AWS ALB recommendations for Intermediate and Modern need updating #211
Comments
There's an open PR #198 to address the issue. @markstuart There's only a slight difference in the intermediate policy chosen, ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06, that you recommend. Can you elaborate on the difference, or maybe review the PR to discuss the ideal setup with the author?
Based on the overview table: the -Ext1- includes weak suites as In reality it should be the more restricted -Res- policy, to get rid of all the CBC suites… ✅ → #198 (review)
@amznmunchy The support for
@janbrasna Thank you for the update! Classic Load Balancers support the following cipher suites:
Fixed by #198
@amznmunchy Thanks for the overview. We nonetheless use a custom policy, so we're picking from a different set of available ciphers; for ELB they're, FYI, defined here: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html#ssl-ciphers
Intermediate
The awsalb 2019.8.1 intermediate config recommends using "ELBSecurityPolicy-FS-1-2-Res-2019-08" for the listener SSL policy. That policy doesn't support TLS 1.3, but the intermediate config really should, I think.
Matching the recommended protocols and ciphers for the nginx 1.17.7 intermediate config with OpenSSL 1.1.1k, the closest ALB listener policy looks like ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06.
See https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-protocols-ciphers for cipher coverage in the table.
Modern
The awsalb 2019.8.1 modern config states that "unfortunately, AWS ALB does not support the modern configuration".
Looking at the available listener policies, the only one AWS provides that restricts to TLS 1.3 only is "ELBSecurityPolicy-TLS13-1-3-2021-06".
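As an added example, not part of this issue or of the ssl-config-generator project, here is a small Python audit that classifies ALB security policies by the criteria discussed above (TLS 1.3 only for modern; TLS 1.2+1.3 with no CBC suites for intermediate). It is fed a constructed sample shaped like `aws elbv2 describe-ssl-policies` output; the cipher lists in the sample are abbreviated and assumed, so check them against the AWS table linked above before relying on them.

```python
import json

# Constructed sample shaped like `aws elbv2 describe-ssl-policies` output.
# Policy contents are abbreviated and ASSUMED for this example; confirm
# against the AWS documentation, they are not copied from it.
SAMPLE_DESCRIBE_SSL_POLICIES = json.dumps({"SslPolicies": [
    {"Name": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
     "SslProtocols": ["TLSv1.2"],
     "Ciphers": [{"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                 {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2}]},
    {"Name": "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
     "SslProtocols": ["TLSv1.2", "TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                 {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                 {"Name": "ECDHE-RSA-AES128-SHA256", "Priority": 3}]},
    {"Name": "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
     "SslProtocols": ["TLSv1.2", "TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                 {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2}]},
    {"Name": "ELBSecurityPolicy-TLS13-1-3-2021-06",
     "SslProtocols": ["TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1}]},
]})


def is_cbc(cipher: str) -> bool:
    """TLS 1.2 suites whose OpenSSL name carries no AEAD marker (GCM,
    CHACHA20, CCM) are CBC-mode suites. TLS 1.3 names start with TLS_ and
    are always AEAD."""
    if cipher.startswith("TLS_"):
        return False
    return not any(aead in cipher for aead in ("GCM", "CHACHA20", "CCM"))


def classify(policy: dict) -> str:
    """Map one policy record to the Mozilla profile it can satisfy."""
    protos = set(policy["SslProtocols"])
    ciphers = [c["Name"] for c in policy["Ciphers"]]
    if protos == {"TLSv1.3"}:
        return "modern"
    if protos == {"TLSv1.2", "TLSv1.3"}:
        if any(is_cbc(c) for c in ciphers):
            return "tls1.2+1.3 but CBC suites present"
        return "intermediate"
    return "no TLS 1.3"


def audit(describe_output: str) -> dict:
    """Classify every policy in a describe-ssl-policies JSON document."""
    return {p["Name"]: classify(p)
            for p in json.loads(describe_output)["SslPolicies"]}
```

Pipe real `aws elbv2 describe-ssl-policies` output into `audit()` to see which built-in policy actually matches the profile you want; a policy that lands in the "CBC suites present" bucket is the situation the reviewer's "-Res-" remark is about.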