search

mozilla / identity-ops

Tools and Chef cookbooks used by Mozilla Services Operations to provision and manage Persona
Other
24 stars 12 forks source link

Add ECDHE ciphers and set to true, should enable pfs #150

Open jdotpz opened 10 years ago

jdotpz commented 10 years ago

http://aws.amazon.com/blogs/aws/elastic-load-balancing-perfect-forward-secrecy-and-other-security-enhancements

gene1wood commented 10 years ago

@jvehent JP of MoFo has identified some new ciphers. Want to weigh in on this?

jvehent commented 10 years ago

The ciphers are good. How does the script deal with the ciphersuite ordering? The default ELB policy has strong ordering to prefer some ciphers, and we want that as well, but I don't see how it's applied in the script.

jdotpz commented 10 years ago

I just added in a bit to include that setting, and elb's I use it against are coming back with an A rating. https://www.ssllabs.com/ssltest/analyze.html?d=forum.mozillascience.org

jvehent commented 10 years ago

Beautiful! r+

jvehent commented 10 years ago

@jdotpz : Do you have a public endpoint I can take a look at?

jdotpz commented 10 years ago

screen shot 2014-05-27 at 6 25 21 pm

jdotpz commented 10 years ago

webmaker.org popcorn.webmaker.org forum.mozillascience.org badgekit.org goggles.webmaker.org fundraising.mozilla.com

jvehent commented 10 years ago

/me likes !

$ ./cipherscan popcorn.webmaker.org
......................
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,P-256,256bits
3     ECDHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
4     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,P-256,256bits
5     ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,P-256,256bits
6     ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
7     AES128-GCM-SHA256            TLSv1.2
8     AES128-SHA256                TLSv1.2
9     AES128-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
10    AES256-GCM-SHA384            TLSv1.2
11    AES256-SHA256                TLSv1.2
12    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
13    DHE-RSA-AES128-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
14    CAMELLIA128-SHA              SSLv3,TLSv1,TLSv1.1,TLSv1.2
15    RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
16    DHE-RSA-AES256-GCM-SHA384    TLSv1.2                      DH,1024bits
17    DHE-RSA-AES256-SHA256        TLSv1.2                      DH,1024bits
18    DHE-RSA-AES256-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
19    CAMELLIA256-SHA              SSLv3,TLSv1,TLSv1.1,TLSv1.2
20    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                      DH,1024bits
21    DHE-RSA-AES128-SHA256        TLSv1.2                      DH,1024bits

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
jvehent commented 10 years ago

Note to self: replace RC4 with 3DES.

jdotpz commented 10 years ago

screen shot 2014-05-27 at 6 33 33 pm screen shot 2014-05-27 at 6 33 27 pm screen shot 2014-05-27 at 6 33 14 pm screen shot 2014-05-27 at 6 31 19 pm screen shot 2014-05-27 at 6 31 11 pm screen shot 2014-05-27 at 6 31 02 pm screen shot 2014-05-27 at 6 30 54 pm

gene1wood commented 10 years ago

As some context, everything other than Persona is currently using the AWS defined ELBSecurityPolicy-2014-01 ciphersuite as mentioned here

jvehent commented 10 years ago

AWS default policy is decent. But in the future, I'd like to have 2 configurations: one that has SSL3 for backward compatible sites, and one that doesn't. We could disable SSL3 and TLS1, as well as RC4 and 3DES entirely. Maybe even enable PFS only ciphersuite. I'll try to work on this in Q3.