I am trying to set up a CloudFormation template with a custom SSL negotiation policy. The CloudFormation error I am getting is:
CREATE_FAILED AWS::ElasticLoadBalancing::LoadBalancer BackendELB SSLNegotiationPolicy cannot be enabled
The relevant section of my CloudFormation template is as follows:
"Policies" : [
{
"PolicyName": "SSLNegotiationPolicy",
"PolicyType": "SSLNegotiationPolicyType",
"Attributes": [
{ "Name" : "Protocol-TLSv1", "Value" : "true" },
{ "Name" : "Protocol-TLSv1.1", "Value" : "true" },
{ "Name" : "Protocol-TLSv1.2", "Value" : "true" },
{ "Name" : "Protocol-SSLv2", "Value" : "false" },
{ "Name" : "Protocol-SSLv3", "Value" : "false" },
{ "Name" : "ECDHE-RSA-AES128-GCM-SHA256", "Value" : "true" },
{ "Name" : "ECDHE-ECDSA-AES128-SHA256", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES128-SHA256", "Value" : "true" },
{ "Name" : "ECDHE-ECDSA-AES128-SHA", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES128-SHA", "Value" : "true" },
{ "Name" : "DHE-RSA-AES128-SHA", "Value" : "true" },
{ "Name" : "ECDHE-ECDSA-AES256-GCM-SHA384", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES256-GCM-SHA384", "Value" : "true" },
{ "Name" : "ECDHE-ECDSA-AES256-SHA384", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES256-SHA384", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES256-SHA", "Value" : "true" },
{ "Name" : "ECDHE-ECDSA-AES256-SHA", "Value" : "true" },
{ "Name" : "AES128-GCM-SHA256", "Value" : "true" },
{ "Name" : "AES128-SHA256", "Value" : "true" },
{ "Name" : "AES128-SHA", "Value" : "true" },
{ "Name" : "AES256-GCM-SHA384", "Value" : "true" },
{ "Name" : "AES256-SHA256", "Value" : "true" },
{ "Name" : "AES256-SHA", "Value" : "true" },
{ "Name" : "DHE-DSS-AES128-SHA", "Value" : "true" },
{ "Name" : "RC4-SHA", "Value" : "false" },
{ "Name" : "ECDHE-ECDSA-RC4-SHA", "Value" : "false" }
],
"InstancePorts" : [ "443" ]
}
]
If I remove the InstancePorts section, the ELB is created without errors, but the new load balancer doesn't actually use the policy defined above.
Any ideas?
Side question: is it necessary to set every attribute of the policy explicitly to true or false, or, if a cipher is not listed in the template, does it default to the value from the recommended SSL policy?
I think you're on the right track. You can view the contents (protocols and cipher attributes) of the existing security policies with:
aws elb describe-load-balancer-policies
I specify every attribute explicitly for completeness, so that nothing is left to an implicit default, as in the policy below:
"Policies" : [
{
"PolicyName" : "My-ELBSecurityPolicy-2014-10-DisableRC4",
"PolicyType" : "SSLNegotiationPolicyType",
"Attributes" : [
{ "Name": "Protocol-SSLv2", "Value": "false" },
{ "Name": "Protocol-TLSv1", "Value": "true" },
{ "Name": "Protocol-SSLv3", "Value": "false" },
{ "Name": "Protocol-TLSv1.1", "Value": "true" },
{ "Name": "Protocol-TLSv1.2", "Value": "true" },
{ "Name": "Server-Defined-Cipher-Order", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Value": "true" },
{ "Name": "ECDHE-RSA-AES128-GCM-SHA256", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES128-SHA256", "Value": "true" },
{ "Name": "ECDHE-RSA-AES128-SHA256", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES128-SHA", "Value": "true" },
{ "Name": "ECDHE-RSA-AES128-SHA", "Value": "true" },
{ "Name": "DHE-RSA-AES128-SHA", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Value": "true" },
{ "Name": "ECDHE-RSA-AES256-GCM-SHA384", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES256-SHA384", "Value": "true" },
{ "Name": "ECDHE-RSA-AES256-SHA384", "Value": "true" },
{ "Name": "ECDHE-RSA-AES256-SHA", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES256-SHA", "Value": "true" },
{ "Name": "AES128-GCM-SHA256", "Value": "true" },
{ "Name": "AES128-SHA256", "Value": "true" },
{ "Name": "AES128-SHA", "Value": "true" },
{ "Name": "AES256-GCM-SHA384", "Value": "true" },
{ "Name": "AES256-SHA256", "Value": "true" },
{ "Name": "AES256-SHA", "Value": "true" },
{ "Name": "DHE-DSS-AES128-SHA", "Value": "true" },
