Which SSL ciphers for PCI compliance on Amazon AWS ELB?
We're trying for PCI compliance on a load-balanced EC2 instance on AWS. One issue we have to resolve is that our load balancer accepts weak ciphers. However, ELB doesn't support the cipher suite, so I have to manually set each cipher one by one. Problem is, I can't find a list of what qualifies as a strong cipher. For example, which ciphers does this setting translate to:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

It's surprisingly hard to find this information, and Amazon doesn't have a default PCI-compliant setting (which seems so silly - they have two default policies, why not have a third called "Strong PCI" or something).

Byline answered 23/2, 2012 at 18:54

Update/Hint: Please make sure to read Seamus' follow-up comments as well to ease your way towards PCI certification of an ELB setup, insofar as picking the correct SSL ciphers turned out to be only one part of the puzzle.


Quite a puzzle - a default PCI compliant Elastic Load Balancing (ELB) setting would be extremely helpful indeed ;)

You can find all these tags deciphered in the Apache documentation of the SSLCipherSuite directive, e.g.:

  • !aNULL - not No authentication
  • !ADH - not all ciphers using Anonymous Diffie-Hellman key exchange
  • !eNULL - not No encoding
  • ...

This should allow you to translate them to the respective ELB settings as discussed in Creating a Load Balancer With SSL Cipher Settings and Back-end Server Authentication and Configuring SSL Ciphers specifically.

Good luck!

Hiltan answered 23/2, 2012 at 19:47

Byline: I found a couple of very helpful links for those pursuing this problem. A list of ciphers and their respective strengths: drjohnstechtalk.com/blog/2011/09/… A post about how to adjust your load balancer settings using the command line tools, with an example: forums.aws.amazon.com/message.jspa?messageID=276031 Using the command line tools, you can add a policy that eliminates the offending ciphers one by one.

Byline: Well, we got our PCI certification, but not without many trials and errors. A couple of tips:
  • Make sure you're scanning your domain, not your IP (if you're using a load balancer). Additionally, make sure you tighten up your server, even if it's behind the load balancer. If they connect to your IP it'll bypass the LB.
  • Make sure you leave open all the 256 ciphers and at least one or two 128s, or you'll have issues with IE8 and lower being able to connect.
  • Remember to APPLY your policy after you CREATE your policy by setting it to listen on port 443.

Hiltan: @SeamusJames: Thanks for following up with these details to guide future readers, much appreciated - your tips could help others save quite some time in similar scenarios. I've updated my answer with a respective pointer accordingly!
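The tags the answer above decodes combine under a small set of OpenSSL cipher-string rules: a bare keyword appends every matching suite not already listed, `!` removes matching suites permanently, `-` removes them (they can be re-added later), `+` moves matching suites to the end of the current list, and `A+B` requires both properties. The Python below is an added example, not code from this thread, Apache or AWS: it implements those rules over a constructed table of ten suites and expands the exact string from the question. The table, its ordering and the keyword definitions (including treating `RSA` as RSA key exchange) are simplified assumptions, so the authoritative expansion on a real host comes from `openssl ciphers -v '<string>'`.

```python
"""Expand an OpenSSL/Apache SSLCipherSuite string against a small suite table.

Added example. SUITES is a constructed subset of OpenSSL's cipher list with
attributes as OpenSSL classifies them; its order and the keyword set below are
assumptions (the real list and the @STRENGTH sort are not reproduced).
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange: "RSA" or "DH" (ephemeral or anonymous)
    au: str        # authentication: "RSA", or "None" for anonymous suites
    enc: str       # bulk cipher: "AES256", "RC4", "DES", or "None" (eNULL)
    mac: str       # "SHA1" or "MD5"
    strength: str  # "HIGH", "MEDIUM", "LOW", "EXPORT" or "NONE"
    export: bool = False


# Constructed table (assumed order; not OpenSSL's full or default ordering).
SUITES: List[Suite] = [
    Suite("AES256-SHA",         "RSA", "RSA",  "AES256", "SHA1", "HIGH"),
    Suite("DHE-RSA-AES256-SHA", "DH",  "RSA",  "AES256", "SHA1", "HIGH"),
    Suite("ADH-AES256-SHA",     "DH",  "None", "AES256", "SHA1", "HIGH"),
    Suite("AES128-SHA",         "RSA", "RSA",  "AES128", "SHA1", "HIGH"),
    Suite("RC4-SHA",            "RSA", "RSA",  "RC4",    "SHA1", "MEDIUM"),
    Suite("RC4-MD5",            "RSA", "RSA",  "RC4",    "MD5",  "MEDIUM"),
    Suite("ADH-RC4-MD5",        "DH",  "None", "RC4",    "MD5",  "MEDIUM"),
    Suite("DES-CBC-SHA",        "RSA", "RSA",  "DES",    "SHA1", "LOW"),
    Suite("EXP-RC4-MD5",        "RSA", "RSA",  "RC4",    "MD5",  "EXPORT", True),
    Suite("NULL-SHA",           "RSA", "RSA",  "None",   "SHA1", "NONE"),
]

# Keyword -> predicate. Simplified from ciphers(1); "RSA" here means RSA key
# exchange (kRSA), which is an assumption about the OpenSSL version in use.
KEYWORDS: Dict[str, Callable[[Suite], bool]] = {
    "ALL":    lambda s: s.enc != "None",            # everything except eNULL
    "aNULL":  lambda s: s.au == "None",             # no authentication
    "eNULL":  lambda s: s.enc == "None",            # no encryption
    "NULL":   lambda s: s.enc == "None",
    "ADH":    lambda s: s.kx == "DH" and s.au == "None",
    "HIGH":   lambda s: s.strength == "HIGH",
    "MEDIUM": lambda s: s.strength == "MEDIUM",
    "LOW":    lambda s: s.strength == "LOW",
    "EXP":    lambda s: s.export,
    "EXPORT": lambda s: s.export,
    "RSA":    lambda s: s.kx == "RSA",
    "DH":     lambda s: s.kx == "DH",
    "RC4":    lambda s: s.enc == "RC4",
    "AES":    lambda s: s.enc.startswith("AES"),
    "SHA":    lambda s: s.mac == "SHA1",
    "MD5":    lambda s: s.mac == "MD5",
}


def _matches(token: str, suite: Suite) -> bool:
    """A token is a '+'-joined conjunction of keywords (RC4+RSA) or a suite name."""
    for part in token.split("+"):
        if part in KEYWORDS:
            if not KEYWORDS[part](suite):
                return False
        elif part != suite.name:
            return False
    return True


def expand_cipher_string(spec: str, table: List[Suite] = SUITES) -> List[str]:
    """Return the ordered suite names that `spec` selects from `table`."""
    active: List[Suite] = []
    killed: set = set()  # names removed with '!' can never be re-added
    for raw in filter(None, re.split(r"[:, ]", spec)):
        if raw.startswith("@"):
            continue  # @STRENGTH and friends are not modelled here
        op, token = (raw[0], raw[1:]) if raw[0] in "!-+" else ("", raw)
        hits = [s for s in table if _matches(token, s)]
        if op == "!":
            killed.update(s.name for s in hits)
            active = [s for s in active if s not in hits]
        elif op == "-":
            active = [s for s in active if s not in hits]
        elif op == "+":
            moved = [s for s in active if s in hits]
            active = [s for s in active if s not in hits] + moved
        else:
            for s in hits:
                if s.name not in killed and s not in active:
                    active.append(s)
    return [s.name for s in active]


if __name__ == "__main__":
    spec = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
    for name in expand_cipher_string(spec):
        print(name)
```

Against this table the question's string keeps the HIGH suites first and the RSA/RC4 suites after them, and drops every anonymous, export, LOW and NULL suite; note that `+HIGH:+MEDIUM` only reorders what is already present, it never adds anything. Because `-` and `!` differ (only `!` is irreversible), a later `RC4+RSA` could re-add a suite removed with `-RC4` but not one removed with `!RC4`, which is the reason `!` is the safer prefix in a compliance-driven cipher string.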

I found the following settings for AWS ELB SSL Ciphers passed the PCI compliance scan we use:

Protocols: SSLv3, TLSv1

Ciphers: CAMELLIA128-SHA, CAMELLIA256-SHA, KRB5-RC4-MD5, KRB5-RC4-SHA, RC4-MD5, RC4-SHA, SEED-SHA

In addition, I found this website helpful to verify the protocols / ciphers running: https://www.ssllabs.com/ssltest/index.html

Slype answered 13/2, 2013 at 14:25