Have got a few requests where we need to change SSL termination from ELB to Router.
While doing so we need to make sure that corresponding strong ciphers on ELB are present on the router.
Currently we have the following ciphers and protocols on ELB:
Supported TLS Configuration
Protocols
Protocol-TLSv1
Protocol-TLSv1.1
Protocol-TLSv1.2
Options
Server Order Preference
Ciphers
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
DES-CBC3-SHA
Below would be the virtual host that we need to create to make sure we have all the strong ciphers.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VirtualHost name="https_vhost">
  <HostAliases>
    <HostAlias>abcd.apigee.net</HostAlias>
  </HostAliases>
  <Interfaces/>
  <Port>somehighport</Port>
  <SSLInfo>
    <!-- Cipher names use the JSSE/IANA spelling; one entry per ELB cipher listed above -->
    <Ciphers>
      <Cipher>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Cipher>
      <Cipher>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Cipher>
      <Cipher>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Cipher>
      <Cipher>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Cipher>
      <Cipher>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Cipher>
      <Cipher>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Cipher>
      <Cipher>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Cipher>
      <Cipher>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Cipher>
      <Cipher>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</Cipher>
      <Cipher>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Cipher>
      <Cipher>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Cipher>
      <Cipher>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Cipher>
      <Cipher>TLS_RSA_WITH_AES_128_GCM_SHA256</Cipher>
      <Cipher>TLS_RSA_WITH_AES_128_CBC_SHA256</Cipher>
      <Cipher>TLS_RSA_WITH_AES_128_CBC_SHA</Cipher>
      <Cipher>TLS_RSA_WITH_AES_256_GCM_SHA384</Cipher>
      <Cipher>TLS_RSA_WITH_AES_256_CBC_SHA256</Cipher>
      <Cipher>TLS_RSA_WITH_AES_256_CBC_SHA</Cipher>
      <!-- ELB's DES-CBC3-SHA is triple DES; JSSE names that suite with the legacy SSL_ prefix -->
      <Cipher>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Cipher>
    </Ciphers>
    <ClientAuthEnabled>false</ClientAuthEnabled>
    <Enabled>true</Enabled>
    <IgnoreValidationErrors>false</IgnoreValidationErrors>
    <KeyAlias>xyz</KeyAlias>
    <KeyStore>xyz</KeyStore>
    <Protocols>
      <Protocol>TLSv1</Protocol>
      <Protocol>TLSv1.1</Protocol>
      <Protocol>TLSv1.2</Protocol>
    </Protocols>
  </SSLInfo>
</VirtualHost>
Regards,
J
Forgot to mention one point.
When we use ELB ciphers in our VH we need to replace "-" with "_" as Java probably accepts ciphers with _ only.
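Added example, not code from the original post: the script below derives the JSSE cipher names from the ELB list rather than hand-typing them, and annotates each entry with what a reviewer would flag before carrying it over to the router (3DES, no forward secrecy). An OpenSSL name writes out the key exchange, AES key size and MAC but leaves the CBC mode and the "3DES" wording implicit, so the translation is a small parser rather than a separator swap; the only names assumed are the <Ciphers>/<Cipher> elements from the virtual host above, and the input list is the one on this page, embedded inline.

```python
import re

# Constructed sample input: the ELB cipher list from the post, in OpenSSL spelling.
ELB_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 "
    "ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA "
    "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 "
    "ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA AES128-GCM-SHA256 "
    "AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DES-CBC3-SHA"
).split()

# OpenSSL writes the key exchange as a prefix; no prefix means static RSA.
_KX = {None: "RSA", "ECDHE-ECDSA": "ECDHE_ECDSA", "ECDHE-RSA": "ECDHE_RSA"}
_NAME = re.compile(
    r"^(?:(?P<kx>ECDHE-ECDSA|ECDHE-RSA)-)?"
    r"(?P<cipher>AES128|AES256|DES-CBC3)"
    r"(?:-(?P<mode>GCM))?-(?P<mac>SHA256|SHA384|SHA)$"
)

def openssl_to_jsse(name):
    """Translate one OpenSSL cipher name into the JSSE/IANA name Java expects."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised OpenSSL cipher name: {name}")
    kx = _KX[m.group("kx")]
    if m.group("cipher") == "DES-CBC3":
        # DES-CBC3 is triple DES; JSSE keeps the legacy SSL_ prefix on the RSA suite.
        return f"{'SSL' if kx == 'RSA' else 'TLS'}_{kx}_WITH_3DES_EDE_CBC_SHA"
    bits = m.group("cipher")[3:]          # "128" or "256"
    mode = m.group("mode") or "CBC"       # OpenSSL leaves CBC implicit
    return f"TLS_{kx}_WITH_AES_{bits}_{mode}_{m.group('mac')}"

def weaknesses(jsse_name):
    """Reasons a suite deserves a second look before being carried over."""
    w = []
    if "3DES" in jsse_name:
        w.append("64-bit block cipher (3DES)")
    if jsse_name.startswith(("TLS_RSA_", "SSL_RSA_")):
        w.append("no forward secrecy (static RSA key exchange)")
    return w

def render_ciphers(openssl_names):
    """Emit the router's <Ciphers> block, one <Cipher> per ELB suite, annotated."""
    lines = ["<Ciphers>"]
    for n in openssl_names:
        j = openssl_to_jsse(n)
        w = weaknesses(j)
        lines.append(f"  <Cipher>{j}</Cipher>" + (f"  <!-- {'; '.join(w)} -->" if w else ""))
    lines.append("</Ciphers>")
    return "\n".join(lines)
```

Run `print(render_ciphers(ELB_CIPHERS))` to get the block to paste into the virtual host; any name the parser rejects is one to look up by hand rather than guess.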