{ "Name": "CAMELLIA128-SHA", "Value": "false" },
{ "Name": "EDH-RSA-DES-CBC3-SHA", "Value": "false" },
{ "Name": "DES-CBC3-SHA", "Value": "false" },
{ "Name": "ECDHE-RSA-RC4-SHA", "Value": "false" },
{ "Name": "RC4-SHA", "Value": "false" },
{ "Name": "ECDHE-ECDSA-RC4-SHA", "Value": "false" },
{ "Name": "DHE-DSS-AES256-GCM-SHA384", "Value": "false" },
{ "Name": "DHE-RSA-AES256-GCM-SHA384", "Value": "false" },
{ "Name": "DHE-RSA-AES256-SHA256", "Value": "false" },
{ "Name": "DHE-DSS-AES256-SHA256", "Value": "false" },
{ "Name": "DHE-RSA-AES256-SHA", "Value": "false" },
{ "Name": "DHE-DSS-AES256-SHA", "Value": "false" },
{ "Name": "DHE-RSA-CAMELLIA256-SHA", "Value": "false" },
{ "Name": "DHE-DSS-CAMELLIA256-SHA", "Value": "false" },
{ "Name": "CAMELLIA256-SHA", "Value": "false" },
{ "Name": "EDH-DSS-DES-CBC3-SHA", "Value": "false" },
{ "Name": "DHE-DSS-AES128-GCM-SHA256", "Value": "false" },
{ "Name": "DHE-RSA-AES128-GCM-SHA256", "Value": "false" },
{ "Name": "DHE-RSA-AES128-SHA256", "Value": "false" },
{ "Name": "DHE-DSS-AES128-SHA256", "Value": "false" },
{ "Name": "DHE-RSA-CAMELLIA128-SHA", "Value": "false" },
{ "Name": "DHE-DSS-CAMELLIA128-SHA", "Value": "false" },
{ "Name": "ADH-AES128-GCM-SHA256", "Value": "false" },
{ "Name": "ADH-AES128-SHA", "Value": "false" },
{ "Name": "ADH-AES128-SHA256", "Value": "false" },
{ "Name": "ADH-AES256-GCM-SHA384", "Value": "false" },
{ "Name": "ADH-AES256-SHA", "Value": "false" },
{ "Name": "ADH-AES256-SHA256", "Value": "false" },
{ "Name": "ADH-CAMELLIA128-SHA", "Value": "false" },
{ "Name": "ADH-CAMELLIA256-SHA", "Value": "false" },
{ "Name": "ADH-DES-CBC3-SHA", "Value": "false" },
{ "Name": "ADH-DES-CBC-SHA", "Value": "false" },
{ "Name": "ADH-RC4-MD5", "Value": "false" },
{ "Name": "ADH-SEED-SHA", "Value": "false" },
{ "Name": "DES-CBC-SHA", "Value": "false" },
{ "Name": "DHE-DSS-SEED-SHA", "Value": "false" },
{ "Name": "DHE-RSA-SEED-SHA", "Value": "false" },
{ "Name": "EDH-DSS-DES-CBC-SHA", "Value": "false" },
{ "Name": "EDH-RSA-DES-CBC-SHA", "Value": "false" },
{ "Name": "IDEA-CBC-SHA", "Value": "false" },
{ "Name": "RC4-MD5", "Value": "false" },
{ "Name": "SEED-SHA", "Value": "false" },
{ "Name": "DES-CBC3-MD5", "Value": "false" },
{ "Name": "DES-CBC-MD5", "Value": "false" },
{ "Name": "RC2-CBC-MD5", "Value": "false" },
{ "Name": "PSK-AES256-CBC-SHA", "Value": "false" },
{ "Name": "PSK-3DES-EDE-CBC-SHA", "Value": "false" },
{ "Name": "KRB5-DES-CBC3-SHA", "Value": "false" },
{ "Name": "KRB5-DES-CBC3-MD5", "Value": "false" },
{ "Name": "PSK-AES128-CBC-SHA", "Value": "false" },
{ "Name": "PSK-RC4-SHA", "Value": "false" },
{ "Name": "KRB5-RC4-SHA", "Value": "false" },
{ "Name": "KRB5-RC4-MD5", "Value": "false" },
{ "Name": "KRB5-DES-CBC-SHA", "Value": "false" },
{ "Name": "KRB5-DES-CBC-MD5", "Value": "false" },
{ "Name": "EXP-EDH-RSA-DES-CBC-SHA", "Value": "false" },
{ "Name": "EXP-EDH-DSS-DES-CBC-SHA", "Value": "false" },
{ "Name": "EXP-ADH-DES-CBC-SHA", "Value": "false" },
{ "Name": "EXP-DES-CBC-SHA", "Value": "false" },
{ "Name": "EXP-RC2-CBC-MD5", "Value": "false" },
{ "Name": "EXP-KRB5-RC2-CBC-SHA", "Value": "false" },
{ "Name": "EXP-KRB5-DES-CBC-SHA", "Value": "false" },
{ "Name": "EXP-KRB5-RC2-CBC-MD5", "Value": "false" },
{ "Name": "EXP-KRB5-DES-CBC-MD5", "Value": "false" },
{ "Name": "EXP-ADH-RC4-MD5", "Value": "false" },
{ "Name": "EXP-RC4-MD5", "Value": "false" },
{ "Name": "EXP-KRB5-RC4-SHA", "Value": "false" },
{ "Name": "EXP-KRB5-RC4-MD5", "Value": "false" }
]
}
]
You also have to reference the policy by name from the HTTPS listener in the ELB resource itself (via PolicyNames); a policy that is declared under Policies but not attached to a listener has no effect, which is why the load balancer appeared to ignore it:
"Listeners" : [
{ "LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP" },
{ "LoadBalancerPort" : "443",
"InstancePort" : "80",
"Protocol" : "HTTPS",
"SSLCertificateId" : "arn:aws:iam::111111111111:server-certificate/somedomain.com",
"PolicyNames" : [ "My-ELBSecurityPolicy-2014-10-DisableRC4", "SomeOtherPolicy" ]
}
],