The perfect AWS ELB SSL Configuration
05 Mar 2015
When setting up Elastic Load Balancers (ELBs) at Amazon Web Services (AWS) with HTTPS listeners, the predefined SSL configuration (at the time of writing ELBSecurityPolicy-2015-02) is usually perfectly sufficient.
With this latest policy, the outdated and vulnerable protocols SSLv2 and SSLv3 are disabled, server-defined cipher order is enforced (the ELB, not the client, picks the cipher), and weak ciphers such as RC4 are disabled. In tandem with HTTP Strict Transport Security (HSTS), this is a pretty solid setup for your ELB.
But there is a catch.
If you still have users stuck on Windows XP, their computers won't be able to negotiate any cipher with your load balancer at all: the TLS stack on XP only offers RC4 and 3DES (no AES), and ELBSecurityPolicy-2015-02 enables neither, so all of these users are locked out of your service.
The bad option: Use ELBSecurityPolicy-2014-10
Using ELBSecurityPolicy-2014-10 enables the RC4 ciphers ECDHE-RSA-RC4-SHA and RC4-SHA, so Windows XP clients can negotiate RC4-SHA again. Unfortunately RC4 is broken (Mozilla and Microsoft, as well as many others, recommend disabling it wherever possible) and should be avoided at all costs, both to keep users safe and to maintain a good rating in your SSL Labs report.
The good option: Configure your own Security Policy
If you have to support Windows XP clients, you can't use ELBSecurityPolicy-2015-02, and you don't want to use ELBSecurityPolicy-2014-10 because it is weak. Luckily there is the DES-CBC3-SHA cipher (3DES), which is supported by Windows XP and, unlike RC4, still considered acceptable. Put it last in your cipher list: with server-defined cipher order enforced, only clients that support nothing better will end up on it, and every modern browser keeps negotiating AES.
To use it, you have to create a Security Policy on your load balancer and then activate it for each HTTPS listener. This can be done with the AWS Command Line Interface (CLI) in two commands.
Update (March 18th, 2015)
The newer AWS provided policy ELBSecurityPolicy-2015-03, which is ELBSecurityPolicy-2015-02 plus DES-CBC3-SHA for exactly this Windows XP case, also solves this issue without a custom policy.
Create a new Security Policy
To create the security policy (you’ll have to repeat this step for each of your load balancers) run the following command. Make sure to set
Activate your new Security Policy
Now activate the new policy for all of your HTTPS listeners on your load balancers. Make sure to set
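The two steps above, creating the policy and attaching it to the HTTPS listener, as one added example script. This is not the original post's command listing: the load balancer name, policy name and port are assumptions you override via the environment, and the cipher list is an assumption modelled on ELBSecurityPolicy-2015-02 with DES-CBC3-SHA appended as the last-choice fallback. It uses the classic ELB commands `aws elb create-load-balancer-policy` and `aws elb set-load-balancer-policies-of-listener`; without `--apply` it only prints the commands it would run, so it can be read and checked offline.

```shell
#!/bin/sh
# Added example (not the original post's commands): build a custom SSL
# negotiation policy for a classic ELB and attach it to the HTTPS listener
# with the AWS CLI. LB_NAME, POLICY_NAME and HTTPS_PORT are assumed values;
# the attribute names are those of the classic ELB SSLNegotiationPolicyType.
set -u

LB_NAME="${LB_NAME:-my-load-balancer}"          # assumption: your ELB name
POLICY_NAME="${POLICY_NAME:-TLS-3DES-fallback}" # assumption: any policy name
HTTPS_PORT="${HTTPS_PORT:-443}"                 # listener the policy applies to

# Protocols: SSLv2/SSLv3 off, TLS 1.0-1.2 on, server-defined cipher order on
# so the ELB, not the client, picks the strongest mutually supported cipher.
PROTOCOL_ATTRS="Protocol-SSLv2=false Protocol-SSLv3=false Protocol-TLSv1=true
Protocol-TLSv1.1=true Protocol-TLSv1.2=true Server-Defined-Cipher-Order=true"

# Ciphers in server preference order (assumption modelled on
# ELBSecurityPolicy-2015-02): forward-secret AES-GCM first, plain AES for
# TLS 1.0-only clients, and DES-CBC3-SHA last so only a client that supports
# nothing better (Windows XP) ends up on 3DES. No RC4 anywhere.
CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA
AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256
AES128-SHA AES256-SHA
DES-CBC3-SHA"

# Emit one AttributeName=...,AttributeValue=... item per line, the shorthand
# form that --policy-attributes accepts.
policy_attributes() {
  for kv in $PROTOCOL_ATTRS; do
    printf 'AttributeName=%s,AttributeValue=%s\n' "${kv%%=*}" "${kv#*=}"
  done
  for c in $CIPHERS; do
    printf 'AttributeName=%s,AttributeValue=true\n' "$c"
  done
}

# Sanity check before touching the load balancer: no RC4, no SSLv2/SSLv3,
# and the 3DES fallback present and last in preference order.
check_policy() {
  attrs="$(policy_attributes)"
  if printf '%s\n' "$attrs" | grep -q -e 'RC4' -e 'Protocol-SSLv[23],AttributeValue=true'; then
    echo "refusing: policy enables RC4 or SSLv2/SSLv3" >&2
    return 1
  fi
  [ "$(printf '%s\n' "$attrs" | tail -n 1)" = "AttributeName=DES-CBC3-SHA,AttributeValue=true" ]
}

# Step 1: create the policy on the load balancer (once per load balancer).
# $(policy_attributes) is deliberately unquoted so each line becomes one argument.
create_policy() {
  ${AWS:-aws} elb create-load-balancer-policy \
    --load-balancer-name "$LB_NAME" \
    --policy-name "$POLICY_NAME" \
    --policy-type-name SSLNegotiationPolicyType \
    --policy-attributes $(policy_attributes)
}

# Step 2: make it the policy of the HTTPS listener (once per HTTPS listener).
# This call replaces the listener's whole policy set, so list any other
# policy the listener already has (e.g. stickiness) alongside POLICY_NAME.
activate_policy() {
  ${AWS:-aws} elb set-load-balancer-policies-of-listener \
    --load-balancer-name "$LB_NAME" \
    --load-balancer-port "$HTTPS_PORT" \
    --policy-names "$POLICY_NAME"
}

# Without --apply only print the two commands (dry run); with it, run them.
if [ "${1:-}" = "--apply" ]; then
  check_policy && create_policy && activate_policy
else
  AWS="echo aws"
  check_policy && create_policy && activate_policy
fi
```

Run it once per load balancer with `LB_NAME=... sh elb-policy.sh --apply` (it needs working AWS credentials only in that mode), then check the result with the SSL Labs test: the report should show 3DES as the last cipher in the server's preference order and no RC4 at all.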
Any comments? Ping me on Twitter.