mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

AWS ALB recommendations for Intermediate and Modern need updating #211

Closed markstuart closed 1 day ago

markstuart commented 10 months ago

Intermediate

The awsalb 2019.8.1, intermediate config recommends using the "ELBSecurityPolicy-FS-1-2-Res-2019-08" for the listener SSL policy. That policy doesn't support TLS 1.3, but the intermediate config really should, I think.

Matching the recommended protocols and ciphers for nginx 1.17.7, intermediate config, OpenSSL 1.1.1k, the ALB listener policy that is the closest looks like ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06.

See https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-protocols-ciphers for cipher coverage in the table.

Modern

The awsalb 2019.8.1, modern config states that "unfortunately, AWS ALB does not support the modern configuration".

Looking at the available listener policies, the only one that AWS provides that restricts to TLS 1.3 only is "ELBSecurityPolicy-TLS13-1-3-2021-06".

janbrasna commented 9 months ago

There's an open PR #198 to address the issue.

@markstuart There's only a slight difference in the intermediate policy chosen,

ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 that you recommend vs. ELBSecurityPolicy-TLS13-1-2-2021-06 in the PR.

Can you elaborate on the difference or maybe review the PR to discuss the ideal setup with the author?

janbrasna commented 8 months ago

Based on the overview table:

Screen Shot 2024-02-02 at 17 41 57

the -Ext1- includes weak suites such as TLS_RSA_WITH_AES_128_CBC_SHA256 or TLS_RSA_WITH_AES_128_GCM_SHA256, so that shouldn't be used. 🚫

In reality it should be the more restricted -Res- policy, to get rid of all the CBC suites… ✅ → https://github.com/mozilla/ssl-config-generator/pull/198#pullrequestreview-1859692898
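To make the "which suites disqualify a policy" argument above checkable, here is an added example (not code from this repository or from AWS) that classifies IANA-named suites, as AWS lists them in its security-policy tables, against the intermediate profile's two rules: a TLS 1.2 suite must use ephemeral (EC)DHE key exchange and an AEAD mode. The two policy lists are constructed samples that only include the suites named in this thread, not the real AWS policy definitions.

```python
"""Check TLS cipher suites (IANA names) against the Mozilla "intermediate"
profile: TLS 1.3 suites pass; a TLS 1.2 suite needs forward secrecy
(ECDHE/DHE key exchange) and an AEAD mode (GCM or CHACHA20-POLY1305)."""

# TLS 1.3 suites carry no key-exchange component in their name.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Key-exchange prefixes that provide forward secrecy.
FS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")


def suite_problems(suite):
    """Reasons a suite fails the intermediate profile ([] = acceptable)."""
    if suite in TLS13_SUITES:
        return []
    problems = []
    if not suite.startswith(FS_PREFIXES):
        problems.append("no forward secrecy (static RSA/DH key exchange)")
    if not ("_GCM_" in suite or "CHACHA20_POLY1305" in suite):
        problems.append("not AEAD (CBC / MAC-then-encrypt)")
    return problems


def evaluate_policy(suites):
    """Map each failing suite to its problems; {} means the policy passes."""
    return {s: suite_problems(s) for s in suites if suite_problems(s)}


# Constructed samples (hypothetical), NOT the real AWS policy contents;
# the TLS_RSA suites are the ones called out in the issue discussion.
SAMPLE_EXT1_LIKE = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]
SAMPLE_RES_LIKE = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for name, suites in (("ext1-like", SAMPLE_EXT1_LIKE), ("res-like", SAMPLE_RES_LIKE)):
        print(name, "->", evaluate_policy(suites) or "OK")
```

Feeding a policy's real suite list (e.g. from the AWS documentation table) through `evaluate_policy` gives the same verdict the comment above reaches by eye: the CBC and TLS_RSA suites are what disqualify an -Ext1- style policy.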

amznmunchy commented 7 months ago

Hi team, TLS13-1-3-2021-06 (TLS v1.3 only) is now supported by ALBs.

Screenshot 2024-02-29 at 8 58 27 am

janbrasna commented 7 months ago

@amznmunchy The support for modern (TLSv1.3 only) is being added in https://github.com/mozilla/ssl-config-generator/pull/198. We're also looking into updates for ELB, would you mind checking https://github.com/mozilla/ssl-config-generator/issues/84#issuecomment-1949466949 if you have access to the cli to get the supported ciphers? Thanks.

amznmunchy commented 7 months ago

@janbrasna Thank you for the update! Classic Load Balancers support the following cipher suites:

Screenshot 2024-02-29 at 1 12 42 pm

gstrauss commented 1 day ago

Fixed by #198