awselb 2014.2.19, intermediate config supports weak DH parameters

[sonicdoe]

The awselb 2014.2.19, intermediate config supports weak Diffie-Hellman (DH) key exchange parameters, capping the Qualys SSL Labs grade to B.

As far as I know, Classic Load Balancers always use 1024-bit keys and Amazon Web Services instead recommends disabling DHE cipher suites. See Announcement: Announcing ELB security update to disable Diffie-Hellman key agreement from May 2015.

[april]

Yeah, there's not a ton I can do there. Thankfully it's pretty unlikely for DHE to be selected for almost any client these days.

Do you have any suggestions?

[sonicdoe]

We could use a different set of cipher suites for Classic Load Balancers. For example, for Application Load Balancers, we use the ELBSecurityPolicy-FS-1-2-Res-2019-08 security policy (because we can’t define our own) which does not include any DHE cipher suites.

[april]

Yes, but I don't think it's necessarily great to have a completely different set of cipher suites for just one specific server. ELB is different in that it doesn't give you a choice, but it otherwise makes it incredibly hard to support and be correct with what clients are supported.

Keep in mind that DHE is already only going to be negotiated for IE11 Clients on Windows 7, so it's a pretty small group, and assuming Amazon frequently rotates DH parameters, it's unlikely to be a significant problem.

I would be fine adding a note to the ALB config to indicate that AWS uses weak DH paramaters.

[april]

For example, you can see that the HTTP Observatory backend is using this ALB:
https://www.ssllabs.com/ssltest/analyze.html?d=http%2dobservatory.security.mozilla.org&s=52.203.134.155&latest

And only IE11 negotiated this.

[sonicdoe]

I’m also concerned with the perception of this configuration. If one configures their Classic Load Balancer with the intermediate config, they might be surprised and feel uncomfortable with receiving a warning on SSL Labs (which also caps the grade to B).

How about using the exact same cipher suites as the ELBSecurityPolicy-FS-1-2-Res-2019-08 security policy we use for Application Load Balancers? This way, we would use the same set for both Application Load Balancers and Classic Load Balancers.

[janbrasna]

Well there's manually maintained list of ciphers for awselb in config anyways:

ssl-config-generator/src/js/configs.js

Line 31 in 454a235

supportedCiphers: ['ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-RSA-AES128-SHA256', 'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES128-SHA', 'DHE-RSA-AES128-SHA', 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA', 'ECDHE-ECDSA-AES256-SHA', 'AES128-GCM-SHA256', 'AES128-SHA256', 'AES128-SHA', 'AES256-GCM-SHA384', 'AES256-SHA256', 'AES256-SHA', 'DHE-DSS-AES128-SHA', 'CAMELLIA128-SHA', 'EDH-RSA-DES-CBC3-SHA', 'DES-CBC3-SHA', 'ECDHE-RSA-RC4-SHA', 'RC4-SHA', 'ECDHE-ECDSA-RC4-SHA', 'DHE-DSS-AES256-GCM-SHA384', 'DHE-RSA-AES256-GCM-SHA384', 'DHE-RSA-AES256-SHA256', 'DHE-DSS-AES256-SHA256', 'DHE-RSA-AES256-SHA', 'DHE-DSS-AES256-SHA', 'DHE-RSA-CAMELLIA256-SHA', 'DHE-DSS-CAMELLIA256-SHA', 'CAMELLIA256-SHA', 'EDH-DSS-DES-CBC3-SHA', 'DHE-DSS-AES128-GCM-SHA256', 'DHE-RSA-AES128-GCM-SHA256', 'DHE-RSA-AES128-SHA256', 'DHE-DSS-AES128-SHA256', 'DHE-RSA-CAMELLIA128-SHA', 'DHE-DSS-CAMELLIA128-SHA', 'ADH-AES128-GCM-SHA256', 'ADH-AES128-SHA', 'ADH-AES128-SHA256', 'ADH-AES256-GCM-SHA384', 'ADH-AES256-SHA', 'ADH-AES256-SHA256', 'ADH-CAMELLIA128-SHA', 'ADH-CAMELLIA256-SHA', 'ADH-DES-CBC3-SHA', 'ADH-DES-CBC-SHA', 'ADH-RC4-MD5', 'ADH-SEED-SHA', 'DES-CBC-SHA', 'DHE-DSS-SEED-SHA', 'DHE-RSA-SEED-SHA', 'EDH-DSS-DES-CBC-SHA', 'EDH-RSA-DES-CBC-SHA', 'IDEA-CBC-SHA', 'RC4-MD5', 'SEED-SHA', 'DES-CBC3-MD5', 'DES-CBC-MD5', 'RC2-CBC-MD5', 'PSK-AES256-CBC-SHA', 'PSK-3DES-EDE-CBC-SHA', 'KRB5-DES-CBC3-SHA', 'KRB5-DES-CBC3-MD5', 'PSK-AES128-CBC-SHA', 'PSK-RC4-SHA', 'KRB5-RC4-SHA', 'KRB5-RC4-MD5', 'KRB5-DES-CBC-SHA', 'KRB5-DES-CBC-MD5', 'EXP-EDH-RSA-DES-CBC-SHA', 'EXP-EDH-DSS-DES-CBC-SHA', 'EXP-ADH-DES-CBC-SHA', 'EXP-DES-CBC-SHA', 'EXP-RC2-CBC-MD5', 'EXP-KRB5-RC2-CBC-SHA', 'EXP-KRB5-DES-CBC-SHA', 'EXP-KRB5-RC2-CBC-MD5', 'EXP-KRB5-DES-CBC-MD5', 'EXP-ADH-RC4-MD5', 'EXP-RC4-MD5', 'EXP-KRB5-RC4-SHA', 'EXP-KRB5-RC4-MD5'],

so a quick hack might be just removing the DHE values intentionally if we know they only use short keys, and they won't be matched for output then… (but that would kill them off for both intermediate AND old which is probably not the ideal outcome:/…)

BTW the available cipher list hasn't been updated in a while, too. It'd be great if anyone could check the current output of

aws elb describe-load-balancer-policies --query "PolicyDescriptions[?PolicyName=='ELBSample-ELBDefaultCipherPolicy'].PolicyAttributeDescriptions[*].AttributeName[]"

if there's any change.

[gstrauss]

Fixed in #198.

[janbrasna]

(No resolution for ELB sadly, that might come in a form of an updated browser support in future recommendations' version, dropping DHE suites altogether; but for now the intermediate output still contains them. Perhaps a comment added to let consumers know they might remove them if they see it appropriate for their audience might be worth it?)