From 369b0caba6a01abf20dab9319e8d3b6664057c80 Mon Sep 17 00:00:00 2001
From: wflynnvey
Date: Thu, 27 Mar 2014 11:58:52 -0400
Subject: [PATCH 1/2] Enforce Server Defined Cipher Order, bringing AWS ELB policy in line with best practices given for, e.g. Apache: https://wiki.mozilla.org/Security/Server_Side_TLS#Apache SSLHonorCipherOrder on Add "Server-Defined-Cipher-Order": True Increment version in policy_name
---
 .../apply_security_assurance_elb_ciphersuite_policy.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py b/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
index 01f14c3..da8bff5 100755
--- a/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
+++ b/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
@@ -96,15 +96,16 @@
 "RC2-CBC-MD5": False,
 "RC4-MD5": False,
 "RC4-SHA": True,
- "SEED-SHA": False}
+ "SEED-SHA": False,
+ "Server-Defined-Cipher-Order": True}
 
-policy_name = 'Mozilla-Security-Assurance-Ciphersuite-Policy-v-1-2'
+policy_name = 'Mozilla-Security-Assurance-Ciphersuite-Policy-v-1-3'
 
 # Create the Ciphersuite Policy
 params = {'LoadBalancerName': load_balancer_name,
 'PolicyName': policy_name,
 'PolicyTypeName': 'SSLNegotiationPolicyType'}
-conn_elb.build_complex_list_params(params,
+conn_elb.build_complex_list_params(params, 
 [(x, policy_attributes[x]) for x in policy_attributes.keys()],
 'PolicyAttributes.member',
 ('AttributeName', 'AttributeValue'))

From 645c5e613a389620254e4cf304cf6490145bd381 Mon Sep 17 00:00:00 2001
From: wflynnvey
Date: Mon, 7 Apr 2014 14:32:18 -0400
Subject: [PATCH 2/2] Added support for including a referred policy from AWS re: #3219
---
 ...curity_assurance_elb_ciphersuite_policy.py | 25 +++++++++++--------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py b/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
index da8bff5..f450e9c 100755
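Review bot: The `+conn_elb.build_complex_list_params(params,` line differs from the removed line only in whitespace as far as the collapsed hunk shows (the diffstat counts it as one of the four insertions), so this is whitespace-only churn that should be dropped from the commit. The bump of `policy_name` to `-v-1-3` alongside the new `"Server-Defined-Cipher-Order": True` attribute is the right move, presumably because a policy that already exists under the old name would not be updated in place; a comment above the assignment, `# Bump the version suffix whenever policy_attributes changes; the policy is created by name`, would stop a later edit from reusing the name. Note that the hunk's context still shows `"RC4-SHA": True`, so enabling server-defined ordering does not by itself remove RC4 from what the ELB will negotiate; that is a separate policy decision but worth revisiting while the version is being bumped. The `policy_attributes` dict opens before the hunk and the `build_complex_list_params` call continues past it.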
--- a/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
+++ b/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
@@ -1,24 +1,31 @@
 #!/usr/bin/env python
+# Added passing AWS policy to implement via referral - AWS Have their own
+# Policy Best Practices
+
 # Apply recommendation from https://wiki.mozilla.org/Security/Server_Side_TLS
 
 import boto.ec2.elb
 import sys
 
-if len(sys.argv) < 2:
- print "usage : %s REGION ELB-NAME" % sys.argv[0]
+if len(sys.argv) < 2 or len(sys.argv) > 4:
+ print "usage : %s REGION ELB-NAME [REFERRED-POLICY]" % sys.argv[0]
 print ""
- print "Example : %s us-west-2 persona-org-0810" % sys.argv[0]
+ print "Example : %s us-east-1 ANALYTICS-HTTPS [ELBSecurityPolicy-2014-01]" % sys.argv[0]
 sys.exit(1)
 
 region = sys.argv[1]
 load_balancer_name = sys.argv[2]
 
 conn_elb = boto.ec2.elb.connect_to_region(region)
-
-#import logging
-#logging.basicConfig(level=logging.DEBUG)
-
-policy_attributes = {"ADH-AES128-GCM-SHA256": False,
+# import logging
+# logging.basicConfig(level=logging.DEBUG)
+if sys.argv[3]:
+ referred_policy = sys.argv[3]
+ policy_name = 'Ciphersuite-' + referred_policy + '-v-1-0'
+ policy_attributes = {'Reference-Security-Policy':referred_policy}
+else:
+ policy_name = 'Mozilla-Security-Assurance-Ciphersuite-Policy-v-1-3'
+ policy_attributes = {"ADH-AES128-GCM-SHA256": False,
 "ADH-AES256-GCM-SHA384": False,
 "ADH-AES128-SHA": False,
 "ADH-AES128-SHA256": False,
@@ -99,8 +106,6 @@
 "SEED-SHA": False,
 "Server-Defined-Cipher-Order": True}
 
-policy_name = 'Mozilla-Security-Assurance-Ciphersuite-Policy-v-1-3'
-
 # Create the Ciphersuite Policy
 params = {'LoadBalancerName': load_balancer_name,
 'PolicyName': policy_name,
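Review bot: `if sys.argv[3]:` raises IndexError whenever the optional REFERRED-POLICY argument is omitted, because a three-element argv has no index 3, so the Mozilla default branch under `else:` is unreachable in practice; the guard should test length, `if len(sys.argv) > 3:`. The usage check in the same hunk has the matching off-by-one: `len(sys.argv) < 2` still admits a call with only REGION, after which `sys.argv[2]` fails on the load-balancer name, so it should read `if len(sys.argv) < 3 or len(sys.argv) > 4:`. The referral branch sets `policy_attributes` to the single `Reference-Security-Policy` key, so none of the explicit attributes, `Server-Defined-Cipher-Order` included, are sent in that mode and the effective cipher set is presumably whatever the named AWS policy defines; a one-line comment there, `# Referral mode: the predefined AWS policy supplies the cipher list and ordering`, would make that trade-off explicit for operators. The `policy_attributes` dict opened in the `else:` branch continues past the end of the hunk.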