaknesses, such as using the SHA1 algorithm for signing.
- The COMPATIBLE profile offers the most common cipher suites and thus broader compatibility. Some of these use the SHA1 or 3DES algorithms, which are considered weak. This profile also includes cipher suites that rely on obsolete key-exchange mechanisms that don't provide forward secrecy (https://en.wikipedia.org/wiki/Forward_secrecy).
Noncompliant code example
resource "google_compute_ssl_policy" "example" {
  name            = "example"
  min_tls_version = "TLS_1_2"
  profile         = "COMPATIBLE" # Noncompliant
}
Compliant solution
resource "google_compute_ssl_policy" "example" {
  name            = "example"
  min_tls_version = "TLS_1_2"
  profile         = "RESTRICTED"
}
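A lightweight review check for this pattern, added here as an example and not part of the rule or its analyzer: it scans Terraform text for google_compute_ssl_policy resources and reports those that end up on COMPATIBLE or MODERN, including the easy-to-miss case where profile is omitted and GCP falls back to the COMPATIBLE default. The regexes, the function name and the sample configuration are assumptions constructed for this example, not a full HCL parser.

```python
import re

# Managed profiles from the rule description: only RESTRICTED avoids the weak
# cipher suites it calls out (SHA1, 3DES, key exchange without forward secrecy).
WEAK_PROFILES = {"COMPATIBLE", "MODERN"}
DEFAULT_PROFILE = "COMPATIBLE"  # applied by GCP when `profile` is omitted

# One resource block; assumes terraform-fmt layout where the closing brace
# sits alone at the start of a line (assumption made for this example).
RESOURCE_RE = re.compile(
    r'resource\s+"google_compute_ssl_policy"\s+"(?P<name>[^"]+)"\s*\{'
    r'(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
# Simple `key = "value"` attributes; trailing comments like `# Noncompliant` are ignored.
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"(?P<value>[^"]*)"', re.MULTILINE)


def ssl_policy_findings(hcl: str) -> list[dict]:
    """Return one finding per SSL policy resource that ends up on a weak profile."""
    findings = []
    for block in RESOURCE_RE.finditer(hcl):
        attrs = {m["key"]: m["value"] for m in ATTR_RE.finditer(block["body"])}
        profile = attrs.get("profile", DEFAULT_PROFILE)
        if profile in WEAK_PROFILES:
            findings.append({
                "resource": block["name"],
                "profile": profile,
                # False when the weak profile comes from the implicit default.
                "explicit": "profile" in attrs,
            })
    return findings


# Constructed sample configuration for a stand-alone run (not from the page).
SAMPLE_TF = '''
resource "google_compute_ssl_policy" "legacy" {
  name            = "legacy"
  min_tls_version = "TLS_1_2"
  profile         = "COMPATIBLE" # Noncompliant
}

resource "google_compute_ssl_policy" "implicit" {
  name = "implicit"
}

resource "google_compute_ssl_policy" "hardened" {
  name            = "hardened"
  min_tls_version = "TLS_1_2"
  profile         = "RESTRICTED"
}
'''

if __name__ == "__main__":
    for f in ssl_policy_findings(SAMPLE_TF):
        how = "explicitly" if f["explicit"] else "by default (profile omitted)"
        print(f'{f["resource"]}: uses {f["profile"]} {how}')
```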
Resources