Daniel Lockard's Blog

Implementing Perfect Forward Secrecy on Amazon ELB

by on Feb. 25, 2014, under Blog

Recently, Amazon upgraded their Elastic Load Balancer to support Server Cipher Ordering and ECDHE cipher suites. These are the cipher suites that Qualys recommends for implementing Forward Secrecy in their Best Practices document.

The following configuration gives me an A on Qualys’s SSL Labs.

  1. Select Custom Security Policy
  2. SSL Protocols
    1. Select ‘Protocol-TLSv1’, ‘Protocol-TLSv1.1’ and ‘Protocol-TLSv1.2’
  3. SSL Options
    1. Select ‘Server Order Preferences’
  4. SSL Ciphers – Select the following list:
    1. ECDHE-RSA-AES128-GCM-SHA256
    2. ECDHE-RSA-AES128-SHA256
    3. ECDHE-RSA-AES128-SHA
    4. ECDHE-RSA-AES256-GCM-SHA384
    5. ECDHE-RSA-AES256-SHA384
    6. ECDHE-RSA-AES256-SHA
    7. DHE-RSA-AES128-SHA
    8. DES-CBC3-SHA
    9. DHE-RSA-AES256-SHA

As a side note:
This configuration prevents IE6 from viewing your site over SSL at all, since IE6 does not support TLS 1.0 or later. We also include DES-CBC3-SHA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) so that IE8 on Windows XP still works; note that this suite uses static RSA key exchange, so a connection that negotiates it does not get forward secrecy. If you don’t care about IE8/WinXP, feel free to disable this cipher as well. RC4 used to be recommended to mitigate the BEAST attack, but all major browsers have patched against BEAST, so that matters much less now.
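If you would rather script the policy above than click through the console, here is an added example (mine, not from the original post) that builds the same custom SSL negotiation policy as classic-ELB CLI calls. It assumes the `aws elb` commands and the classic ELB policy attribute names (the protocol flags, `Server-Defined-Cipher-Order` for the console’s “Server Order Preference”, and the cipher suite names used as attributes); the load balancer and policy names are placeholders. It also lists which of the configured suites lack forward secrecy, which is exactly the DES-CBC3-SHA trade-off discussed in the side note.

```shell
#!/bin/sh
# Added example, not the original post's code: generate the custom ELB SSL
# negotiation policy from the post as `aws elb` commands. Placeholder names
# below; set DRY_RUN=0 to actually execute them against your account.
set -eu

LB_NAME="${LB_NAME:-my-classic-elb}"            # placeholder load balancer name
POLICY_NAME="${POLICY_NAME:-PFS-Policy-2014-02}"  # placeholder policy name

# Protocols and options from the post; SSLv2/SSLv3 are deliberately absent.
PROTOCOLS="Protocol-TLSv1 Protocol-TLSv1.1 Protocol-TLSv1.2"
OPTIONS="Server-Defined-Cipher-Order"   # assumed CLI name for "Server Order Preference"

# Cipher list in the post's order: ECDHE first, then DHE, DES-CBC3-SHA kept for IE8/XP.
CIPHERS="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA \
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA \
DHE-RSA-AES128-SHA DES-CBC3-SHA DHE-RSA-AES256-SHA"

# Emit one AttributeName=...,AttributeValue=true line per enabled attribute.
build_policy_attributes() {
  for name in $PROTOCOLS $OPTIONS $CIPHERS; do
    printf 'AttributeName=%s,AttributeValue=true\n' "$name"
  done
}

# List configured suites whose key exchange is not ephemeral ECDHE/DHE,
# i.e. the ones that trade forward secrecy for client compatibility.
non_pfs_ciphers() {
  for c in $CIPHERS; do
    case "$c" in
      ECDHE-*|DHE-*) ;;
      *) printf '%s\n' "$c" ;;
    esac
  done
}

# Print the two CLI calls: create the policy, then bind it to the HTTPS listener.
elb_policy_commands() {
  printf 'aws elb create-load-balancer-policy --load-balancer-name %s --policy-name %s --policy-type-name SSLNegotiationPolicyType --policy-attributes' "$LB_NAME" "$POLICY_NAME"
  build_policy_attributes | while IFS= read -r attr; do printf ' %s' "$attr"; done
  printf '\n'
  printf 'aws elb set-load-balancer-policies-of-listener --load-balancer-name %s --load-balancer-port 443 --policy-names %s\n' "$LB_NAME" "$POLICY_NAME"
}

# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.
main() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    elb_policy_commands
  else
    elb_policy_commands | sh -e
  fi
  printf 'Suites without forward secrecy: %s\n' "$(non_pfs_ciphers | tr '\n' ' ')"
}

main "$@"
```

Run it once with the default dry run to review the generated commands, then with `DRY_RUN=0 LB_NAME=<your-elb> ./elb-pfs-policy.sh` to apply them; afterwards re-test the site on SSL Labs to confirm the server-preferred suite is an ECDHE one.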

To get an A+ on SSL Labs, have your web server add the following header for sites that force SSL (nginx in this example):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

