In December 2014 researchers showed that the RC4 cipher, which common TLS implementations still negotiate by default, is weak enough to be attacked in practice. As of January 15, 2015 the recommended predefined security policy for AWS Elastic Load Balancers still permits RC4 cipher suites, so an ELB has to be configured with a custom policy to remove them. This post describes the steps.

Background

In October 2014 the POODLE attack against SSLv3 was published: it lets an attacker recover secrets such as session cookies from an encrypted connection. The advised mitigation was to disable SSLv3 entirely and accept TLS only.

Moving to TLS brings cipher-suite issues to light that you should be aware of when configuring TLS on your server. Many common TLS implementations prefer the RC4 cipher suites when they are offered. However, the IETF has recently issued a draft prohibiting the use of RC4 cipher suites in TLS.

At the time of writing, the newest predefined ELB security policy provided by AWS (ELBSecurityPolicy-2014-10) still permits RC4 cipher suites. This shows up as soon as you scan the endpoint: the SSL Labs server test (ssllabs.com) will flag an ELB that still accepts RC4.

To resolve this you must specify the cipher suites yourself, either when the ELB is created or by editing the listener's security policy on an existing ELB.

If your ELB uses a predefined security policy, you can switch it to a custom policy that keeps the predefined settings minus the RC4 suites. In the AWS console:

  1. Find your ELB in the AWS console and select the Listeners tab. In the Cipher column, click Change on the row of the HTTPS/SSL listener.

    ![Change the cipher][step1]

  2. Select Predefined Security Policy and choose ELBSecurityPolicy-2014-10 from the drop-down. This pre-populates the custom policy in the next step with the 2014-10 settings (which already have SSLv3 disabled).

    ![Select predefined policy][step2]

  3. Change the radio button selection to Custom Security Policy, uncheck the two RC4 suites, ECDHE-RSA-RC4-SHA and RC4-SHA, confirm that SSLv3 is still unchecked under the protocols, then click Save.

    ![De-select ciphers][step3]

More information on predefined security policies can be found in the AWS Elastic Load Balancing documentation.
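The same change can be scripted with the AWS CLI, which is how you would roll it out across many load balancers. The script below is an added example and is not from the original post: it builds a custom SSLNegotiationPolicyType policy from the RC4-free cipher list, applies it to the HTTPS listener, reads the policy back to confirm no RC4 attribute is enabled, and finally checks from outside that an RC4-only handshake is refused. The ELB name, policy name and listener port are assumed placeholder values set via environment variables.

```shell
#!/bin/sh
# Added example, not code from the original post or from AWS.
# ELB_NAME, POLICY_NAME and LISTENER_PORT are assumed placeholders.
set -eu

ELB_NAME="${ELB_NAME:-my-elb}"
POLICY_NAME="${POLICY_NAME:-no-rc4-2015-01}"
LISTENER_PORT="${LISTENER_PORT:-443}"

# RC4-free suite list (same suites as the HAProxy list later in this post).
CIPHERS="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA"

# Exit 0 if a colon-separated cipher list names any RC4 suite.
has_rc4() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -q 'RC4'
}

# Turn a colon-separated cipher list into ELB policy attributes:
# SSLv3 off (POODLE), TLS 1.0-1.2 on, server-side ordering, then one
# AttributeName=<suite>,AttributeValue=true per suite.
policy_attributes() {
    printf 'AttributeName=Protocol-SSLv3,AttributeValue=false\n'
    printf 'AttributeName=Protocol-TLSv1,AttributeValue=true\n'
    printf 'AttributeName=Protocol-TLSv1.1,AttributeValue=true\n'
    printf 'AttributeName=Protocol-TLSv1.2,AttributeValue=true\n'
    printf 'AttributeName=Server-Defined-Cipher-Order,AttributeValue=true\n'
    printf '%s\n' "$1" | tr ':' '\n' | while read -r suite; do
        if [ -n "$suite" ]; then
            printf 'AttributeName=%s,AttributeValue=true\n' "$suite"
        fi
    done
}

# Create the custom policy and attach it to the HTTPS listener.
apply_policy() {
    if has_rc4 "$CIPHERS"; then
        echo "refusing to apply: RC4 suite present in cipher list" >&2
        return 1
    fi
    # Word-splitting of $(...) is intended: attributes contain no spaces.
    aws elb create-load-balancer-policy \
        --load-balancer-name "$ELB_NAME" \
        --policy-name "$POLICY_NAME" \
        --policy-type-name SSLNegotiationPolicyType \
        --policy-attributes $(policy_attributes "$CIPHERS")
    aws elb set-load-balancer-policies-of-listener \
        --load-balancer-name "$ELB_NAME" \
        --load-balancer-port "$LISTENER_PORT" \
        --policy-names "$POLICY_NAME"
}

# Read the policy back from the API and fail if any RC4 attribute is enabled.
verify_policy() {
    enabled=$(aws elb describe-load-balancer-policies \
        --load-balancer-name "$ELB_NAME" --policy-names "$POLICY_NAME" \
        --query 'PolicyDescriptions[0].PolicyAttributeDescriptions[?AttributeValue==`true`].AttributeName' \
        --output text)
    if printf '%s\n' "$enabled" | grep -q 'RC4'; then
        echo "FAIL: policy $POLICY_NAME still enables an RC4 suite" >&2
        return 1
    fi
    echo "OK: policy $POLICY_NAME enables no RC4 suite"
}

# External check: a handshake offering only RC4 must be rejected.
# Caveat: a local OpenSSL built without RC4 cannot perform this test, so
# bail out rather than report a false pass.
check_rc4_rejected() {
    host="$1"
    if ! openssl ciphers 'RC4' >/dev/null 2>&1; then
        echo "local openssl has no RC4 suites; use the SSL Labs test instead" >&2
        return 2
    fi
    if printf '' | openssl s_client -connect "$host:443" -cipher 'RC4' >/dev/null 2>&1; then
        echo "FAIL: $host still negotiates RC4" >&2
        return 1
    fi
    echo "OK: $host rejects RC4"
}

case "${1:-}" in
    apply) apply_policy && verify_policy ;;
    check) check_rc4_rejected "${2:?usage: $0 check <hostname>}" ;;
esac
```

Run it as `./elb-no-rc4.sh apply` to create and attach the policy, then `./elb-no-rc4.sh check elb-dns-name` to confirm from the client side. Reading the policy back through the API rather than trusting the request succeeded matters here: a typo in an attribute name is rejected by the API, but a suite you forgot to remove simply stays enabled.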

For HAProxy users, here is a working set of options for the `bind ... ssl` line of an HTTPS frontend. It disables SSLv3 (POODLE) and session tickets and restricts the cipher list to ECDHE and AES suites with no RC4:

```
no-sslv3 no-tls-tickets ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA
```


Mark Curphey, Vice President, Strategy Mark Curphey is the Vice President of Strategy at CA Veracode. Mark is the founder and CEO of SourceClear, a software composition analysis solution designed for DevSecOps, which was acquired by CA Technologies in 2018. In 2001, he founded the Open Web Application Security Project (OWASP), a non-profit organization known for its Top 10 list of Most Critical Web Application Security Risks. Mark moved to the U.S. in 2000 to join Internet Security Systems (acquired by IBM), and later held roles including director of information security at Charles Schwab, vice president of professional services at Foundstone (acquired by McAfee), and principal group program manager, developer division, at Microsoft. Born in the UK, Mark received his B.Eng, Mechanical Engineering from the University of Brighton, and his Masters in Information Security from Royal Holloway, University of London. In his spare time, he enjoys traveling, and cycling.
