Changing SSL Termination from ELB to Router


We have had a few requests where we need to change SSL termination from the ELB to the Router.

While doing so, we need to make sure that the corresponding strong ciphers on the ELB are present on the Router.

Currently we have the following ciphers and protocols on the ELB:

Supported TLS Configuration

Protocols

Protocol-TLSv1

Protocol-TLSv1.1

Protocol-TLSv1.2

Options

Server Order Preference

Ciphers

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

ECDHE-ECDSA-AES128-SHA

ECDHE-RSA-AES128-SHA

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

ECDHE-RSA-AES256-SHA

ECDHE-ECDSA-AES256-SHA

AES128-GCM-SHA256

AES128-SHA256

AES128-SHA

AES256-GCM-SHA384

AES256-SHA256

AES256-SHA

DES-CBC3-SHA

Below is the virtual host that we would need to create to make sure we have all the strong ciphers.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VirtualHost name="https_vhost">
    <HostAliases>
        <HostAlias>abcd.apigee.net</HostAlias>
    </HostAliases>
    <Interfaces/>
    <Port>somehighport</Port>
    <SSLInfo>
        <!-- JSSE standard names, one per ELB cipher above, in the same order -->
        <Ciphers>
            <Cipher>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Cipher>
            <Cipher>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Cipher>
            <Cipher>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Cipher>
            <Cipher>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Cipher>
            <Cipher>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Cipher>
            <Cipher>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Cipher>
            <Cipher>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Cipher>
            <Cipher>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Cipher>
            <Cipher>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</Cipher>
            <Cipher>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Cipher>
            <Cipher>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Cipher>
            <Cipher>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Cipher>
            <Cipher>TLS_RSA_WITH_AES_128_GCM_SHA256</Cipher>
            <Cipher>TLS_RSA_WITH_AES_128_CBC_SHA256</Cipher>
            <Cipher>TLS_RSA_WITH_AES_128_CBC_SHA</Cipher>
            <Cipher>TLS_RSA_WITH_AES_256_GCM_SHA384</Cipher>
            <Cipher>TLS_RSA_WITH_AES_256_CBC_SHA256</Cipher>
            <Cipher>TLS_RSA_WITH_AES_256_CBC_SHA</Cipher>
            <Cipher>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Cipher>
        </Ciphers>
        <ClientAuthEnabled>false</ClientAuthEnabled>
        <Enabled>true</Enabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <KeyAlias>xyz</KeyAlias>
        <KeyStore>xyz</KeyStore>
        <Protocols>
            <Protocol>TLSv1</Protocol>
            <Protocol>TLSv1.1</Protocol>
            <Protocol>TLSv1.2</Protocol>
        </Protocols>
    </SSLInfo>
</VirtualHost>

Regards,

J

Comments
jhans
New Member

Forgot to mention one point.

When we use ELB ciphers in our VH, we need to replace "-" with "_", as Java probably accepts ciphers with "_" only.
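The following is an added example (not code from the post, from Apigee or from AWS) that does the translation the post and the comment above describe: it takes the ELB's OpenSSL-style cipher names, maps each to the JSSE standard name the Router's VirtualHost expects, drops duplicates, and renders the <Ciphers> fragment. The names differ in more than the separator (the ELB's DES-CBC3-SHA corresponds to SSL_RSA_WITH_3DES_EDE_CBC_SHA, and AES128-SHA to TLS_RSA_WITH_AES_128_CBC_SHA), so the script uses an explicit table rather than a character substitution. It also flags the suites a reviewer would question before carrying them over (3DES, static-RSA key exchange with no forward secrecy, CBC with HMAC-SHA1), and can optionally omit them. The ELB list is the one from the post, embedded as constructed input.

```python
"""Translate an ELB (OpenSSL-style) cipher list into JSSE cipher-suite names
for an Apigee Router VirtualHost and render the <Ciphers> fragment.
Added example; the table is the standard OpenSSL -> IANA/JSSE correspondence."""

# OpenSSL name (as shown in the ELB security policy) -> JSSE standard name.
OPENSSL_TO_JSSE = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES128-SHA256":     "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES128-SHA256":       "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-ECDSA-AES128-SHA":        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES128-SHA":          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES256-SHA384":     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES256-SHA384":       "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES256-SHA":          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-ECDSA-AES256-SHA":        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "AES128-GCM-SHA256":             "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES128-SHA256":                 "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-SHA":                    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-GCM-SHA384":             "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "AES256-SHA256":                 "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "AES256-SHA":                    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "DES-CBC3-SHA":                  "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Constructed input: the ELB cipher list from the post above, in ELB order.
ELB_CIPHERS = list(OPENSSL_TO_JSSE.keys())


def to_jsse(openssl_name):
    """JSSE name for an OpenSSL cipher name, or None if it is not in the table."""
    return OPENSSL_TO_JSSE.get(openssl_name)


def weaknesses(jsse_name):
    """Reasons a reviewer would flag a suite before carrying it to the Router."""
    reasons = []
    if "3DES" in jsse_name:
        reasons.append("3DES: 64-bit block cipher")
    if not jsse_name.startswith("TLS_ECDHE_"):
        reasons.append("static RSA key exchange: no forward secrecy")
    if jsse_name.endswith("_CBC_SHA"):
        reasons.append("CBC mode with HMAC-SHA1")
    return reasons


def translate(elb_ciphers, drop_weak=False):
    """Map an ELB list to JSSE names, preserving order and removing duplicates.

    Unknown names raise ValueError rather than being silently skipped, so a
    cipher cannot vanish from the Router config unnoticed. Returns
    (kept, flagged) where flagged is a list of (jsse_name, reasons)."""
    kept, flagged, seen = [], [], set()
    for name in elb_ciphers:
        jsse = to_jsse(name)
        if jsse is None:
            raise ValueError("no JSSE equivalent known for %s" % name)
        if jsse in seen:          # e.g. the same suite listed twice
            continue
        seen.add(jsse)
        reasons = weaknesses(jsse)
        if reasons:
            flagged.append((jsse, reasons))
            if drop_weak:
                continue
        kept.append(jsse)
    return kept, flagged


def render_ciphers(jsse_names, indent="    "):
    """Render the <Ciphers> element for the VirtualHost <SSLInfo> block."""
    lines = [indent + "<Ciphers>"]
    lines += [indent * 2 + "<Cipher>%s</Cipher>" % n for n in jsse_names]
    lines.append(indent + "</Ciphers>")
    return "\n".join(lines)


if __name__ == "__main__":
    kept, flagged = translate(ELB_CIPHERS)
    print(render_ciphers(kept))
    for name, reasons in flagged:
        print("<!-- review %s: %s -->" % (name, "; ".join(reasons)))
```

Running it with drop_weak=True leaves only the eight ECDHE suites with GCM or SHA-256/384 CBC, which is the subset to keep if the migration is also the moment to tighten the policy. Whichever list goes into the VirtualHost, confirm it from the outside afterwards: openssl s_client -connect host:port -tls1_2 -cipher NAME, once per suite, shows whether the Router actually negotiates it, and the same check with -tls1 or -tls1_1 shows whether those protocols were really meant to be carried over from the ELB.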

Version history
Last update: 09-09-2015 04:39 PM