This repository was archived by the owner on Feb 20, 2019. It is now read-only.
30 changes: 18 additions & 12 deletions aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
@@ -1,24 +1,31 @@
#!/usr/bin/env python

# Added passing AWS policy to implement via referral - AWS Have their own
# Policy Best Practices

# Apply recommendation from https://wiki.mozilla.org/Security/Server_Side_TLS

import boto.ec2.elb
import sys

if len(sys.argv) < 2:
print "usage : %s REGION ELB-NAME" % sys.argv[0]
if len(sys.argv) < 2 or len(sys.argv) > 4:
print "usage : %s REGION ELB-NAME [REFERRED-POLICY]" % sys.argv[0]
print ""
print "Example : %s us-west-2 persona-org-0810" % sys.argv[0]
print "Example : %s us-east-1 ANALYTICS-HTTPS [ELBSecurityPolicy-2014-01]" % sys.argv[0]
sys.exit(1)

region = sys.argv[1]
load_balancer_name = sys.argv[2]
conn_elb = boto.ec2.elb.connect_to_region(region)

#import logging
#logging.basicConfig(level=logging.DEBUG)

policy_attributes = {"ADH-AES128-GCM-SHA256": False,
# import logging
# logging.basicConfig(level=logging.DEBUG)
if sys.argv[3]:
referred_policy = sys.argv[3]
policy_name = 'Ciphersuite-' + referred_policy + '-v-1-0'
policy_attributes = {'Reference-Security-Policy':referred_policy}
else:
policy_name = 'Mozilla-Security-Assurance-Ciphersuite-Policy-v-1-3'
policy_attributes = {"ADH-AES128-GCM-SHA256": False,
"ADH-AES256-GCM-SHA384": False,
"ADH-AES128-SHA": False,
"ADH-AES128-SHA256": False,
Expand Down Expand Up @@ -96,15 +103,14 @@
"RC2-CBC-MD5": False,
"RC4-MD5": False,
"RC4-SHA": True,
"SEED-SHA": False}

policy_name = 'Mozilla-Security-Assurance-Ciphersuite-Policy-v-1-2'
"SEED-SHA": False,
"Server-Defined-Cipher-Order": True}

# Create the Ciphersuite Policy
params = {'LoadBalancerName': load_balancer_name,
'PolicyName': policy_name,
'PolicyTypeName': 'SSLNegotiationPolicyType'}
conn_elb.build_complex_list_params(params,
conn_elb.build_complex_list_params(params,
[(x, policy_attributes[x]) for x in policy_attributes.keys()],
'PolicyAttributes.member',
('AttributeName', 'AttributeValue'))
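Review bot: `if sys.argv[3]:` in the first hunk raises IndexError whenever REFERRED-POLICY is omitted, so the `else` branch that builds the Mozilla cipher policy is only reachable by passing an empty string, and the documented two-argument invocation exits with a traceback before any policy is applied to the ELB. The argument-count guard has the same gap: `len(sys.argv) < 2` lets a call with only REGION through to `sys.argv[2]`. I would change the two tests to `if len(sys.argv) < 3 or len(sys.argv) > 4:` and `if len(sys.argv) == 4:`. Separately, the context lines of the second hunk show `"RC4-SHA": True` carried unchanged into the policy renamed to v-1-3; RC4 cipher suites are prohibited for TLS by RFC 7465, so that entry is worth re-checking against the current Mozilla Server Side TLS guidance before this policy is applied to more load balancers.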