Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

awselb 2014.2.19, intermediate config supports weak DH parameters #84

Open
sonicdoe opened this issue Feb 26, 2020 · 11 comments
Open

awselb 2014.2.19, intermediate config supports weak DH parameters #84

sonicdoe opened this issue Feb 26, 2020 · 11 comments
Assignees
@janbrasna
Labels
documentation Write down all the things feedback Things to learn from P1 Priority: 1 S2 Severity: 2

Comments

@sonicdoe
Copy link
Contributor

The awselb 2014.2.19, intermediate config supports weak Diffie-Hellman (DH) key exchange parameters, capping the Qualys SSL Labs grade to B.

As far as I know, Classic Load Balancers always use 1024-bit keys and Amazon Web Services instead recommends disabling DHE cipher suites. See Announcement: Announcing ELB security update to disable Diffie-Hellman key agreement from May 2015.
@april
Copy link
Contributor

april commented Mar 4, 2020

Yeah, there's not a ton I can do there. Thankfully it's pretty unlikely for DHE to be selected for almost any client these days.

Do you have any suggestions?

@sonicdoe
Copy link
Contributor Author

sonicdoe commented Mar 5, 2020
edited
Loading

We could use a different set of cipher suites for Classic Load Balancers. For example, for Application Load Balancers, we use the ELBSecurityPolicy-FS-1-2-Res-2019-08 security policy (because we can’t define our own) which does not include any DHE cipher suites.

@april
Copy link
Contributor

april commented Mar 5, 2020

Yes, but I don't think it's necessarily great to have a completely different set of cipher suites for just one specific server. ELB is different in that it doesn't give you a choice, but it otherwise makes it incredibly hard to support and be correct with what clients are supported.

Keep in mind that DHE is already only going to be negotiated for IE11 Clients on Windows 7, so it's a pretty small group, and assuming Amazon frequently rotates DH parameters, it's unlikely to be a significant problem.

I would be fine adding a note to the ALB config to indicate that AWS uses weak DH paramaters.

@april
Copy link
Contributor

april commented Mar 5, 2020

For example, you can see that the HTTP Observatory backend is using this ALB:
https://www.ssllabs.com/ssltest/analyze.html?d=http%2dobservatory.security.mozilla.org&s=52.203.134.155&latest

And only IE11 negotiated this.

@sonicdoe
Copy link
Contributor Author

sonicdoe commented Mar 7, 2020

I’m also concerned with the perception of this configuration. If one configures their Classic Load Balancer with the intermediate config, they might be surprised and feel uncomfortable with receiving a warning on SSL Labs (which also caps the grade to B).

How about using the exact same cipher suites as the ELBSecurityPolicy-FS-1-2-Res-2019-08 security policy we use for Application Load Balancers? This way, we would use the same set for both Application Load Balancers and Classic Load Balancers.

@janbrasna
Copy link
Collaborator

Well there's manually maintained list of ciphers for awselb in config anyways:

ssl-config-generator/src/js/configs.js

Line 31 in 454a235

supportedCiphers: ['ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-RSA-AES128-SHA256', 'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES128-SHA', 'DHE-RSA-AES128-SHA', 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA', 'ECDHE-ECDSA-AES256-SHA', 'AES128-GCM-SHA256', 'AES128-SHA256', 'AES128-SHA', 'AES256-GCM-SHA384', 'AES256-SHA256', 'AES256-SHA', 'DHE-DSS-AES128-SHA', 'CAMELLIA128-SHA', 'EDH-RSA-DES-CBC3-SHA', 'DES-CBC3-SHA', 'ECDHE-RSA-RC4-SHA', 'RC4-SHA', 'ECDHE-ECDSA-RC4-SHA', 'DHE-DSS-AES256-GCM-SHA384', 'DHE-RSA-AES256-GCM-SHA384', 'DHE-RSA-AES256-SHA256', 'DHE-DSS-AES256-SHA256', 'DHE-RSA-AES256-SHA', 'DHE-DSS-AES256-SHA', 'DHE-RSA-CAMELLIA256-SHA', 'DHE-DSS-CAMELLIA256-SHA', 'CAMELLIA256-SHA', 'EDH-DSS-DES-CBC3-SHA', 'DHE-DSS-AES128-GCM-SHA256', 'DHE-RSA-AES128-GCM-SHA256', 'DHE-RSA-AES128-SHA256', 'DHE-DSS-AES128-SHA256', 'DHE-RSA-CAMELLIA128-SHA', 'DHE-DSS-CAMELLIA128-SHA', 'ADH-AES128-GCM-SHA256', 'ADH-AES128-SHA', 'ADH-AES128-SHA256', 'ADH-AES256-GCM-SHA384', 'ADH-AES256-SHA', 'ADH-AES256-SHA256', 'ADH-CAMELLIA128-SHA', 'ADH-CAMELLIA256-SHA', 'ADH-DES-CBC3-SHA', 'ADH-DES-CBC-SHA', 'ADH-RC4-MD5', 'ADH-SEED-SHA', 'DES-CBC-SHA', 'DHE-DSS-SEED-SHA', 'DHE-RSA-SEED-SHA', 'EDH-DSS-DES-CBC-SHA', 'EDH-RSA-DES-CBC-SHA', 'IDEA-CBC-SHA', 'RC4-MD5', 'SEED-SHA', 'DES-CBC3-MD5', 'DES-CBC-MD5', 'RC2-CBC-MD5', 'PSK-AES256-CBC-SHA', 'PSK-3DES-EDE-CBC-SHA', 'KRB5-DES-CBC3-SHA', 'KRB5-DES-CBC3-MD5', 'PSK-AES128-CBC-SHA', 'PSK-RC4-SHA', 'KRB5-RC4-SHA', 'KRB5-RC4-MD5', 'KRB5-DES-CBC-SHA', 'KRB5-DES-CBC-MD5', 'EXP-EDH-RSA-DES-CBC-SHA', 'EXP-EDH-DSS-DES-CBC-SHA', 'EXP-ADH-DES-CBC-SHA', 'EXP-DES-CBC-SHA', 'EXP-RC2-CBC-MD5', 'EXP-KRB5-RC2-CBC-SHA', 'EXP-KRB5-DES-CBC-SHA', 'EXP-KRB5-RC2-CBC-MD5', 'EXP-KRB5-DES-CBC-MD5', 'EXP-ADH-RC4-MD5', 'EXP-RC4-MD5', 'EXP-KRB5-RC4-SHA', 'EXP-KRB5-RC4-MD5'],

