
How to set “server preference” for tls cipher suites?

Mozilla has a tool to generate server configurations at Mozilla SSL Configuration Generator. For Amazon Elastic Load Balancing (ELB), the configuration does not appear to have a setting for "use server preference".

"Use server preference" is an important server-side option because it ensures the server's choice of cipher suite is used (as opposed to using the client's cipher suite) (modulo the intersection of them). In Apache, the setting is SSLHonorCipherOrder. In OpenSSL, the setting is SSL_OP_CIPHER_SERVER_PREFERENCE.

What is the ELB setting to ensure the server's preference for cipher suites is used?

Amazon's predefined security policies already do this.

If you're trying to use the CloudFormation template that Mozilla gave you, you will see that the attribute is already there.

{
    "Name": "Server-Defined-Cipher-Order",
    "Value": true
},
    • Perfect, thanks. Related: why is it called or named "order" rather than "choice" or "preference"? The TLS standard is ambiguous whether it's the client's choice or the server's choice; so it's a choice or a preference, and not an order. I can't help but feel AWS's inability to name it correctly resulted in my inability to locate it.
    • Agreed with respect to lists and not random. But this has nothing to do with the order of the cipher list within either the client's list or the server's list. It has to do with either: (a) the server using the client's #1 choice of cipher suite; or (b) the server using the server's #1 choice of cipher suite. (Or #2 if there's no intersection with #1, etc).
    • @sebix - I'm not sure what you mean. Effectively, there are two lists - the client's list and the server's list. By convention (because the standard does not specify the behavior), the server honors the client's choice. If the client wants RC4-MD5, then that's what is used (some hand waving). If the "server preference" option is configured at the server, then the server will use its list, and not the client's list. In this case, the server chooses, or the server's preference is used.

From the SSL Negotiation Configurations for Elastic Load Balancing section of the documentation:

Server Order Preference

Elastic Load Balancing supports the Server Order Preference option for negotiating connections between the client and the load balancer. During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client's list that matches any one of the load balancer's ciphers is selected for the SSL connection. If the load balancer is configured to support Server Order Preference, then the load balancer selects the first cipher in its list that is in the client's list of ciphers. This ensures that the load balancer determines which cipher is used for SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.

For information about the order of ciphers used by Elastic Load Balancing, see Predefined SSL Security Policies.

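The two selection rules described in the AWS documentation quoted above, modeled in Python as an added example (this is not code from the question, the answers, or AWS). The cipher-suite lists are constructed for illustration and are not real ELB policies; the client deliberately lists a weak suite first, as an old or misconfigured client might, while the server lists AEAD suites first.

```python
"""Cipher-suite selection with and without server order preference.

Added example, not from the original page. Models the two rules the ELB
documentation describes: by default the first suite on the client's list
that the server also supports wins; with Server Order Preference enabled,
the first suite on the server's list that the client also offered wins.
"""
from typing import Optional, Sequence


def select_cipher(
    client_order: Sequence[str],
    server_order: Sequence[str],
    server_preference: bool,
) -> Optional[str]:
    """Return the negotiated suite, or None when the lists do not intersect.

    A real TLS server would abort the handshake with a handshake_failure
    alert in the None case; here it is just reported to the caller.
    """
    client_set = set(client_order)
    server_set = set(server_order)
    if server_preference:
        # Walk the server's list and take the first suite the client offered.
        chooser, acceptable = server_order, client_set
    else:
        # Walk the client's list and take the first suite the server supports.
        chooser, acceptable = client_order, server_set
    for suite in chooser:
        if suite in acceptable:
            return suite
    return None


# Constructed sample lists (IANA-style names), not real ELB policies.
CLIENT_ORDER = [
    "TLS_RSA_WITH_RC4_128_MD5",               # weak suite, client's first choice
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
SERVER_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # not offered by this client
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def demo() -> dict:
    """Run both rules on the sample lists plus a no-overlap edge case."""
    return {
        # Client order honored: RC4 is refused, so the CBC suite is chosen.
        "client_preference": select_cipher(CLIENT_ORDER, SERVER_ORDER, False),
        # Server order honored: the first server suite the client also offered.
        "server_preference": select_cipher(CLIENT_ORDER, SERVER_ORDER, True),
        # Client offers only a suite the server lacks: no common suite.
        "no_overlap": select_cipher(["TLS_RSA_WITH_RC4_128_MD5"], SERVER_ORDER, True),
    }


if __name__ == "__main__":
    for mode, suite in demo().items():
        print(f"{mode}: {suite}")
```

The point the model makes concrete: enabling server preference does not let the server pick a suite the client cannot use, it only decides whose ranking breaks the tie within the intersection. To confirm which rule a live endpoint actually applies, connect with a client list whose order deliberately disagrees with the server's (for example `openssl s_client -connect host:443 -cipher 'AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256'`) and check which suite the handshake settles on; a server honoring its own order will pick the suite it ranks higher rather than the one listed first by the client.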