mozilla / server-side-tls

Server side TLS Tools
https://ssl-config.mozilla.org
Mozilla Public License 2.0
1.12k stars 143 forks source link

Generate AWS ELB policies #9

Closed jvehent closed 9 years ago

jvehent commented 9 years ago

It would be great to support AWS ELB policies. One challenge would be to automatically generate the policy based on the openssl ciphersuite. But if that's not possible, simply displaying a static policy would work.

Below is a sample for the intermediate level, courtesy of @ckolos

"Policies":[
  {
    "PolicyName":"Mozilla-Opsec-Intermediate-2014-11-06",
    "PolicyType":"SSLNegotiationPolicyType",
    "Attributes":[
      {"Name":"Protocol-TLSv1" ,                "Value":true },
      {"Name":"Protocol-TLSv1.1" ,              "Value":true },
      {"Name":"Protocol-TLSv1.2" ,              "Value":true },
      {"Name":"Server-Defined-Cipher-Order" ,   "Value":true },
      {"Name": "ECDHE-RSA-AES128-GCM-SHA256",   "Value":true },
      {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Value":true },
      {"Name": "ECDHE-RSA-AES256-GCM-SHA384",   "Value":true },
      {"Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Value":true },
      {"Name": "DHE-RSA-AES128-GCM-SHA256",     "Value":true },
      {"Name": "DHE-DSS-AES128-GCM-SHA256",     "Value":true },
      {"Name": "kEDH+AESGCM",                   "Value":true },
      {"Name": "ECDHE-RSA-AES128-SHA256",       "Value":true },
      {"Name": "ECDHE-ECDSA-AES128-SHA256",     "Value":true },
      {"Name": "ECDHE-RSA-AES128-SHA",          "Value":true },
      {"Name": "ECDHE-ECDSA-AES128-SHA",        "Value":true },
      {"Name": "ECDHE-RSA-AES256-SHA384",       "Value":true },
      {"Name": "ECDHE-ECDSA-AES256-SHA384",     "Value":true },
      {"Name": "ECDHE-RSA-AES256-SHA",          "Value":true },
      {"Name": "ECDHE-ECDSA-AES256-SHA",        "Value":true },
      {"Name": "DHE-RSA-AES128-SHA256",         "Value":true },
      {"Name": "DHE-RSA-AES128-SHA",            "Value":true },
      {"Name": "DHE-DSS-AES128-SHA256",         "Value":true },
      {"Name": "DHE-RSA-AES256-SHA256",         "Value":true },
      {"Name": "DHE-DSS-AES256-SHA",            "Value":true },
      {"Name": "DHE-RSA-AES256-SHA",            "Value":true },
      {"Name": "AES128-GCM-SHA256",             "Value":true },
      {"Name": "AES256-GCM-SHA384",             "Value":true },
      {"Name": "AES128-SHA256",                 "Value":true },
      {"Name": "AES256-SHA256",                 "Value":true },
      {"Name": "AES128-SHA",                    "Value":true },
      {"Name": "AES256-SHA",                    "Value":true },
      {"Name": "AES",                           "Value":true },
      {"Name": "CAMELLIA",                      "Value":true },
      {"Name": "DES-CBC3-SHA",                  "Value":true }
    ]
  }
]
nbibler commented 9 years ago

+1. While Amazon does update their ELB presets / security policies periodically, it doesn't seem to be often enough (barring a major security issue). This seems to force our hand to use a custom ELB cipher configuration as described above.

gene1wood commented 9 years ago

@jvehent So, custom ordering of cipher's isn't possible in an ELB, you either follow AWS's order or the client's order

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html

If you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order that they are specified in this table to negotiate connections between the client and load balancer. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client.

Given that, if we use AWS's order "modern" looks like this

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256

instead of

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA

intermediate looks like

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
DES-CBC3-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256

instead of

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
AES
CAMELLIA
DES-CBC3-SHA

and old looks like this

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
DES-CBC3-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256

instead of this

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
AES
DES-CBC3-SHA
HIGH

What impact on these profiles does this re-ordering and the missing ciphers mean?

jvehent commented 9 years ago

Some ciphers will be missing, some ordering will be off and there won't be any OCSP stapling, but that's the tradeoff you get from using ELBs. For the purpose of our configuration generator, it's more important to remove protocols and ciphers that aren't present in a given level than it is to enforce ordering.

nbibler commented 9 years ago

Yeah, ELB doesn't offer much as far as configuration. Pretty much everything beyond the ciphers supported is a black box. So, no OCSP stapling, session timeout modification, dhparam customization, etc.

So, as it stands, the tradeoff with ELB is that you no longer have to maintain those systems/proxies and get rapid or automatic host inclusion or exclusion, but at the cost of significantly slower SSL handshakes. It's no less secure, just less efficient to the client.

gene1wood commented 9 years ago

@jvehent ok, one more question, the AWS ciphersuites have additional ciphers present and included in their defaults which are not present in your list and some of your ciphers are available but not included their default list. Do you want to review those differences and either remove some of yours or include some of theirs that are missing? Or stick with what I've got pasted above?

jvehent commented 9 years ago

The lists are actually almost identical. Ours has some openssl aliases that aren't present in aws's, like kEDH+AESGCM. Those should be discarded. The lists you mention above are correct.

A note about "old": one exception here is that we include ECDHE-ECDSA-DES-CBC3-SHA and ECDHE-RSA-DES-CBC3-SHA and AWS does not. It's probably not relevant, I can't think of any client using these ciphers anyway.

gene1wood commented 9 years ago

One other thing to mention is that the effectively makes ELB ciphersuites for intermediate and old identical.

Should we indicate this by removing intermediate as an option and just showing modern and old (for ELB)?

jvehent commented 9 years ago

The ciphersuites may be identical, but old must accept sslv3 and intermediate must not.

gene1wood commented 9 years ago

Aha, got it. Makes perfect sense.