Login/Register
AWS ALB - prevent usage of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Asked Answered
Solved amazon-web-servicestls1.2amazon-elb
K

2

8

I use AWS ALB. I configured it to the strictest security policy which is "FS 1.2 res" and as described here it still supports ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384

(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)

These are considered weak. Is there a way to avoid supporting them while using AWS?

Update: AWS added ELBSecurityPolicy-FS-1-2-Res-2020-10 that answers the need

Kilian answered 14/7, 2020 at 17:22 Comment(1)
AWS added a security policy soon after you asked this question, that has no weak ciphers: ELBSecurityPolicy-FS-1-2-Res-2020-10Bora
K
8

This is the formal answer from AWS

Unfortunately, I regret to say that there isn’t any predefined Security Policy which you can use to avoid supporting the aforementioned weak ciphers in case of both Application Load Balancer (ALB) or Network Load Balancer (NLB). Also, currently ALB or NLB do not support custom security policies.

Having said that, I would like to inform you that there is an active feature request already in place to have an ability to attach custom security policy to an ALB. I can assure you our service team is actively working to add this feature to ALB. We have an internal request to track the feature and I've added your voice to the request to expedite the process. However, I don't have any ETA as when this feature request will be released due to various validation and regression testing process that all the feature requests go through.

Workaround:

For now the only workaround would be to use a Classic Load Balancer(CLB), which supports attaching Custom security policies[1] and you can also enable Server Order Preference[2]. In this case, the ELB selects the first cipher in its list that is in the client's list of ciphers. This ensures that the load balancer determines which cipher is used for SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.

However, please note that CLB does not offer robust features as ALB.

Update: AWS added ELBSecurityPolicy-FS-1-2-Res-2020-10 that answers the need

Kilian answered 23/8, 2020 at 18:29 Comment(2)
This is pretty crazy, given that this is a proven and published weak algo, not providing a solution that's easy to apply is a risk to large portion of the internet. I am surprised they don't just remove this algorithm from the built in policy, surely the impact would be less than leaving it in, given the risk.Callihan
As of October 2020 you can use the ELBSecurityPolicy-FS-1-2-Res-2020-10 which does not allow ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384 docs.aws.amazon.com/elasticloadbalancing/latest/application/…Mikey
M
1

If you use an ALB you're limited to the security policies as they are.

CloudFronts policies also enforce this cipher suite with their policies this so you would not be able to get around it this way.

Although they're now legacy, classic load balancers do have a feature that allows you configure a security policy on your load balancer rather than being bound to a predefined one.

Alternatively if you do not want to use this you would need to use a Network Load Balancer (either replacing the ALB or in front of a proxy that sits in front of your ALB). By using an NLB your target host can define cipher suites and TLS versions.

Melanochroi answered 14/7, 2020 at 17:32 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.