VPC Endpoint using TLS 1.0 and 1.1?


Hi,

Using nmap I can detect that the private IPs of the VPC Endpoint are using old TLS versions. Is this correct?

nmap command:

nmap -sV -p 443 -Pn --script ssl-enum-ciphers 10.xx.x.xx

result:

Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-15 17:14 Romance Standard Time
Nmap scan report for ip-10-35-1-137.eu-west-1.compute.internal (10.xx.x.xx)
Host is up (0.053s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https AmazonEC2
|_http-server-header: AmazonEC2
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 401 Unauthorized
|     x-amzn-RequestId: 35504e7d-958a-43f4-8287-94cac4c7c749
|     Cache-Control: no-cache, no-store
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     vary: accept-encoding
|     Content-Type: text/xml;charset=UTF-8
|     Date: Wed, 15 Nov 2023 16:15:12 GMT
|     Connection: close
|     Server: AmazonEC2
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>35504e7d-958a-43f4-8287-94cac4c7c749</RequestID></Response>
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Date: Wed, 15 Nov 23 16:15:19 GMT
|     Connection: close
|     x-amz-request-id: 17197B4A773A83C6
|     Content-Length: 0
|   GetRequest: 
|     HTTP/1.1 301 Moved Permanently
|     Location: https://aws.amazon.com/ec2
|     x-amzn-RequestId: 3c69962d-d92d-44d7-8a25-499cfaa10799
|     Cache-Control: no-cache, no-store
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Content-Type: text/xml;charset=UTF-8
|     Content-Length: 0
|     Date: Wed, 15 Nov 2023 16:15:07 GMT
|     Keep-Alive: timeout=20
|     Server: AmazonEC2
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 400 Bad Request
|     x-amzn-RequestId: a95399a3-1a45-4d40-8c6d-8b3de52e92bd
|     Cache-Control: no-cache, no-store
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     vary: accept-encoding
|     Content-Type: text/xml;charset=UTF-8
|     Date: Wed, 15 Nov 2023 16:15:09 GMT
|     Connection: close
|     Server: AmazonEC2
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Response><Errors><Error><Code>UnsupportedHttpVerb</Code><Message>The requested HTTP verb is not supported: OPTIONS</Message></Error></Errors><RequestID>a95399a3-1a45-4d40-8c6d-8b3de52e92bd</RequestID></Response>
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: C
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.94%T=SSL%I=7%D=11/15%Time=6554EE8D%P=i686-pc-windows-wi
SF:ndows%r(GetRequest,17F,"HTTP/1.1\x20301\x20Moved\x20Permanently\r\nLoc
SF:ation:\x20https://aws.amazon.com/ec2\r\nx-amzn-RequestId:\x203c69962d
SF:-d92d-44d7-8a25-499cfaa10799\r\nCache-Control:\x20no-cache,\x20no-store
SF:\r\nStrict-Transport-Security:\x20max-age=31536000;\x20includeSubDomain
SF:s\r\nContent-Type:\x20text/xml;charset=UTF-8\r\nContent-Length:\x200\r
SF:nDate:\x20Wed,\x2015\x20Nov\x202023\x2016:15:07\x20GMT\r\nKeep-Alive:\x
SF:20timeout=20\r\nServer:\x20AmazonEC2\r\nConnection:\x20close\r\n\r\n")%
SF:r(HTTPOptions,23A,"HTTP/1.1\x20400\x20Bad\x20Request\r\nx-amzn-Request
SF:Id:\x20a95399a3-1a45-4d40-8c6d-8b3de52e92bd\r\nCache-Control:\x20no-cac
SF:he,\x20no-store\r\nStrict-Transport-Security:\x20max-age=31536000;\x20i
SF:ncludeSubDomains\r\nvary:\x20accept-encoding\r\nContent-Type:\x20text/x
SF:ml;charset=UTF-8\r\nDate:\x20Wed,\x2015\x20Nov\x202023\x2016:15:09\x20G
SF:MT\r\nConnection:\x20close\r\nServer:\x20AmazonEC2\r\n\r\n<?xml\x20ver
SF:sion="1.0"\x20encoding="UTF-8"?>\n<Response><Errors><Error><Code>
SF:UnsupportedHttpVerb</Code><Message>The\x20requested\x20HTTP\x20verb\x20
SF:is\x20not\x20supported:\x20OPTIONS</Message></Error></Errors><RequestID
SF:>a95399a3-1a45-4d40-8c6d-8b3de52e92bd</RequestID></Response>")%r(FourOh
SF:FourRequest,23E,"HTTP/1.1\x20401\x20Unauthorized\r\nx-amzn-RequestId:
SF:x2035504e7d-958a-43f4-8287-94cac4c7c749\r\nCache-Control:\x20no-cache,
SF:x20no-store\r\nStrict-Transport-Security:\x20max-age=31536000;\x20inclu
SF:deSubDomains\r\nvary:\x20accept-encoding\r\nContent-Type:\x20text/xml;c
SF:harset=UTF-8\r\nDate:\x20Wed,\x2015\x20Nov\x202023\x2016:15:12\x20GMT\r
SF:\nConnection:\x20close\r\nServer:\x20AmazonEC2\r\n\r\n<?xml\x20version
SF:="1.0"\x20encoding="UTF-8"?>\n<Response><Errors><Error><Code>Auth
SF:Failure</Code><Message>AWS\x20was\x20not\x20able\x20to\x20validate\x20t
SF:he\x20provided\x20access\x20credentials</Message></Error></Errors><Requ
SF:estID>35504e7d-958a-43f4-8287-94cac4c7c749</RequestID></Response>")%r(G
SF:enericLines,89,"HTTP/1.1\x20400\x20Bad\x20Request\r\nDate:\x20Wed,\x20
SF:15\x20Nov\x2023\x2016:15:19\x20GMT\r\nConnection:\x20close\r\nx-amz-req
SF:uest-id:\x2017197B4A773A83C6\r\nContent-Length:\x200\r\n\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.80 seconds

  • What's the name of the endpoint that you are probing?

Jonatan, asked 6 months ago, 402 views

1 Answer

Accepted Answer

I do not work for AWS but this is a quote from one of their articles. It seems it’s still being phased out with a view of making 1.2 minimum at the end of the year.

https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/

At Amazon Web Services (AWS), we continuously innovate to deliver you a cloud computing environment that works to help meet the requirements of the most security-sensitive organizations. To respond to evolving technology and regulatory standards for Transport Layer Security (TLS), we will be updating the TLS configuration for all AWS service API endpoints to a minimum of version TLS 1.2. This update means you will need to use TLS versions 1.2 or higher for your connections, with a continued gradual rollout that will complete by December 31, 2023. In this post, we will tell you how to check your TLS version, and what to do to prepare.

We have continued AWS support for TLS versions 1.0 and 1.1 to maintain backward compatibility for customers that have older or difficult to update clients, such as embedded devices. Furthermore, we have active mitigations in place that help protect your data for the issues identified in these older versions. Now is the right time to retire TLS 1.0 and 1.1, because increasing numbers of customers have requested this change to help simplify part of their regulatory compliance, and there are fewer and fewer customers using these older versions.

EXPERT, answered 6 months ago
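An added example, written for this thread and not taken from the question, the AWS blog post or any AWS tool: it parses the ssl-enum-ciphers section of an nmap scan like the one in the question and lists what a TLS 1.2-minimum policy would flag (TLS 1.0/1.1 still enabled, the 3DES cipher behind the SWEET32 warning, 1024-bit DH groups, and nmap's own warnings). The scan text embedded in the block is a constructed, shortened excerpt modelled on the question's output, so the findings it prints are illustrative. `accepts_version` is an optional second-opinion check that pins a handshake to one protocol version; it needs network access and is not exercised by the sample.

```python
"""Flag what a TLS 1.2-minimum policy would reject in nmap ssl-enum-ciphers output."""
import re
import socket
import ssl
from dataclasses import dataclass, field

# Protocol versions a "TLS 1.2 minimum" policy must not see enabled.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT")

VERSION_RE = re.compile(r"^(SSLv\d|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^(\S+) \((.+?)\) - ([A-F])$")   # name (key info) - grade
PREFIX_RE = re.compile(r"^\s*\|_?\s*")                   # nmap's "| " / "|_ " gutter


@dataclass
class VersionReport:
    ciphers: list = field(default_factory=list)   # (name, key_info, nmap_grade)
    warnings: list = field(default_factory=list)


def parse_ssl_enum_ciphers(scan_text):
    """Return {version: VersionReport} from nmap's ssl-enum-ciphers section."""
    report, version, section = {}, None, None
    for raw in scan_text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        m = VERSION_RE.match(line)
        if m:                                   # "TLSv1.0:" opens a new version block
            version, section = m.group(1), None
            report[version] = VersionReport()
            continue
        if version is None:
            continue
        if line in ("ciphers:", "warnings:"):
            section = line[:-1]
            continue
        if line.startswith(("compressors:", "cipher preference", "least strength")):
            section = None                      # sub-sections we do not grade
            continue
        if section == "ciphers":
            c = CIPHER_RE.match(line)
            if c:
                report[version].ciphers.append((c.group(1), c.group(2), c.group(3)))
        elif section == "warnings":
            report[version].warnings.append(line)
    return report


def assess(report, minimum="TLSv1.2"):
    """Findings a TLS-1.2-minimum policy would raise against the parsed scan."""
    findings = []
    for version, vr in report.items():
        if version in DEPRECATED_VERSIONS:
            findings.append({"version": version, "kind": "deprecated-protocol",
                             "detail": f"{version} enabled; policy minimum is {minimum}"})
        for name, key_info, grade in vr.ciphers:
            if any(marker in name for marker in WEAK_CIPHER_MARKERS) or grade not in "AB":
                findings.append({"version": version, "kind": "weak-cipher",
                                 "detail": f"{name} graded {grade}"})
            if key_info.startswith("dh ") and int(key_info.split()[1]) < 2048:
                findings.append({"version": version, "kind": "weak-dh-group",
                                 "detail": f"{name} uses {key_info}"})
        for warning in vr.warnings:
            findings.append({"version": version, "kind": "scanner-warning", "detail": warning})
    return findings


def meets_minimum(report):
    """True only when the server offers no deprecated protocol version."""
    return not (set(report) & DEPRECATED_VERSIONS)


def accepts_version(host, version, port=443, timeout=5.0):
    """Second opinion without nmap: does the server finish a handshake pinned to
    exactly `version` (an ssl.TLSVersion member)? Certificate checks are off because
    only protocol support is measured, not trust. Note: on OpenSSL 3 the client's
    default security level may itself refuse TLS 1.0/1.1, so False can mean the
    local library declined rather than the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


# Constructed, shortened excerpt modelled on the scan in the question (not real output).
SAMPLE_SCAN = """\
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
"""

if __name__ == "__main__":
    parsed = parse_ssl_enum_ciphers(SAMPLE_SCAN)
    for f in assess(parsed):
        print(f"[{f['kind']}] {f['version']}: {f['detail']}")
    print("meets TLS 1.2 minimum:", meets_minimum(parsed))
```

Feed the full nmap output to `parse_ssl_enum_ciphers` (everything outside the ssl-enum-ciphers section is ignored) and treat any `deprecated-protocol` finding as the thing to re-check once the AWS rollout quoted above completes; the `weak-cipher` and `weak-dh-group` findings are the same conditions nmap reports in its `warnings:` lines, surfaced per cipher so they can be tracked individually.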
