Security/Server Side TLS: Difference between revisions

Line 526: Line 526:
<source lang="python">
<source lang="python">
#!/usr/bin/env python
#!/usr/bin/env python
# Apply recommendation from https://wiki.mozilla.org/Security/Server_Side_TLS
# Apply recommendation from https://wiki.mozilla.org/Security/Server_Side_TLS


Line 540: Line 541:
import sys
import sys


if len(sys.argv) < 2:
if len(sys.argv) < 3:
   print "usage : %s REGION ELB-NAME <MODE>" % sys.argv[0]
   print "usage : %s REGION ELB-NAME <MODE>" % sys.argv[0]
   print ""
   print ""
Line 559: Line 560:
#logging.basicConfig(level=logging.DEBUG)
#logging.basicConfig(level=logging.DEBUG)


policy_name_old = 'Mozilla-OpSec-TLS-Old-v-3-2'
policy = {'old':{},
policy_old = { "ECDHE-ECDSA-AES128-GCM-SHA256": True,
          'intermediate':{},
          'modern':{}}
 
policy['old']['name'] = 'Mozilla-OpSec-TLS-Old-v-3-2'
policy['old']['ciphersuite'] = {
                "ECDHE-ECDSA-AES128-GCM-SHA256": True,
                 "ECDHE-RSA-AES128-GCM-SHA256": True,
                 "ECDHE-RSA-AES128-GCM-SHA256": True,
                 "ECDHE-ECDSA-AES128-SHA256": True,
                 "ECDHE-ECDSA-AES128-SHA256": True,
Line 655: Line 661:


# reuse the Old policy minus SSLv3 and 3DES
# reuse the Old policy minus SSLv3 and 3DES
policy_name_intermediate = 'Mozilla-OpSec-TLS-Intermediate-v-3-2'
policy['intermediate']['name'] = 'Mozilla-OpSec-TLS-Intermediate-v-3-2'
policy_intermediate = policy_old.copy()
policy['intermediate']['ciphersuite'] = policy['old']['ciphersuite'].copy()
policy_intermediate["Protocol-SSLv3"] = False
policy['intermediate']['ciphersuite'].update(
policy_intermediate["DES-CBC3-SHA"] = False
    {"Protocol-SSLv3": False,
    "DES-CBC3-SHA": False})


# reuse the intermediate policy minus TLSv1 and non PFS ciphers
# reuse the intermediate policy minus TLSv1 and non PFS ciphers
policy_name_modern = 'Mozilla-OpSec-TLS-Modern-v-3-2'
policy['modern']['name'] = 'Mozilla-OpSec-TLS-Modern-v-3-2'
policy_modern = policy_intermediate.copy()
policy['modern']['ciphersuite'] = policy['intermediate']['ciphersuite'].copy()
policy_modern["Protocol-TLSv1"] = False
policy['modern']['ciphersuite'].update(
policy_modern["AES128-GCM-SHA256"] = False
    {"Protocol-TLSv1": False,
policy_modern["AES256-GCM-SHA384"] = False
    "AES128-GCM-SHA256": False,
policy_modern["DHE-DSS-AES128-SHA"] = False
    "AES256-GCM-SHA384": False,
policy_modern["AES128-SHA256"] = False
    "DHE-DSS-AES128-SHA": False,
policy_modern["AES128-SHA"] = False
    "AES128-SHA256": False,
policy_modern["DHE-DSS-AES256-SHA256"] = False
    "AES128-SHA": False,
policy_modern["AES256-SHA256"] = False
    "DHE-DSS-AES256-SHA256": False,
policy_modern["AES256-SHA"] = False
    "AES256-SHA256": False,
policy_modern["CAMELLIA128-SHA"] = False
    "AES256-SHA": False,
policy_modern["CAMELLIA256-SHA"] = False
    "CAMELLIA128-SHA": False,
    "CAMELLIA256-SHA": False})


# Select the right policy based on the chosen mode
if not conf_mode in policy.keys():
policy_name = policy_name_intermediate
    print "Invalid policy name, must be one of %s" % policy.keys()
policy_attributes = policy_intermediate
    sys.exit(1)
if conf_mode == "old":
policy_name = policy_name_old
policy_attributes = policy_old
if conf_mode == "modern":
policy_name = policy_name_modern
policy_attributes = policy_modern


# Create the Ciphersuite Policy
# Create the Ciphersuite Policy
params = {'LoadBalancerName': load_balancer_name,
params = {'LoadBalancerName': load_balancer_name,
           'PolicyName': policy_name,
           'PolicyName': policy[conf_mode]['name'],
           'PolicyTypeName': 'SSLNegotiationPolicyType'}
           'PolicyTypeName': 'SSLNegotiationPolicyType'}
conn_elb.build_complex_list_params(params,
conn_elb.build_complex_list_params(
                                  [(x, policy_attributes[x]) for x in policy_attributes.keys()],
    params,
                                  'PolicyAttributes.member',
    [(x, policy[conf_mode]['ciphersuite'][x]) for x in policy[conf_mode]['ciphersuite'].keys()],
                                  ('AttributeName', 'AttributeValue'))
    'PolicyAttributes.member',
policy = conn_elb.get_list('CreateLoadBalancerPolicy', params, None, verb='POST')
    ('AttributeName', 'AttributeValue'))
policy_result = conn_elb.get_list('CreateLoadBalancerPolicy', params, None, verb='POST')


# Apply the Ciphersuite Policy to your ELB
# Apply the Ciphersuite Policy to your ELB
params = {'LoadBalancerName': load_balancer_name,
params = {'LoadBalancerName': load_balancer_name,
           'LoadBalancerPort': 443,
           'LoadBalancerPort': 443,
           'PolicyNames.member.1': policy_name}
           'PolicyNames.member.1': policy[conf_mode]['name']}


result = conn_elb.get_list('SetLoadBalancerPoliciesOfListener', params, None)
result = conn_elb.get_list('SetLoadBalancerPoliciesOfListener', params, None)
print "New Policy '%s' created and applied to load balancer %s in %s" % (policy_name, load_balancer_name, region)
print "New Policy '%s' created and applied to load balancer %s in %s" % (
    policy[conf_mode]['name'],
    load_balancer_name,
    region)
</source>
</source>
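Review bot: The success message at the end of the last hunk is printed without inspecting `policy_result` or `result`, so the operator gets "created and applied" with no confirmation from the returned data that the port-443 listener now carries the new policy; boto's `get_list` presumably raises on a non-2xx response before this line, but that assumption deserves a comment such as `# boto raises on API errors, so reaching this print means both calls succeeded`, or an explicit check of `result`. The Modern profile in this hunk only sets `"Protocol-TLSv1": False`; no `Protocol-TLSv1.1` attribute appears in any of the three dicts, so whether TLS 1.1 remains negotiable under the Modern policy depends on the ELB default for that attribute and should be checked against the current Mozilla profile before relying on the name. The policy names carry a fixed `-v-3-2` suffix and there is no handling for an already-existing policy, so editing a ciphersuite dict and re-running without bumping the version will most likely fail at `CreateLoadBalancerPolicy` rather than update the listener in place; a comment stating that the version suffix must change with the attributes would prevent that surprise. The guard `if not conf_mode in policy.keys():` reads more idiomatically as `if conf_mode not in policy:`. `conf_mode`, `load_balancer_name`, `region` and `conn_elb` are assigned outside the hunk.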

