Add ECDHE ciphers and set to true, should enable pfs #150
jdotpz wants to merge 2 commits into mozilla:master from
@jvehent JP of MoFo has identified some new ciphers. Want to weigh in on this?

The ciphers are good. How does the script deal with the ciphersuite ordering? The default ELB policy has strong ordering to prefer some ciphers, and we want that as well, but I don't see how it's applied in the script.

I just added in a bit to include that setting, and ELBs I use it against are coming back with an A rating.

Beautiful! r+

@jdotpz: Do you have a public endpoint I can take a look at?

webmaker.org

/me likes !

```
$ ./cipherscan popcorn.webmaker.org
......................
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,P-256,256bits
3     ECDHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
4     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,P-256,256bits
5     ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,P-256,256bits
6     ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
7     AES128-GCM-SHA256            TLSv1.2
8     AES128-SHA256                TLSv1.2
9     AES128-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
10    AES256-GCM-SHA384            TLSv1.2
11    AES256-SHA256                TLSv1.2
12    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
13    DHE-RSA-AES128-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
14    CAMELLIA128-SHA              SSLv3,TLSv1,TLSv1.1,TLSv1.2
15    RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
16    DHE-RSA-AES256-GCM-SHA384    TLSv1.2                      DH,1024bits
17    DHE-RSA-AES256-SHA256        TLSv1.2                      DH,1024bits
18    DHE-RSA-AES256-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
19    CAMELLIA256-SHA              SSLv3,TLSv1,TLSv1.1,TLSv1.2
20    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                      DH,1024bits
21    DHE-RSA-AES128-SHA256        TLSv1.2                      DH,1024bits
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
```

Note to self: replace RC4 with 3DES.

As some context, everything other than Persona is currently using the AWS defined

AWS default policy is decent. But in the future, I'd like to have 2 configurations: one that has SSL3 for backward compatible sites, and one that doesn't. We could disable SSL3 and TLS1, as well as RC4 and 3DES entirely. Maybe even enable a PFS-only ciphersuite.
http://aws.amazon.com/blogs/aws/elastic-load-balancing-perfect-forward-secrecy-and-other-security-enhancements
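
Added example, not part of this PR or of cipherscan: a small Python audit of cipherscan's table output for the points raised in this thread (preference ordering, RC4, SSLv3, forward secrecy). The function names and the 2048-bit DH threshold are assumptions of the example; the sample rows are copied from the scan quoted above.

```python
import re

# Constructed sample: rows copied from the cipherscan output quoted in the thread.
SAMPLE = """\
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
7 AES128-GCM-SHA256 TLSv1.2
13 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
15 RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
16 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits
"""
MIN_DH_BITS = 2048  # assumption: threshold chosen for this example


def parse(text):
    """Return one dict per ciphersuite row; header, dots and cert line are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        rows.append({"prio": int(parts[0]), "suite": parts[1],
                     "protocols": parts[2].split(","),
                     "pfs": parts[3] if len(parts) > 3 else None})
    return rows


def audit(rows):
    """Return (prio, suite, finding) tuples, walking suites in server preference order."""
    findings, seen_non_pfs = [], False
    for r in sorted(rows, key=lambda row: row["prio"]):
        def flag(msg, r=r):
            findings.append((r["prio"], r["suite"], msg))
        if "RC4" in r["suite"]:
            flag("RC4 offered")
        if "SSLv3" in r["protocols"]:
            flag("SSLv3 enabled")
        if r["pfs"] is None:
            seen_non_pfs = True
            flag("no forward secrecy")
            continue
        if seen_non_pfs:
            flag("PFS suite ranked below a non-PFS suite")
        m = re.match(r"DH,(\d+)bits", r["pfs"])  # ECDH rows do not match
        if m and int(m.group(1)) < MIN_DH_BITS:
            flag("DH group of %s bits" % m.group(1))
    return findings
```

Calling `audit(parse(output))` on the full scan text returns the list of findings; an empty list means none of these checks fired.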