Thursday, Sep 22, 2011

SSL Ciphers on ELB

For some of the apps 'in our portfolio' we run PCI compliance scans. I won't name names, but we use McAfee for this particular one. These scans are great, but they have an uncanny ability to always find something.

This time they found something we are not particularly happy with: the scan reported that we had weak SSL ciphers enabled on our ELBs.

Of course we are not alone with this problem, and AWS recently added support for exactly this: a few weeks ago they announced that you can configure which SSL ciphers an ELB negotiates.

But, as is often the case with AWS, how to actually make this work is spread somewhere between the Developer Guide, the API reference, Jeff's wise words and people like us struggling and helping each other on the forum.

We are not in production with this yet, but we are testing whether this is the way to go. If you have some sort of shell with the ELB command line tools set up, you can follow along with this on your own ELBs.

By default an ELB's SSL negotiation policy has the following attributes (value=true means the protocol or cipher is enabled). Note that SSLv2 and the anonymous ADH suites are already off, but the export-grade, single DES, RC4 and Kerberos suites are all on:

name=Protocol-SSLv2,value=false
name=Protocol-TLSv1,value=true
name=Protocol-SSLv3,value=true
name=DHE-RSA-AES256-SHA,value=true
name=DHE-DSS-AES256-SHA,value=true
name=DHE-RSA-CAMELLIA256-SHA,value=true
name=DHE-DSS-CAMELLIA256-SHA,value=true
name=ADH-AES256-SHA,value=false
name=ADH-CAMELLIA256-SHA,value=false
name=AES256-SHA,value=true
name=CAMELLIA256-SHA,value=true
name=PSK-AES256-CBC-SHA,value=true
name=EDH-RSA-DES-CBC3-SHA,value=true
name=EDH-DSS-DES-CBC3-SHA,value=true
name=ADH-DES-CBC3-SHA,value=false
name=DES-CBC3-SHA,value=true
name=DES-CBC3-MD5,value=false
name=PSK-3DES-EDE-CBC-SHA,value=true
name=KRB5-DES-CBC3-SHA,value=true
name=KRB5-DES-CBC3-MD5,value=true
name=DHE-RSA-AES128-SHA,value=true
name=DHE-DSS-AES128-SHA,value=true
name=DHE-RSA-SEED-SHA,value=true
name=DHE-DSS-SEED-SHA,value=true
name=DHE-RSA-CAMELLIA128-SHA,value=true
name=DHE-DSS-CAMELLIA128-SHA,value=true
name=ADH-AES128-SHA,value=false
name=ADH-SEED-SHA,value=false
name=ADH-CAMELLIA128-SHA,value=false
name=AES128-SHA,value=true
name=SEED-SHA,value=true
name=CAMELLIA128-SHA,value=true
name=RC2-CBC-MD5,value=false
name=PSK-AES128-CBC-SHA,value=true
name=ADH-RC4-MD5,value=false
name=IDEA-CBC-SHA,value=true
name=RC4-SHA,value=true
name=RC4-MD5,value=true
name=PSK-RC4-SHA,value=true
name=KRB5-RC4-SHA,value=true
name=KRB5-RC4-MD5,value=true
name=EDH-RSA-DES-CBC-SHA,value=true
name=EDH-DSS-DES-CBC-SHA,value=true
name=ADH-DES-CBC-SHA,value=false
name=DES-CBC-SHA,value=true
name=DES-CBC-MD5,value=false
name=KRB5-DES-CBC-SHA,value=true
name=KRB5-DES-CBC-MD5,value=true
name=EXP-EDH-RSA-DES-CBC-SHA,value=true
name=EXP-EDH-DSS-DES-CBC-SHA,value=true
name=EXP-ADH-DES-CBC-SHA,value=false
name=EXP-DES-CBC-SHA,value=true
name=EXP-RC2-CBC-MD5,value=true
name=EXP-KRB5-RC2-CBC-SHA,value=true
name=EXP-KRB5-DES-CBC-SHA,value=true
name=EXP-KRB5-RC2-CBC-MD5,value=true
name=EXP-KRB5-DES-CBC-MD5,value=true
name=EXP-ADH-RC4-MD5,value=false
name=EXP-RC4-MD5,value=true
name=EXP-KRB5-RC4-SHA,value=true
name=EXP-KRB5-RC4-MD5,value=true


We don't want that; we want to be more restrictive, like ELBSample-ELBDefaultNegotiationPolicy, one of the sample policies AWS offers when creating an ELB. The really annoying thing is that these policies are ELB specific, not account wide, so you have to create them on every load balancer. This is the attribute list we ended up with:

name=Protocol-SSLv2,value=false
name=EDH-DSS-DES-CBC3-SHA,value=false
name=DHE-RSA-CAMELLIA128-SHA,value=false
name=DES-CBC-MD5,value=false
name=KRB5-RC4-SHA,value=false
name=ADH-CAMELLIA128-SHA,value=false
name=EXP-KRB5-RC4-MD5,value=false
name=ADH-RC4-MD5,value=false
name=PSK-RC4-SHA,value=false
name=PSK-AES128-CBC-SHA,value=false
name=EXP-EDH-RSA-DES-CBC-SHA,value=false
name=CAMELLIA128-SHA,value=false
name=DHE-DSS-AES128-SHA,value=false
name=EDH-RSA-DES-CBC-SHA,value=false
name=DHE-RSA-SEED-SHA,value=false
name=KRB5-DES-CBC-MD5,value=false
name=DHE-RSA-CAMELLIA256-SHA,value=false
name=ADH-DES-CBC3-SHA,value=false
name=DES-CBC3-MD5,value=false
name=EXP-KRB5-RC2-CBC-MD5,value=false
name=EDH-DSS-DES-CBC-SHA,value=false
name=KRB5-DES-CBC-SHA,value=false
name=PSK-AES256-CBC-SHA,value=false
name=ADH-AES256-SHA,value=false
name=KRB5-DES-CBC3-SHA,value=false
name=AES128-SHA,value=true
name=DHE-DSS-SEED-SHA,value=false
name=ADH-CAMELLIA256-SHA,value=false
name=EXP-KRB5-RC4-SHA,value=false
name=EDH-RSA-DES-CBC3-SHA,value=false
name=EXP-KRB5-DES-CBC-MD5,value=false
name=Protocol-TLSv1,value=true
name=PSK-3DES-EDE-CBC-SHA,value=false
name=SEED-SHA,value=false
name=DHE-DSS-CAMELLIA256-SHA,value=false
name=IDEA-CBC-SHA,value=false
name=RC2-CBC-MD5,value=false
name=KRB5-RC4-MD5,value=false
name=ADH-AES128-SHA,value=false
name=RC4-SHA,value=true
name=AES256-SHA,value=true
name=Protocol-SSLv3,value=true
name=EXP-DES-CBC-SHA,value=false
name=DES-CBC3-SHA,value=true
name=DHE-RSA-AES128-SHA,value=false
name=EXP-EDH-DSS-DES-CBC-SHA,value=false
name=EXP-KRB5-RC2-CBC-SHA,value=false
name=DHE-RSA-AES256-SHA,value=false
name=KRB5-DES-CBC3-MD5,value=false
name=RC4-MD5,value=true
name=EXP-RC2-CBC-MD5,value=false
name=DES-CBC-SHA,value=false
name=EXP-ADH-RC4-MD5,value=false
name=EXP-RC4-MD5,value=false
name=ADH-DES-CBC-SHA,value=false
name=CAMELLIA256-SHA,value=false
name=DHE-DSS-CAMELLIA128-SHA,value=false
name=EXP-KRB5-DES-CBC-SHA,value=false
name=EXP-ADH-DES-CBC-SHA,value=false
name=DHE-DSS-AES256-SHA,value=false
name=ADH-SEED-SHA,value=false


We saved this list as strict-ciphers.txt and used it to create the policy on each ELB:

$ for lb in staging-9apps-net staging-9apps-org; do
    awk -v lb="$lb" 'BEGIN{
        cmd = "elb-create-lb-policy " lb " --policy-name Strict-ELBNegotiationPolicy --policy-type SSLNegotiationPolicyType"
    }{
        # one --attribute "name=...,value=..." per line of strict-ciphers.txt
        cmd = cmd " --attribute \"" $1 "\""
    }END{system(cmd)}' strict-ciphers.txt
  done


Then we attach it to the HTTPS listener (port 443) of the staging-9apps-net and staging-9apps-org ELBs:

$ elb-set-lb-policies-of-listener staging-9apps-net \
    --lb-port 443 \
    --policy-names Strict-ELBNegotiationPolicy
$ elb-set-lb-policies-of-listener staging-9apps-org \
    --lb-port 443 \
    --policy-names Strict-ELBNegotiationPolicy
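As an added example (not code from the original post), here is a small Python script that reads a strict-ciphers.txt-style attribute file, lints what is still enabled, and builds the same elb-create-lb-policy command the awk one-liner above runs, as an argv list so the name=...,value=... attributes need no shell quoting. The built-in sample is constructed from the seven attributes the strict policy leaves enabled (listed in the comments below) plus one deliberately weak entry and one disabled suite. The weak-suite rules are the editor's, based on present-day guidance (SSLv3, RC4, 3DES, single DES, export-grade, anonymous and MD5-MAC suites are all rejected by current scanners), not anything AWS publishes; the load balancer and policy names are placeholders.

```python
#!/usr/bin/env python3
"""Lint an ELB SSLNegotiationPolicyType attribute file and build the
elb-create-lb-policy command for it.

Added example, not code from the original post.  Input lines have the
exact form shown in the post: name=<attribute>,value=<true|false>.
The weak-suite classification below is the editor's (present-day
guidance), not an AWS list.
"""
import re
import shlex
import subprocess
import sys

ATTR_RE = re.compile(r"^name=([A-Za-z0-9-]+),value=(true|false)$")

# Constructed sample: the seven attributes the post's strict policy leaves
# enabled, plus EXP-RC4-MD5 (deliberately weak) and one disabled suite.
SAMPLE_POLICY = """\
name=Protocol-SSLv2,value=false
name=Protocol-SSLv3,value=true
name=Protocol-TLSv1,value=true
name=AES128-SHA,value=true
name=AES256-SHA,value=true
name=DES-CBC3-SHA,value=true
name=RC4-SHA,value=true
name=RC4-MD5,value=true
name=EXP-RC4-MD5,value=true
name=ADH-AES256-SHA,value=false
"""

# First matching rule wins.  Editor's classification (assumption), not AWS's.
WEAK_RULES = [
    (re.compile(r"^Protocol-SSLv[23]$"), "SSLv2/SSLv3 protocol"),
    (re.compile(r"^EXP-"), "export-grade key size"),
    (re.compile(r"^ADH-"), "anonymous DH, no server authentication"),
    (re.compile(r"^KRB5-"), "Kerberos suite, useless for public HTTPS"),
    (re.compile(r"RC4"), "RC4 stream cipher"),
    (re.compile(r"(^|-)DES-CBC-"), "single DES"),          # does not match DES-CBC3
    (re.compile(r"DES-CBC3|3DES"), "3DES, 64-bit block cipher"),
    (re.compile(r"-MD5$"), "MD5 MAC"),
]


def parse_policy(text):
    """Return {attribute: enabled} in file order; reject malformed or duplicate lines."""
    attrs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected name=...,value=true|false, got {line!r}")
        name = m.group(1)
        if name in attrs:
            raise ValueError(f"line {lineno}: duplicate attribute {name}")
        attrs[name] = m.group(2) == "true"
    return attrs


def enabled(attrs):
    """Names whose value is true, i.e. what the ELB will actually negotiate."""
    return [name for name, on in attrs.items() if on]


def weak_enabled(attrs):
    """(name, reason) for every enabled attribute that matches a weak rule."""
    findings = []
    for name in enabled(attrs):
        for rule, reason in WEAK_RULES:
            if rule.search(name):
                findings.append((name, reason))
                break
    return findings


def create_policy_argv(lb_name, policy_name, attrs):
    """The elb-create-lb-policy invocation the awk one-liner builds, as argv."""
    argv = ["elb-create-lb-policy", lb_name,
            "--policy-name", policy_name,
            "--policy-type", "SSLNegotiationPolicyType"]
    for name, on in attrs.items():
        argv += ["--attribute", f"name={name},value={'true' if on else 'false'}"]
    return argv


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--run"]
    text = open(args[0]).read() if args else SAMPLE_POLICY
    policy = parse_policy(text)
    for name, reason in weak_enabled(policy):
        print(f"WEAK enabled: {name} ({reason})")
    # Placeholder names (assumption): substitute your own ELB and policy.
    argv = create_policy_argv("staging-9apps-net", "Strict-ELBNegotiationPolicy", policy)
    if "--run" in sys.argv:
        subprocess.run(argv, check=True)   # needs the ELB API tools on PATH
    else:
        print(" ".join(shlex.quote(a) for a in argv))
```

Run it with a file argument to lint your own list, or add --run to execute the command once the ELB tools are on the path. Note what it flags on the post's own strict policy: RC4-SHA, RC4-MD5, DES-CBC3-SHA and SSLv3 passed the scanners of 2011 but a scan today will report every one of them, so treat this post's list as the mechanism, not the target. Once the policy is attached, a negative check from outside is `openssl s_client -connect host:443 -cipher EXP-RC4-MD5 </dev/null`, which should fail the handshake, and the positive check is the same command with `-cipher AES128-SHA`; the DescribeLoadBalancerPolicies API action (elb-describe-lb-policies in the CLI tools) shows the attributes the ELB actually stored.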


We hope this helps everyone along a bit with getting the ciphers they want.


Reader Comments (2)

Hi, can you post what the resultant set of Ciphers that are left set to true are? Thanks.

October 14, 2011 | Unregistered CommenterChris

name=AES128-SHA,value=true
name=Protocol-TLSv1,value=true
name=RC4-SHA,value=true
name=AES256-SHA,value=true
name=Protocol-SSLv3,value=true
name=DES-CBC3-SHA,value=true
name=RC4-MD5,value=true

October 18, 2011 | Registered CommenterJurg van Vliet
