Insecure SSL/TLS Protocol
Using insecure and deprecated protocols can leave connections vulnerable to exploits such as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption), which targets a specific weakness in the OpenSSL implementation of the SSLv2 protocol, and POODLE (Padding Oracle On Downgraded Legacy Encryption), which allows an attacker to read information encrypted with the SSLv3 protocol in plain text using a person-in-the-middle or an eavesdropping attack.
If you use Protocol-SSLv2, Protocol-SSLv3, or Protocol-TLSv1 (the PCI council requires TLS 1.0 to be disabled soon), we highly recommend updating these protocols.
Note: The ELBSecurityPolicy-2016-08 predefined security policy includes Protocol-TLSv1, which is considered insecure.
Rule ID: NS-SSL-001
Risk level: High (not acceptable risk)
Protects against Secure Sockets Layer (SSL) negotiation configured for the insecure and deprecated SSLv2, SSLv3, and TLSv1.0 protocols.
This can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework for seamless integration of AWS, Network Security, and Cloud One - Conformity.

Audit SSL/TLS protocol connection

To determine if you are blocking outdated SSL/TLS protocol connections, perform the following actions:

  1. From the Network Security management interface, click the Policy icon in the navigation panel.
  2. Select Intrusion Prevention Filtering.
  3. Search for the following filters to ensure they are enabled. If any are not enabled, follow the steps under Enable SSL/TLS protocol connection protection below.
    • SSLv2 = filter 3892
    • SSLv3 = filter 13895
    • TLS 1.0 = filter 13896
    • TLS 1.1 = filter 13897
    • TLS 1.2 or 1.3 = filter 13898
    • TLS 1.3 = filter 13899
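As an added example that is not part of the Network Security documentation, the following Python names the protocol version a server hello selects, which is one way to confirm on captured handshakes what the filters above are meant to block. The INSECURE set follows the filter list above (so TLS 1.1 is included alongside SSLv2, SSLv3 and TLS 1.0), and the sample records are constructed, not captured traffic.

```python
# Added example (not from the Network Security documentation): name the SSL/TLS
# version a server hello selects and flag the versions the filter list above covers.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
INSECURE = {"SSLv2", "SSLv3", "TLS 1.0", "TLS 1.1"}  # per the filter list above

def _selected_in_supported_versions(body):
    """body = ServerHello after server_version; return the 0x002b selection."""
    pos = 33 + body[32] + 3          # skip random, session_id, cipher, compression
    if pos + 2 > len(body):
        return None                  # no extensions block present (pre-1.3 style)
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        etype, elen = int.from_bytes(body[pos:pos + 2], "big"), int.from_bytes(body[pos + 2:pos + 4], "big")
        if etype == 0x002B and elen == 2:
            return (body[pos + 4], body[pos + 5])
        pos += 4 + elen
    return None

def negotiated_version(record):
    """Name the protocol version selected by an SSLv2 or TLS server hello."""
    # SSLv2: 2-byte header with the high bit set, then the message type
    # (0x01 CLIENT-HELLO, 0x04 SERVER-HELLO); any SSLv2 hello is insecure.
    if len(record) >= 3 and record[0] & 0x80 and record[2] in (0x01, 0x04):
        return "SSLv2"
    if len(record) < 47 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS ServerHello record")  # 47 = headers + fixed fields
    version = (record[9], record[10])
    if version == (3, 3):            # TLS 1.3 keeps legacy_version 0x0303 here
        version = _selected_in_supported_versions(record[11:]) or version
    return VERSION_NAMES.get(version, "unknown %d.%d" % version)

def _server_hello(version, extensions=b""):
    """Constructed minimal ServerHello record for the samples (not captured)."""
    body = version + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(hs).to_bytes(2, "big") + hs

SAMPLES = {  # constructed records, one per protocol generation
    "sslv2": b"\x80\x05\x04\x00\x01\x00\x02",
    "sslv3": _server_hello(b"\x03\x00"),
    "tls10": _server_hello(b"\x03\x01"),
    "tls12": _server_hello(b"\x03\x03"),
    "tls13": _server_hello(b"\x03\x03", b"\x00\x2b\x00\x02\x03\x04"),
}
```

A record whose version lands in INSECURE is one the corresponding filter (3892, 13895, 13896 or 13897) should have blocked.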

Enable SSL/TLS protocol connection protection

To block outdated SSL/TLS protocol connections, perform the following actions:

  1. From the Network Security management interface, click the Policy icon in the navigation panel.
  2. Select Intrusion Prevention Filtering.
  3. Search for the following filters, and enable each of them.
    • SSLv2 = filter 3892
    • SSLv3 = filter 13895
    • TLS 1.0 = filter 13896
    • TLS 1.1 = filter 13897
    • TLS 1.2 or 1.3 = filter 13898
    • TLS 1.3 = filter 13899