The situation: background
A while back, I wrote an article on strong SSL configuration for NginX which was the result of many hours of research and trial. I need to update that article, as one of the articles I referenced is on raymii.org and has since been updated and basically has better advice than my article - so a big thanks to Remy.
Anyway, I'm currently in the final phase of architecting a new social network site hosting infrastructure and deployment strategy and am now pinning down the finer details. I've had a lot of input into this project and thus have insisted on HTTPS throughout, so naturally I wanted to ensure it's strongly configured. To this end, I have spent some time this afternoon essentially porting Remy's recommendations (as far as possible in this case) over to AWS to form an ELB (Elastic Load Balancer) configuration.
The recommended ciphers from Remy's article are (naturally) specified as an OpenSSL cipher string which NginX can use:
AES256+EECDH:AES256+EDH
This is exactly what's needed for NginX but does not match the explicit cipher listing on AWS ELB in the web console. So, I used the Qualys SSL certificate checker output from my own website, looked up the resulting ciphers on the openssl.org cipher name listing page, configured my ELB with those and ran the Qualys test. The result is an A grade, pretty respectable:
So the AWS ELB configuration is actually quite simple, just follow these steps when you get to the SSL configuration part of the AWS ELB setup or when you're editing your existing ELB listener (click the "Change" hyperlink under the "Ciphers" heading in the grid listing of your ELBs for the relevant ELB):
Select "Custom security policy" (if not already selected) - this will allow you to configure the protocols etc. properly:
Disable SSLv2 and SSLv3, enable TLSv1.0, TLSv1.1, TLSv1.2:
You'll need TLSv1.0 for IE <11.
There's only one option in the SSL options, "Server Order Preference" - you want this:
Next up is the critical part, selecting the ciphers. We want only these:
So deselect everything else.
Now you'll just need to either apply your changes (if you were editing an existing ELB) or finish the wizard if you started from scratch.
I haven't detailed exactly how this would be specified via CloudFormation or the AWS API as yet, but when I do, I'll update this article.
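As an added example (not the author's code and not an AWS tool), here is a Python sketch of the translation the post does by hand: parse `openssl ciphers -v` output for the `AES256+EECDH:AES256+EDH` string (the sample lines below are constructed, with one static-RSA suite added as a negative case), keep only forward-secret AES-256 suites, and emit the attribute list that `aws elb create-load-balancer-policy` accepts for a custom `SSLNegotiationPolicyType` policy. The protocol and cipher attribute names are those of the Classic ELB policy type; that unlisted ciphers default to disabled is an assumption.

```python
import json
import re

# Constructed sample: the shape of `openssl ciphers -v 'AES256+EECDH:AES256+EDH'`
# output, plus one static-RSA suite (AES256-SHA) that the filter must reject.
SAMPLE_OPENSSL_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""
# One `openssl ciphers -v` line: NAME PROTO Kx=... Au=... Enc=... Mac=...
LINE = re.compile(r"^(\S+)\s+\S+\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse_ciphers(text):
    """Return (name, key_exchange, encryption) tuples, skipping unparseable lines."""
    parsed = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            parsed.append((m.group(1), m.group(2), m.group(4)))
    return parsed

def forward_secret_aes256(ciphers):
    """Keep only ECDHE/DHE suites with 256-bit AES (the intent of AES256+EECDH:AES256+EDH).
    Order is preserved: with Server Order Preference on, it becomes the negotiation order."""
    return [name for name, kx, enc in ciphers
            if kx in ("ECDH", "DH") and enc.startswith("AES") and "(256)" in enc]

def elb_policy_attributes(cipher_names):
    """Attribute list for a Classic ELB SSLNegotiationPolicyType custom policy:
    SSLv2/SSLv3 off, TLS 1.0-1.2 on, server order preference on, chosen ciphers on.
    Ciphers not listed are assumed to stay at the policy type's default (disabled)."""
    attrs = [("Protocol-SSLv2", "false"), ("Protocol-SSLv3", "false"),
             ("Protocol-TLSv1", "true"), ("Protocol-TLSv1.1", "true"),
             ("Protocol-TLSv1.2", "true"), ("Server-Defined-Preference", "true")]
    attrs += [(name, "true") for name in cipher_names]
    return [{"AttributeName": k, "AttributeValue": v} for k, v in attrs]

if __name__ == "__main__":
    names = forward_secret_aes256(parse_ciphers(SAMPLE_OPENSSL_OUTPUT))
    # Save as policy.json, then: aws elb create-load-balancer-policy --load-balancer-name <lb>
    #   --policy-name <name> --policy-type-name SSLNegotiationPolicyType --policy-attributes file://policy.json
    print(json.dumps(elb_policy_attributes(names), indent=2))
```

Attach the resulting policy to the listener with `aws elb set-load-balancer-policies-of-listener`, then re-run the Qualys test as the post does to confirm the grade.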
Once again, thanks to Remy van Elst for the article that fed this.
I should note that my ELB is in pure TCP mode as I'm running websockets over it so it has to be layer 3 only (not HTTPS).