Daniel Lockard's Blog

Implementing Perfect Forward Secrecy on Amazon ELB

by on Feb.25, 2014, under Blog

Recently, Amazon upgraded their Elastic Load Balancer to support Server Cipher Ordering and ECDHE ciphers. These are the ciphers Qualys recommends for implementing Forward Secrecy in their Best Practices document.

The following configuration gives me an A on Qualys’s SSL Labs.

  1. Select Custom Security Policy
  2. SSL Protocols
    1. Select ‘Protocol-TLSv1’, ‘Protocol-TLSv1.1’ and ‘Protocol-TLSv1.2’
  3. SSL Options
    1. Select ‘Server Order Preferences’
  4. SSL Ciphers – Select the following list:
    1. ECDHE-RSA-AES128-GCM-SHA256
    2. ECDHE-RSA-AES128-SHA256
    3. ECDHE-RSA-AES128-SHA
    4. ECDHE-RSA-AES256-GCM-SHA384
    5. ECDHE-RSA-AES256-SHA384
    6. ECDHE-RSA-AES256-SHA
    7. DHE-RSA-AES128-SHA
    8. DES-CBC3-SHA
    9. DHE-RSA-AES256-SHA
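
The same custom policy built with the AWS CLI instead of the console, as an added example that is not from the original post. It assumes a configured AWS CLI and an existing classic ELB; the load balancer and policy names you pass in are placeholders.

```shell
#!/bin/sh
# Added example (not the post's own code): reproduce the console steps above
# as an SSLNegotiationPolicyType policy on a classic ELB using the AWS CLI.
# Assumes the AWS CLI is installed and has credentials for the account.
set -eu

# Cipher list from the post, in the same order: with Server-Defined-Cipher-Order
# the server picks the first suite it shares with the client, so order matters.
# DES-CBC3-SHA is the one non-forward-secret suite, kept only for IE8 on XP.
PFS_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA \
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA \
DHE-RSA-AES128-SHA DES-CBC3-SHA DHE-RSA-AES256-SHA"

# Print one AttributeName=...,AttributeValue=true entry per line: the three TLS
# protocol toggles, server cipher order preference, then each enabled cipher.
elb_pfs_policy_attributes() {
    printf '%s\n' \
        "AttributeName=Protocol-TLSv1,AttributeValue=true" \
        "AttributeName=Protocol-TLSv1.1,AttributeValue=true" \
        "AttributeName=Protocol-TLSv1.2,AttributeValue=true" \
        "AttributeName=Server-Defined-Cipher-Order,AttributeValue=true"
    for c in $PFS_CIPHERS; do
        printf 'AttributeName=%s,AttributeValue=true\n' "$c"
    done
}

# Count suites without an ephemeral (ECDHE/DHE) key exchange, i.e. the ones
# that do not give forward secrecy. For the list above this is DES-CBC3-SHA only.
count_non_pfs_ciphers() {
    n=0
    for c in $PFS_CIPHERS; do
        case "$c" in
            ECDHE-*|DHE-*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Create the policy on an existing classic ELB and attach it to the 443 listener.
# Usage: apply_elb_pfs_policy <load-balancer-name> <policy-name>
apply_elb_pfs_policy() {
    lb="$1"; policy="$2"
    # shellcheck disable=SC2046  (word splitting of the attribute list is intended)
    aws elb create-load-balancer-policy \
        --load-balancer-name "$lb" --policy-name "$policy" \
        --policy-type-name SSLNegotiationPolicyType \
        --policy-attributes $(elb_pfs_policy_attributes)
    aws elb set-load-balancer-policies-of-listener \
        --load-balancer-name "$lb" --load-balancer-port 443 \
        --policy-names "$policy"
}
```

Source the file and run `apply_elb_pfs_policy my-elb pfs-policy` (placeholder names) to apply it; `count_non_pfs_ciphers` is there so you can check, before applying, how many suites in the list lack forward secrecy.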

As a side note:
This configuration prevents IE6 from viewing your site over SSL at all, since IE6 does not support TLS 1.0 or later. We also include DES-CBC3-SHA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) so that IE8 on Windows XP will work; if you don’t care about IE8 on Windows XP, feel free to disable this cipher as well. RC4 used to be recommended to mitigate the BEAST attack, but all major browsers have since patched against BEAST, so that is much less of a concern now.

To get an A+ on SSL Labs, have your web server add the following Strict-Transport-Security (HSTS) header on sites that force SSL (nginx in this example):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

4 comments for this entry:
  1. Kieran

    Thanks, this helped me pass PCI Compliance on AWS ELB.

  2. Daniel Lockard

    No problem! It’s something I’ve been looking forward to implementing for a while, Amazon just made it possible recently :)

  3. Joe

    Thanks for this! Just an FYI, this configuration now yields a B from SSL Labs. If you have the luxury of supporting only modern browsers, you can remove ciphers 7, 8, and 9 on the list to get an A from SSL Labs.

  4. Daniel Lockard

    I’m terrible at looking at my blog comments. I’ll see if I can’t update this soon :)