so a quick hack might be just removing the DHE values intentionally if we know they only use short keys, and they won't be matched for output then… (but that would kill them off for both intermediate AND old which is probably not the ideal outcome:/…)

BTW the available cipher list hasn't been updated in a while, too. It'd be great if anyone could check the current output of

aws elb describe-load-balancer-policies --query "PolicyDescriptions[?PolicyName=='ELBSample-ELBDefaultCipherPolicy'].PolicyAttributeDescriptions[*].AttributeName[]"

if there's any change.

@janbrasna janbrasna mentioned this issue Feb 28, 2024
Closed
@gstrauss

This comment was marked as outdated.

Sign in to view
@gstrauss gstrauss closed this as completed Oct 4, 2024
@janbrasna janbrasna reopened this Oct 4, 2024
@janbrasna

This comment was marked as outdated.

Sign in to view
@janbrasna janbrasna self-assigned this Oct 8, 2024
@janbrasna janbrasna added documentation Write down all the things feedback Things to learn from P1 Priority: 1 S2 Severity: 2 labels Oct 8, 2024
@janbrasna
Copy link
Collaborator

The AWS announcement 3061 also mentioned:

"At present ELB load balancers use a 1024-bit DHE key size. This size is also being updated to 2048-bit, however we recommend using ECDHE where available due to greater cryptographic strength and speedier operation."

Nonetheless I wasn't able to find any further reference if that key size update really happened and what is in use today.

I will look into adding a comment to the output, mentioning possible short keys and a hint to remove DHE lines if the kind of compatibility is not necessary for given consumer.

How about using the exact same cipher suites as the ELBSecurityPolicy-FS-1-2-Res-2019-08 security policy we use for Application Load Balancers? This way, we would use the same set for both Application Load Balancers and Classic Load Balancers.

Oh the issue is ELBs don't support those policies at all, see the list: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html#tls-protocols

@sonicdoe
Copy link
Contributor Author

How about using the exact same cipher suites as the ELBSecurityPolicy-FS-1-2-Res-2019-08 security policy we use for Application Load Balancers? This way, we would use the same set for both Application Load Balancers and Classic Load Balancers.

Oh the issue is ELBs don't support those policies at all, see the list: docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html#tls-protocols

As far as I understand, this is only the list of predefined security policies. You can always create a custom security policy. Could we create a custom policy that uses the same cipher suites as the ELBSecurityPolicy-FS-1-2-Res-2019-08 policy (which is indeed not available as a predefined policy for Classic Load Balancers)?

@janbrasna
Copy link
Collaborator

janbrasna commented Oct 13, 2024
edited
Loading

I'm not sure they support the same cipher suites to construct the equivalent policy (we're now on ELBSecurityPolicy-TLS13-1-2-Res-2021-06, and that's only "close enough" to the intermediate here, rather sparse on tls12/rsa side of things), but will check — I'm looking into addressing this issue very soon, but I'm hitting outdated/missing docs everywhere I look…;) What's available for Classic should be: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html#ssl-ciphers

@sonicdoe Would you mind running aws elb describe-load-balancer-policies --query "PolicyDescriptions[?PolicyName=='ELBSample-ELBDefaultCipherPolicy'].PolicyAttributeDescriptions[*].AttributeName[]" if you're an elb user, to check that has the same list, please?

BTW if anyone has some ELB instance available, configured with moz intermediate, and would be able to check the DH size — so that we know for sure if it's stuck on 1024 or updated to 2048 as promised (thus resolving this)?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@janbrasna janbrasna

Labels
documentation Write down all the things feedback Things to learn from P1 Priority: 1 S2 Severity: 2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@april @sonicdoe @gstrauss @janbrasna