Terraform

Made by DeepSource

An outdated SSL policy is in use by a load balancer TF-AWS010

Security
Critical

It is not recommended to use outdated/insecure TLS versions for encryption.

Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of SSL protocols, SSL ciphers, and the Server Order Preference option. Using outdated security policies poses a security risk to your infrastructure, so they must be reviewed and updated regularly.

Refer to https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html for the current list of predefined SSL security policies. This issue is currently raised for TLS <= v1.2. Upgrading it to v1.2+ is recommended.

Examples

Bad practice

resource "aws_alb_listener" "my-resource" {
  ssl_policy = "ELBSecurityPolicy-TLS-1-1-2017-01"
  protocol   = "HTTPS"
}

Recommended

resource "aws_alb_listener" "my-resource" {
  ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
  protocol   = "HTTPS"
}

References