gcp-lb-ssl-weak-ciphers

Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites

When configuring your load balancers, it is important to set them not to accept insecure TLS handshakes. TLS protocol versions earlier than 1.2 are considered insecure and should be avoided. Furthermore, it is recommended to prefer modern cipher suites that use exclusively Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key agreement. Finally, the use of SHA1 is not recommended; prefer cipher suites that use SHA256 or another modern cryptographic hash function.

Examples

Insecure Example

resource "google_compute_ssl_policy" "lb-ssl-policy" {
  name            = "lb-ssl-policy"
  profile         = "CUSTOM"
  min_tls_version = "TLS_1_0"
  custom_features = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
}

Secure Example

resource "google_compute_ssl_policy" "lb-ssl-policy" {
  name            = "lb-ssl-policy"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}
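The following is an added example (not code from the rule's own implementation) that applies the checks described above to a policy's attribute map, as a dict of the shape `terraform show -json` emits for a `google_compute_ssl_policy` resource (assumed). The two policies at the bottom mirror the Terraform examples above and are constructed inputs.

```python
import re

# Assumed input: the attribute map of one google_compute_ssl_policy resource as a dict.
# IANA-style suite name, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>SHA|SHA256|SHA384|MD5)$")
TLS_RANK = {"TLS_1_0": 0, "TLS_1_1": 1, "TLS_1_2": 2}
MIN_OK_VERSION = "TLS_1_2"


def weak_cipher_reasons(suite):
    """Return why one cipher suite is weak under this rule; an empty list means acceptable."""
    m = SUITE_RE.match(suite)
    if not m:
        return ["unrecognised cipher suite name, review manually"]
    reasons = []
    if not m["kx"].startswith("ECDHE_"):        # rule: ECDHE key agreement only
        reasons.append("key agreement is %s, not ECDHE" % m["kx"])
    if m["mac"] in ("SHA", "MD5"):               # rule: SHA256 or stronger hash
        reasons.append("uses %s instead of SHA256 or stronger" % ("SHA1" if m["mac"] == "SHA" else "MD5"))
    if "3DES" in m["enc"] or "RC4" in m["enc"]:  # legacy bulk ciphers
        reasons.append("legacy bulk cipher %s" % m["enc"])
    return reasons


def evaluate_ssl_policy(policy):
    """Return the list of findings for one policy; an empty list means it passes the rule."""
    findings = []
    # min_tls_version is optional; assumed to fall back to TLS_1_0 when absent.
    min_tls = policy.get("min_tls_version") or "TLS_1_0"
    if TLS_RANK.get(min_tls, -1) < TLS_RANK[MIN_OK_VERSION]:
        findings.append("min_tls_version %s is below %s" % (min_tls, MIN_OK_VERSION))
    # Only a CUSTOM profile carries an explicit suite list; preconfigured profiles are managed.
    if policy.get("profile") == "CUSTOM":
        for suite in policy.get("custom_features") or []:
            findings.extend("%s: %s" % (suite, r) for r in weak_cipher_reasons(suite))
    return findings


# Constructed inputs mirroring the two Terraform examples above.
INSECURE_POLICY = {"name": "lb-ssl-policy", "profile": "CUSTOM", "min_tls_version": "TLS_1_0",
                   "custom_features": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]}
SECURE_POLICY = {"name": "lb-ssl-policy", "profile": "MODERN", "min_tls_version": "TLS_1_2"}

if __name__ == "__main__":
    for label, pol in (("insecure", INSECURE_POLICY), ("secure", SECURE_POLICY)):
        findings = evaluate_ssl_policy(pol)
        print(label, "FAIL" if findings else "PASS")
        for f in findings:
            print("  -", f)
```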

More information