april
commented
4 years ago Yeah, there's not a ton I can do there. Thankfully it's pretty unlikely for DHE to be selected for almost any client these days.
Do you have any suggestions?
Open sonicdoe opened 4 years ago
april
commented
4 years ago Yeah, there's not a ton I can do there. Thankfully it's pretty unlikely for DHE to be selected for almost any client these days.
Do you have any suggestions?
sonicdoe
commented
4 years ago We could use a different set of cipher suites for Classic Load Balancers. For example, for Application Load Balancers, we use the ELBSecurityPolicy-FS-1-2-Res-2019-08 security policy (because we can’t define our own) which does not include any DHE cipher suites.
april
commented
4 years ago Yes, but I don't think it's necessarily great to have a completely different set of cipher suites for just one specific server. ELB is different in that it doesn't give you a choice, but it otherwise makes it incredibly hard to support and be correct with what clients are supported.
Keep in mind that DHE is already only going to be negotiated for IE11 Clients on Windows 7, so it's a pretty small group, and assuming Amazon frequently rotates DH parameters, it's unlikely to be a significant problem.
I would be fine adding a note to the ALB config to indicate that AWS uses weak DH paramaters.
april
commented
4 years ago For example, you can see that the HTTP Observatory backend is using this ALB: https://www.ssllabs.com/ssltest/analyze.html?d=http%2dobservatory.security.mozilla.org&s=52.203.134.155&latest
And only IE11 negotiated this.
sonicdoe
commented
4 years ago I’m also concerned with the perception of this configuration. If one configures their Classic Load Balancer with the intermediate config, they might be surprised and feel uncomfortable with receiving a warning on SSL Labs (which also caps the grade to B).
How about using the exact same cipher suites as the ELBSecurityPolicy-FS-1-2-Res-2019-08 security policy we use for Application Load Balancers? This way, we would use the same set for both Application Load Balancers and Classic Load Balancers.
janbrasna
commented
9 months ago Well there's manually maintained list of ciphers for awselb in config anyways:
https://github.com/mozilla/ssl-config-generator/blob/454a2353f0215042d50ec5df574e7fcf2a03a85d/src/js/configs.js#L31
so a quick hack might be just removing the DHE values intentionally if we know they only use short keys, and they won't be matched for output then… (but that would kill them off for both intermediate AND old which is probably not the ideal outcome:/…)
BTW the available cipher list hasn't been updated in a while, too. It'd be great if anyone could check the current output of
aws elb describe-load-balancer-policies --query "PolicyDescriptions[?PolicyName=='ELBSample-ELBDefaultCipherPolicy'].PolicyAttributeDescriptions[*].AttributeName[]"if there's any change.
gstrauss
commented
1 month ago Fixed in #198.
janbrasna
commented
1 month ago (No resolution for ELB sadly, that might come in a form of an updated browser support in future recommendations' version, dropping DHE suites altogether; but for now the intermediate output still contains them. Perhaps a comment added to let consumers know they might remove them if they see it appropriate for their audience might be worth it?)
janbrasna
commented
1 month ago The AWS announcement 3061 also mentioned:
"At present ELB load balancers use a 1024-bit DHE key size. This size is also being updated to 2048-bit, however we recommend using ECDHE where available due to greater cryptographic strength and speedier operation."
Nonetheless I wasn't able to find any further reference if that key size update really happened and what is in use today.
I will look into adding a comment to the output, mentioning possible short keys and a hint to remove DHE lines if the kind of compatibility is not necessary for given consumer.
How about using the exact same cipher suites as the
ELBSecurityPolicy-FS-1-2-Res-2019-08security policy we use for Application Load Balancers? This way, we would use the same set for both Application Load Balancers and Classic Load Balancers.
Oh the issue is ELBs don't support those policies at all, see the list: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html#tls-protocols
sonicdoe
commented
1 month ago How about using the exact same cipher suites as the
ELBSecurityPolicy-FS-1-2-Res-2019-08security policy we use for Application Load Balancers? This way, we would use the same set for both Application Load Balancers and Classic Load Balancers.Oh the issue is ELBs don't support those policies at all, see the list: docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html#tls-protocols
As far as I understand, this is only the list of predefined security policies. You can always create a custom security policy. Could we create a custom policy that uses the same cipher suites as the ELBSecurityPolicy-FS-1-2-Res-2019-08 policy (which is indeed not available as a predefined policy for Classic Load Balancers)?
