AWS ALB recommendations for Intermediate and Modern need updating #211
Comments
|
There's an open PR #198 to address the issue. @markstuart There's only a slight difference in the intermediate policy chosen, ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 that you recommend Can you elaborate on the difference or maybe review the PR to discuss the ideal setup with the author? |
|
Based on the overview table:
the -Ext1- includes weak suites as In reality it should be the more restricted -Res- policy, to get rid of all the CBC suites… ✅ → #198 (review) |
|
Hi team, TLS13-1-3-2021-06 (TLS v1.3 only) is now supported by ALBs.
|
|
@amznmunchy The support for |
|
@janbrasna Thank you for the update! Classic Load Balancers support the following cipher suites:
|
|
Fixed by #198 |
janbrasna
added
enhancement
|
@amznmunchy Thanks for the overview. We nonetheless use a custom policy, so we're picking from a different set of available ciphers, for ELB they're FYI defined here: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html#ssl-ciphers |
Intermediate
The awsalb 2019.8.1, intermediate config recommends using the "ELBSecurityPolicy-FS-1-2-Res-2019-08" for the listener ssl policy. That policy doesn't support TLS 1.3, but the intermediate config really should I think.
Matching the recommended protocols and ciphers for nginx 1.17.7, intermediate config, OpenSSL 1.1.1k the ALB listener policy that is the closest looks like ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
See https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-protocols-ciphers for cipher coverage in the table.
Modern
The awsalb 2019.8.1, modern config states that "unfortunately, AWS ALB does not support the modern configuration"
Looking at the available listener policies, the only one that AWS provides that restricts to TLS1.3 only is "ELBSecurityPolicy-TLS13-1-3-2021-06"
The text was updated successfully, but these errors were encountered: