Achieving grade A SSL certificate configuration on AWS ELB

TL;DR

The situation: background

A while back, I wrote an article on strong SSL configuration for NginX which was the result of many hours of research and trial. I need to update that article, as one of the articles I referenced is on raymii.org and has been updated since and basically has better advice than my article - so a big thanks to Remy.

Anyway, I'm currently in the final phase of architecting a new social network site hosting infrastructure and deployment strategy and am now pinning down the finer details. I've had a lot of input into this project and thus have insisted on HTTPS throughout, so naturally I wanted to ensure it's strongly configured. To this end, I have spent some time this afternoon essentially porting Remy's recommendations (in as much as possible in this case) over to AWS to form an ELB (Elastic Load Balancer) configuration.

The recommended ciphers from Remy's article are (naturally) specified as an OpenSSL cipher string which NginX can use: AES256+EECDH:AES256+EDH. This is exactly what's needed for NginX but does not match the explicit cipher listing on AWS ELB in the web console. So, I took the Qualys SSL certificate checker output from my own website, looked up the resulting ciphers on the openssl.org cipher name listing page, configured my ELB with those and ran the Qualys test. The result is an A grade, pretty respectable:

The ELB configuration

So the AWS ELB configuration is actually quite simple. Just follow these steps when you get to the SSL configuration part of the AWS ELB setup, or when you're editing your existing ELB listener (click the "Change" hyperlink under the "Ciphers" heading in the grid listing of your ELBs for the relevant ELB):

Security policy

Select "Custom security policy" (if not already selected) - this will allow you to configure the protocols etc. properly:

Protocols

Disable SSLv2 and SSLv3, enable TLSv1.0, TLSv1.1, TLSv1.2:

You'll need TLSv1.0 for IE <11.

SSL options

There's only one option in the SSL options, "Server Order Preference" - you want this enabled:

Ciphers

Next up is the critical part, selecting the ciphers. We want (only):

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA

So deselect everything else.

Finishing up

Now you'll just need to either apply your changes (if you were editing an existing ELB) or finish the wizard if you started from scratch.

Cloudformation/API

I haven't detailed out exactly how this would be specified via cloudformation or the AWS API as yet but when I do, I'll update this article.

Footnote

Once again, thanks to Remy van Elst for the article that fed this.

I should note that my ELB is in pure TCP mode as I'm running websockets over it so it has to be layer 3 only (not HTTPS).