janbrasna
commented
1 month ago I'm not sure they support the same cipher suites to construct the equivalent policy (we're now on ELBSecurityPolicy-TLS13-1-2-Res-2021-06, and that's only "close enough" to the intermediate here, rather sparse on tls12/rsa side of things), but will check — I'm looking into addressing this issue very soon, but I'm hitting outdated/missing docs everywhere I look…;) What's available for Classic should be: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html#ssl-ciphers
(However that doesn't match what was being used for configuring the intersections of cipher settings, as aws elb describe-load-balancer-policies --query "PolicyDescriptions[?PolicyName=='ELBSample-ELBDefaultCipherPolicy'].PolicyAttributeDescriptions[*].AttributeName[]" returns a different list; I will probably just compare what's available in the UI for selecting the policy at AWS…)
Does someone here have any ELB instance available from outside, configured with moz intermediate, and would be able to check the DH size — so that we know for sure if it's stuck on 1024 or updated to 2048 as promised (thus resolving this)?
janbrasna
commented
1 week ago So I went ahead and set up a few EC2 instances to check the key exchange — and unfortunately it's still 1024b almost 10 years later — so we really should be excluding them at least from intermediate (or, basically, set the condition in a way that when dhParamSize exceeds 1024 the FFDHE suites must be excluded for Classic ELB.)
```sh ~ % openssl s_client -connect ffdh-test-15538***93.us-east-1.elb.amazonaws.com:443 -cipher '@SECLEVEL=1:DHE-RSA-AES256-GCM-SHA384' Connecting to 54.84.2*1.35 CONNECTED(00000006) […] verify return:1 --- a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Nov 9 18:28:27 2024 GMT; NotAfter: Nov 9 18:28:27 2025 GMT --- Peer signing digest: SHA512 Peer signature type: RSA Server Temp Key: DH, 1024 bits --- ~ * ~ * ~ * ~ * ^^^^^^^^^^^^^ … !!! ~ * ~ * ~ * ~ --- New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384 Protocol: TLSv1.2 Server public key is 2048 bit Secure Renegotiation IS supported SSL-Session: Protocol : TLSv1.2 Cipher : DHE-RSA-AES256-GCM-SHA384 Session-ID: 9A815AF…BA02C611C05 Session-ID-ctx: Master-Key: 11EC4B66596…CC1C0188463C178 Extended master secret: no --- ```
SSL protocols ``` Protocol-TLSv1 Protocol-SSLv3 Protocol-TLSv1.1 Protocol-TLSv1.2 ``` SSL options ``` Server order preference ``` SSL ciphers ``` ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-DSS-AES128-SHA CAMELLIA128-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA ECDHE-RSA-RC4-SHA RC4-SHA ECDHE-ECDSA-RC4-SHA DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA CAMELLIA256-SHA EDH-DSS-DES-CBC3-SHA DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA ADH-AES128-GCM-SHA256 ADH-AES128-SHA ADH-AES128-SHA256 ADH-AES256-GCM-SHA384 ADH-AES256-SHA ADH-AES256-SHA256 ADH-CAMELLIA128-SHA ADH-CAMELLIA256-SHA ADH-DES-CBC3-SHA ADH-DES-CBC-SHA ADH-RC4-MD5 ADH-SEED-SHA DES-CBC-SHA DHE-DSS-SEED-SHA DHE-RSA-SEED-SHA EDH-DSS-DES-CBC-SHA EDH-RSA-DES-CBC-SHA IDEA-CBC-SHA RC4-MD5 SEED-SHA DES-CBC3-MD5 DES-CBC-MD5 RC2-CBC-MD5 PSK-AES256-CBC-SHA PSK-3DES-EDE-CBC-SHA KRB5-DES-CBC3-SHA KRB5-DES-CBC3-MD5 PSK-AES128-CBC-SHA PSK-RC4-SHA KRB5-RC4-SHA KRB5-RC4-MD5 KRB5-DES-CBC-SHA KRB5-DES-CBC-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-ADH-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-KRB5-RC2-CBC-SHA EXP-KRB5-DES-CBC-SHA EXP-KRB5-RC2-CBC-MD5 EXP-KRB5-DES-CBC-MD5 EXP-ADH-RC4-MD5 EXP-RC4-MD5 EXP-KRB5-RC4-SHA EXP-KRB5-RC4-MD5 ```
janbrasna
commented
1 week ago @sonicdoe 🤙 FYI let me know how you'd like https://fix-awselb-dhe--mozsslconf-dev.netlify.app/#server=awselb (preview/WIP), that basically keeps the list complete, allowing folks to flip the switch if they know what they are doing, but lists those as disabled with some rationale added…
The awselb 2014.2.19, intermediate config supports weak Diffie-Hellman (DH) key exchange parameters, capping the Qualys SSL Labs grade to B.
As far as I know, Classic Load Balancers always use 1024-bit keys and Amazon Web Services instead recommends disabling DHE cipher suites. See Announcement: Announcing ELB security update to disable Diffie-Hellman key agreement from May 2015.