How do I configure my Application Load Balancer TLS/SSL listeners to use ECDSA ciphers?
Last updated: 2022-03-11
My Application Load Balancer’s Security Policy lists RSA and ECDSA ciphers. But when I connect to my Load Balancer, I always see RSA ciphers selected. How do I get my Load Balancer to uses ECDSA ciphers for TLS encryption?
An Application Load Balancer HTTPS listener can be configured with multiple certificates, but requires a single security policy. Each security policy contains ciphers for both RSA and ECDSA cryptographic algorithms. During the TLS handshake, the Application Load Balancer uses selection process logic to determine which Application Load Balancer certificate to use for the HTTPS connection. If the chosen certificate is created using RSA or ECDSA (elliptic curve) keys, Application Load Balancer will leverage RSA or ECDSA ciphers for encryption.
Note: Public certificates that are generated by AWS Certificate Manager (ACM) use RSA keys. Therefore, encryption with an Application Load Balancer using any ACM certificates is expected to leverage RSA ciphers. You must import ECDSA signed certificates into ACM and associate them with your HTTPS listener to leverage ECDSA ciphers for encryption.
To use ECDSA ciphers with your Application Load Balancer, perform the following steps:
Import new ECDSA Certificate(s) to AWS Certificate Manager and bind to HTTPS Listener
After you’ve worked with your CA (certificate authority) to obtain ECDSA certificates for your domain in PEM format, perform the following steps:
(Optional) Test your load balancer’s TLS listener for supported ciphers
To test which protocols and ciphers will be used, use an open source command line tool, such as sslscan.
Note: Using sslscan allows you to obtain complete information of all ciphers without using an additional third party utility. For example, if you use cURL, you must specify individual cipher suites, which require separate cURL requests specifying TLS protocols and cipher suites.
You can install and run the sslscan command on any Amazon Elastic Compute Cloud (Amazon EC2) Linux instance or from your local system. Make sure that the Load Balancer that you want to test accepts TLS connections from your source IP address.
To use sslscan on an Amazon Linux EC2 instance, perform the following steps:
1. Enable the Extra Packages for Enterprise Linux (EPEL) repository.
2. Install sslscan on your Amazon EC2 Linux instance using the following command:
sudo yum install sslscan
3. Use the following command syntax to scan your Application Load Balancer for supported ciphers, replacing "example.com" with your domain name:
[ec2-user@ ~]$ sslscan --show-ciphers example.com | grep Accepted
Here's example output that shows the results of running a vulnerability scan on your Application Load Balancer using a P-256 ECDSA certificate and default security policy:
Accepted TLSv1 256 bits ECDHE-ECDSA-AES256-SHA Accepted TLSv1 128 bits ECDHE-ECDSA-AES128-SHA Accepted TLS11 256 bits ECDHE-ECDSA-AES256-SHA Accepted TLS11 128 bits ECDHE-ECDSA-AES128-SHA Accepted TLS12 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Accepted TLS12 256 bits ECDHE-ECDSA-AES256-SHA384 Accepted TLS12 256 bits ECDHE-ECDSA-AES256-SHA Accepted TLS12 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Accepted TLS12 128 bits ECDHE-ECDSA-AES128-SHA256 Accepted TLS12 128 bits ECDHE-ECDSA-AES128-SHA
To compare, here's the example output of a vulnerability scan on your Load Balancer using an RSA 2048 certificate and default security policy:
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA Accepted TLSv1 128 bits AES128-SHA Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA Accepted TLS11 256 bits AES256-SHA Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA Accepted TLS11 128 bits AES128-SHA Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384 Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384 Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA Accepted TLS12 256 bits AES256-GCM-SHA384 Accepted TLS12 256 bits AES256-SHA256 Accepted TLS12 256 bits AES256-SHA Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256 Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256 Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA Accepted TLS12 128 bits AES128-GCM-SHA256 Accepted TLS12 128 bits AES128-SHA256 Accepted TLS12 128 bits AES128-SHA
If you've properly configured your ECDSA certificates on Application Load Balancer, then your output shows the negotiated <ECDHE-ECDSA-*> cipher suites. If your output shows other cipher suites, review and update your Application Load Balancer security policy.