The perfect AWS ELB SSL Configuration

When setting up an Elastic Load Balancers (ELBs) at Amazon Web Services (AWS) with HTTPS listeners, the predefined SSL configuration (currently ELBSecurityPolicy-2015-02) is usually perfectly sufficient.

With this latest policy, outdated and vulnerable protocols such as SSLv2 and SSLv3 are disabled, server order preference is used and outdated vulnerable SSL ciphers such as RC4 are disabled. In tandem with HTTP Strict Transport Security (HSTS), this is a pretty solid setup for your ELB.

But there is a catch.

If you still have users stuck with Windows XP their computer won’t be able to negotiate any cipher it supports with your load balancer, so all of these users are unable to use your service.


The bad option: Use ELBSecurityPolicy-2014-10

Using ELBSecurityPolicy-2014-10 enables the ECDHE-RSA-RC4-SHA and RC4-SHA ciphers, which are supported by Windows XP. Unfortunately RC4 is vulnerable (e.g. Mozilla and Microsoft as well as many others recommend to disable it where possible) and should be avoided at all cost, both to keep users safe as well as to maintain a good rating in your SSL Labs Report.

The good option: Configure your own Security Policy

If you have to support Windows XP clients, you can’t use ELBSecurityPolicy-2015-02 and you don’t want to use ELBSecurityPolicy-2014-10 because it’s weak. Luckily there’s the DES-CBC3-SHA cipher, which is supported by Windows XP and still considered secure.

To use that, you have to create a Security Policy for your load balancer and then activate it for each listener. This can be done with the AWS Command Line tools in two commands.

Update (March, 18th 2015)

The new AWS provided policy ELBSecurityPolicy-2015-02 also solves this issue:

Create a new Security Policy

To create the security policy (you’ll have to repeat this step for each of your load balancers) run the following command. Make sure to set --load-balancer-name, --policy-name and --region correctly.

aws elb create-load-balancer-policy \
--load-balancer-name myloadbalancer \
--policy-name MySecurityPolicy-2015-03 \
--policy-type-name SSLNegotiationPolicyType \
--region eu-central-1 \
--policy-attributes \
AttributeName=Protocol-TLSv1,AttributeValue=true \
AttributeName=Protocol-TLSv1.1,AttributeValue=true \
AttributeName=Protocol-TLSv1.2,AttributeValue=true \
AttributeName=Server-Defined-Cipher-Order,AttributeValue=true \
AttributeName=ECDHE-ECDSA-AES128-GCM-SHA256,AttributeValue=true \
AttributeName=ECDHE-RSA-AES128-GCM-SHA256,AttributeValue=true \
AttributeName=ECDHE-ECDSA-AES128-SHA256,AttributeValue=true \
AttributeName=ECDHE-RSA-AES128-SHA256,AttributeValue=true \
AttributeName=ECDHE-ECDSA-AES128-SHA,AttributeValue=true \
AttributeName=ECDHE-RSA-AES128-SHA,AttributeValue=true \
AttributeName=DHE-RSA-AES128-SHA,AttributeValue=true \
AttributeName=ECDHE-ECDSA-AES256-GCM-SHA384,AttributeValue=true \
AttributeName=ECDHE-RSA-AES256-GCM-SHA384,AttributeValue=true \
AttributeName=ECDHE-ECDSA-AES256-SHA384,AttributeValue=true \
AttributeName=ECDHE-RSA-AES256-SHA384,AttributeValue=true \
AttributeName=ECDHE-RSA-AES256-SHA,AttributeValue=true \
AttributeName=ECDHE-ECDSA-AES256-SHA,AttributeValue=true \
AttributeName=AES128-GCM-SHA256,AttributeValue=true \
AttributeName=AES128-SHA256,AttributeValue=true \
AttributeName=AES128-SHA,AttributeValue=true \
AttributeName=AES256-GCM-SHA384,AttributeValue=true \
AttributeName=AES256-SHA256,AttributeValue=true \
AttributeName=AES256-SHA,AttributeValue=true \
AttributeName=DHE-DSS-AES128-SHA,AttributeValue=true \
AttributeName=DES-CBC3-SHA,AttributeValue=true

Activate your new Security Policy

Now activate the new policy for all of your HTTPS listeners on your load balancers. Make sure to set --load-balancer-name, --policy-name, --port and --region correctly.

aws elb set-load-balancer-policies-of-listener --load-balancer-name myloadbalancer --load-balancer-port 443 --policy-name MySecurityPolicy-2015-03 --region eu-central-1

That’s it. Now you have a secure SSL configuration for your ELB and still support Windows XP. We use this configuration at fruux (here’s our SSL Labs Report).


Any comments? Ping me on Twitter.