How do I configure my Application Load Balancer TLS/SSL listeners to use ECDSA ciphers?

Last updated: 2022-03-11

My Application Load Balancer's security policy lists both RSA and ECDSA ciphers, but when I connect to my load balancer, an RSA cipher is always selected. How do I get my load balancer to use ECDSA ciphers for TLS encryption?

Short description

An Application Load Balancer HTTPS listener can be configured with multiple certificates, but it uses a single security policy. Each security policy contains ciphers for both the RSA and ECDSA cryptographic algorithms. During the TLS handshake, the Application Load Balancer uses a certificate selection process to determine which of the listener's certificates to use for the HTTPS connection. If the chosen certificate was created with an RSA key, the Application Load Balancer negotiates RSA ciphers; if it was created with an ECDSA (elliptic curve) key, it negotiates ECDSA ciphers.

Note: Public certificates that are generated by AWS Certificate Manager (ACM) use RSA keys. Therefore, an Application Load Balancer using any ACM-generated certificate is expected to negotiate RSA ciphers. To use ECDSA ciphers for encryption, you must import ECDSA certificates (certificates with ECDSA keys) into ACM and associate them with your HTTPS listener.

Resolution

To use ECDSA ciphers with your Application Load Balancer, perform the following steps:

Import new ECDSA Certificate(s) to AWS Certificate Manager and bind to HTTPS Listener

After you’ve worked with your CA (certificate authority) to obtain ECDSA certificates for your domain in PEM format, perform the following steps:

1.    Import your new ECDSA Certificate to AWS Certificate Manager.

2.    Associate your newly imported ECDSA certificate with your Application Load Balancer.

(Optional) Test your load balancer’s TLS listener for supported ciphers

To test which protocols and ciphers the listener accepts, use an open source command line tool such as sslscan.

Note: sslscan reports all accepted ciphers in a single run, without any additional third party utility. If you use cURL instead, you must specify individual cipher suites, which requires a separate cURL request for each combination of TLS protocol and cipher suite.

You can install and run the sslscan command on any Amazon Elastic Compute Cloud (Amazon EC2) Linux instance or from your local system. Make sure that the Load Balancer that you want to test accepts TLS connections from your source IP address.

To use sslscan on an Amazon Linux EC2 instance, perform the following steps:

1.    Enable the Extra Packages for Enterprise Linux (EPEL) repository.

2.    Install sslscan on your Amazon EC2 Linux instance using the following command:

sudo yum install sslscan

3.    Use the following command syntax to scan your Application Load Balancer for supported ciphers, replacing "example.com" with your domain name:

[ec2-user@ ~]$ sslscan --show-ciphers example.com | grep Accepted

Here's example output from running sslscan against an Application Load Balancer that uses a P-256 ECDSA certificate and the default security policy:

    Accepted  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
    Accepted  TLS11  256 bits  ECDHE-ECDSA-AES256-SHA
    Accepted  TLS11  128 bits  ECDHE-ECDSA-AES128-SHA
    Accepted  TLS12  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  ECDHE-ECDSA-AES256-SHA384
    Accepted  TLS12  256 bits  ECDHE-ECDSA-AES256-SHA
    Accepted  TLS12  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  ECDHE-ECDSA-AES128-SHA256
    Accepted  TLS12  128 bits  ECDHE-ECDSA-AES128-SHA

For comparison, here's example output from running sslscan against a load balancer that uses an RSA 2048 certificate and the default security policy:

    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS11  256 bits  AES256-SHA
    Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLS11  128 bits  AES128-SHA
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS12  256 bits  AES256-GCM-SHA384
    Accepted  TLS12  256 bits  AES256-SHA256
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-SHA256
    Accepted  TLS12  128 bits  AES128-SHA

If your ECDSA certificates are correctly configured on the Application Load Balancer, the output lists only ECDHE-ECDSA-* cipher suites as accepted. If the output shows other cipher suites, review and update your Application Load Balancer security policy.
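As an added example (not part of the original article), the following Python checker parses the "Accepted" lines that the sslscan command above prints and reports which authentication algorithm the accepted suites use, so the comparison between the two outputs can be automated. The sample lines are constructed from the outputs shown above; the regular expression assumes the line format shown there.

```python
import re
from collections import Counter

# Constructed sample lines in the format sslscan prints (copied from the outputs above).
SAMPLE_ECDSA = """\
Accepted  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
Accepted  TLS12  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
"""
SAMPLE_RSA = """\
Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLS12  128 bits  AES128-GCM-SHA256
"""
LINE_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)")

def parse_accepted(output):
    """Yield (protocol, bits, suite) for each Accepted line of sslscan output."""
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)

def classify(suite):
    """Return (key_exchange, auth) from an OpenSSL-style suite name. A suite
    with no ECDHE-/DHE- prefix uses static RSA key transport: RSA
    authentication and no forward secrecy."""
    if suite.startswith("ECDHE-ECDSA-"):
        return "ECDHE", "ECDSA"
    if suite.startswith("ECDHE-RSA-"):
        return "ECDHE", "RSA"
    if suite.startswith("DHE-RSA-"):
        return "DHE", "RSA"
    return "RSA", "RSA"  # e.g. AES256-GCM-SHA384

def summarize(output):
    """Count accepted suites per authentication algorithm and collect the
    static-RSA suites; with an ECDSA certificate on the listener expect only
    ECDSA counts and an empty static-RSA list."""
    auth = Counter()
    static_rsa = []
    for _proto, _bits, suite in parse_accepted(output):
        kx, a = classify(suite)
        auth[a] += 1
        if kx == "RSA":
            static_rsa.append(suite)
    return dict(auth), static_rsa

def uses_ecdsa_only(output):
    """True when every accepted suite authenticates with ECDSA."""
    return set(summarize(output)[0]) == {"ECDSA"}
```

When feeding real sslscan output into these functions, run sslscan with --no-colour so that terminal colour codes do not break the line match.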
