Closed markstuart closed 1 month ago
janbrasna
commented
11 months ago There's an open PR #198 to address the issue.
@markstuart There's only a slight difference in the intermediate policy chosen,
ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 that you recommend vs. ELBSecurityPolicy-TLS13-1-2-2021-06 in the PR
Can you elaborate on the difference or maybe review the PR to discuss the ideal setup with the author?
janbrasna
commented
9 months ago Based on the overview table:
the -Ext1- includes weak suites as TLS_RSA_WITH_AES_128_CBC_SHA256 or TLS_RSA_WITH_AES_128_GCM_SHA256 so that shouldn't be used. 🚫
In reality it should be the more restricted -Res- policy, to get rid of all the CBC suites… ✅ → https://github.com/mozilla/ssl-config-generator/pull/198#pullrequestreview-1859692898
amznmunchy
commented
9 months ago Hi team, TLS13-1-3-2021-06 (TLS v1.3 only) is now supported by ALBs.
janbrasna
commented
9 months ago @amznmunchy The support for modern (TLSv1.3 only) is being added in https://github.com/mozilla/ssl-config-generator/pull/198. We're also looking into updates for ELB, would you mind checking https://github.com/mozilla/ssl-config-generator/issues/84#issuecomment-1949466949 if you have access to the cli to get the supported ciphers? Thanks.
amznmunchy
commented
9 months ago @janbrasna Thank you for the update! Classic Load Balancers support the following cipher suites:
gstrauss
commented
1 month ago Fixed by #198
janbrasna
commented
1 month ago @amznmunchy Thanks for the overview. We nonetheless use a custom policy, so we're picking from a different set of available ciphers, for ELB they're FYI defined here: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html#ssl-ciphers (as the predefined policies for ELBs are nowhere near the ones we use for ALBs, so we have to build custom ones for Classic…)
Intermediate
The awsalb 2019.8.1, intermediate config recommends using the "ELBSecurityPolicy-FS-1-2-Res-2019-08" for the listener ssl policy. That policy doesn't support TLS 1.3, but the intermediate config really should I think.
Matching the recommended protocols and ciphers for nginx 1.17.7, intermediate config, OpenSSL 1.1.1k the ALB listener policy that is the closest looks like ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
See https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-protocols-ciphers for cipher coverage in the table.
Modern
The awsalb 2019.8.1, modern config states that "unfortunately, AWS ALB does not support the modern configuration"
Looking at the available listener policies, the only one that AWS provides that restricts to TLS1.3 only is "ELBSecurityPolicy-TLS13-1-3-2021-06"