Security/Server Side TLS: Difference between revisions

No edit summary
Line 8: Line 8:
{| class="wikitable"
{| class="wikitable"
|-
|-
! Document Status !! Ownership !! Major Versions
! Document Status !! Major Versions
|-  
|-  
|  <span style="color:green;">'''READY'''</span> || Operations Security ||
|  <span style="color:green;">'''READY'''</span> ||
* Version 2: Public release
* Version 2: Public release
* Version 1.5: Julien Vehent (JV) added details for PFS DHE handshake, added nginx configuration details; Guillaume Destuynder (GD) added Apache recommended conf
* Version 1.5: Julien Vehent (JV) added details for PFS DHE handshake, added nginx configuration details; Guillaume Destuynder (GD) added Apache recommended conf
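Review bot: the Ownership column, and with it the "Operations Security" owner, is removed from the status table with no edit summary explaining why; if ownership has moved, name the new owner (in the table or the page intro) rather than dropping the information silently, and if the column is intentionally retired, say so in the edit summary so the history shows who is accountable for this guidance.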
Line 296: Line 296:
prefer-server-ciphers = on
prefer-server-ciphers = on
</pre>
</pre>
== Amazon Web Services Elastic Load Balancer (AWS ELB) ==
ELBs support TLS 1.2, but lack support for ciphers ordering, custom DH parameters and OCSP Stapling.
The default configuration of ELBs doesn't enable the correct ciphers or versions of TLS. This can be done by hand in the Web Console, but is tedious. Gene Wood, from Identity Ops, wrote a script that configures the proper TLS policy on ELB: https://github.com/mozilla/identity-ops/blob/master/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
Because of the lack of server side ordering, it is preferable to terminate TLS connection on something than ELBs. ELBs can be used at layer 4 to load balance TCP connections, and terminate SSL on Nginx, Apache or any suitable TLS stack.
When using ELBs as L4 load balancer, the following limitations apply:
* Client IP will be hidden to the backend servers. The application behind the ELB will only see the IP of the ELB. Headers such as X-Forwarded-For cannot be used to store the client IP, because the ELB does not decrypt the SSL.
* Only layer 4 type heartbeats can be used (connection establishment on target port).
* Session stickiness will only be possible by source IP: one source IP will always reach the same application server. Session stickiness via cookie cannot be used, because the ELB does not decrypt the SSL.
ELBs support HAproxy's proxy protocol, that removes the need for X-Forwarded-For and operates with a header placed right before the TCP packet. While still in beta, a solution composed of L4 ELBs that send TCP traffic to HAproxy for SSL termination would solve the limitations above.


== Zeus (Riverbed Stingray) ==
== Zeus (Riverbed Stingray) ==
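Review bot: "it is preferable to terminate TLS connection on something than ELBs" is missing a word and should read "on something other than ELBs". In the limitations list, "Only layer 4 type heartbeats can be used" would be clearer as "Only TCP health checks can be used (connection establishment on the target port)". The proxy protocol sentence is inaccurate as written: the PROXY header is not "placed right before the TCP packet" but sent once, as the first bytes of the TCP stream ahead of the TLS ClientHello, so the backend (HAproxy, nginx) must be configured to expect it or every handshake fails; suggest rewording to "a header sent at the start of each TCP connection, before the TLS handshake". Finally, the section alternates between "SSL" and "TLS" ("does not decrypt the SSL", "HAproxy for SSL termination"); the rest of the page uses TLS, so normalise to that.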