From e054206ac353ea72b3088e05f02cb387b0982c8b Mon Sep 17 00:00:00 2001
From: JP Schneider
Date: Tue, 27 May 2014 16:06:35 -0500
Subject: [PATCH 1/2] Add ECDHE ciphers and set to true, should enable pfs http://aws.amazon.com/blogs/aws/elastic-load-balancing-perfect-forward-secrecy-and-other-security-enhancements
---
 ..._security_assurance_elb_ciphersuite_policy.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py b/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
index 01f14c3..f39c832 100755
--- a/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
+++ b/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
@@ -60,6 +60,18 @@
 "DHE-RSA-CAMELLIA128-SHA": False,
 "DHE-RSA-CAMELLIA256-SHA": False,
 "DHE-RSA-SEED-SHA": False,
+ "ECDHE-ECDSA-AES128-GCM-SHA256": True,
+ "ECDHE-RSA-AES128-GCM-SHA256": True,
+ "ECDHE-ECDSA-AES128-SHA256": True,
+ "ECDHE-RSA-AES128-SHA256": True,
+ "ECDHE-ECDSA-AES128-SHA": True,
+ "ECDHE-RSA-AES128-SHA": True,
+ "ECDHE-ECDSA-AES256-GCM-SHA384": True,
+ "ECDHE-RSA-AES256-GCM-SHA384": True,
+ "ECDHE-ECDSA-AES256-SHA384": True,
+ "ECDHE-RSA-AES256-SHA384": True,
+ "ECDHE-RSA-AES256-SHA": True,
+ "ECDHE-ECDSA-AES256-SHA": True,
 "EDH-DSS-DES-CBC3-SHA": False,
 "EDH-DSS-DES-CBC-SHA": False,
 "EDH-RSA-DES-CBC3-SHA": False,
@@ -98,13 +110,13 @@
 "RC4-SHA": True,
 "SEED-SHA": False}
 
-policy_name = 'Mozilla-Security-Assurance-Ciphersuite-Policy-v-1-2'
+policy_name = 'Mozilla-Security-Assurance-Ciphersuite-Policy-v-1-3'
 
 # Create the Ciphersuite Policy
 params = {'LoadBalancerName': load_balancer_name,
 'PolicyName': policy_name,
 'PolicyTypeName': 'SSLNegotiationPolicyType'}
 
-conn_elb.build_complex_list_params(params,
+conn_elb.build_complex_list_params(params,
 [(x, policy_attributes[x]) for x in policy_attributes.keys()],
 'PolicyAttributes.member', ('AttributeName', 'AttributeValue'))
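Review bot: Enabling the twelve ECDHE suites does not by itself make every connection forward-secret, because non-(EC)DHE suites stay enabled in the same policy — `"RC4-SHA": True,` is visible as context in this patch's second hunk — and no server-order attribute is set in this patch, so a client that prefers RC4-SHA presumably still negotiates a non-PFS, RC4-based suite. Either flip that entry (`"RC4-SHA": False,`) or record the intent above the new group with a comment such as `# Forward-secret (ECDHE) suites; any non-(EC)DHE suite left True below can still be negotiated`. The `ECDHE-ECDSA-*` entries are presumably inert on a listener whose certificate is RSA, which is harmless but worth a one-line comment so nobody reads them as active. The `policy_attributes` literal starts before this hunk.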
From 0ada12c6ad85600e83c2b26c7849f399782a865c Mon Sep 17 00:00:00 2001
From: JP Schneider
Date: Tue, 27 May 2014 18:17:58 -0500
Subject: [PATCH 2/2] Add server defined cipher order, and order the Protocols a bit
---
 ...curity_assurance_elb_ciphersuite_policy.py | 32 ++++++++++---------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py b/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
index f39c832..0761f76 100755
--- a/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
+++ b/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py
@@ -18,7 +18,19 @@
 #import logging
 #logging.basicConfig(level=logging.DEBUG)
 
-policy_attributes = {"ADH-AES128-GCM-SHA256": False,
+policy_attributes = {"ECDHE-ECDSA-AES128-GCM-SHA256": True,
+ "ECDHE-RSA-AES128-GCM-SHA256": True,
+ "ECDHE-ECDSA-AES128-SHA256": True,
+ "ECDHE-RSA-AES128-SHA256": True,
+ "ECDHE-ECDSA-AES128-SHA": True,
+ "ECDHE-RSA-AES128-SHA": True,
+ "ECDHE-ECDSA-AES256-GCM-SHA384": True,
+ "ECDHE-RSA-AES256-GCM-SHA384": True,
+ "ECDHE-ECDSA-AES256-SHA384": True,
+ "ECDHE-RSA-AES256-SHA384": True,
+ "ECDHE-RSA-AES256-SHA": True,
+ "ECDHE-ECDSA-AES256-SHA": True,
+ "ADH-AES128-GCM-SHA256": False,
 "ADH-AES256-GCM-SHA384": False,
 "ADH-AES128-SHA": False,
 "ADH-AES128-SHA256": False,
@@ -60,18 +72,6 @@
 "DHE-RSA-CAMELLIA128-SHA": False,
 "DHE-RSA-CAMELLIA256-SHA": False,
 "DHE-RSA-SEED-SHA": False,
- "ECDHE-ECDSA-AES128-GCM-SHA256": True,
- "ECDHE-RSA-AES128-GCM-SHA256": True,
- "ECDHE-ECDSA-AES128-SHA256": True,
- "ECDHE-RSA-AES128-SHA256": True,
- "ECDHE-ECDSA-AES128-SHA": True,
- "ECDHE-RSA-AES128-SHA": True,
- "ECDHE-ECDSA-AES256-GCM-SHA384": True,
- "ECDHE-RSA-AES256-GCM-SHA384": True,
- "ECDHE-ECDSA-AES256-SHA384": True,
- "ECDHE-RSA-AES256-SHA384": True,
- "ECDHE-RSA-AES256-SHA": True,
- "ECDHE-ECDSA-AES256-SHA": True,
 "EDH-DSS-DES-CBC3-SHA": False,
 "EDH-DSS-DES-CBC-SHA": False,
 "EDH-RSA-DES-CBC3-SHA": False,
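Review bot: Moving the ECDHE entries to the top of the `policy_attributes` literal does not change the order in which they are later sent, since `policy_attributes.keys()` (visible in the first patch's second hunk) iterates a plain dict, and on the Python 2 interpreter this boto-style script appears to target a dict's iteration order is not the literal's order (insertion order is only guaranteed from Python 3.7). If the submitted order is meant to express precedence, build the mapping as `collections.OrderedDict([...])` from a list of pairs and iterate that; otherwise say so with a comment such as `# Grouped for readability only; dict order is not what ELB receives`. The second hunk of this patch is the other half of the same move and carries the same caveat. The literal continues past the end of this hunk.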
@@ -108,9 +108,11 @@
 "RC2-CBC-MD5": False,
 "RC4-MD5": False,
 "RC4-SHA": True,
- "SEED-SHA": False}
+ "SEED-SHA": False,
+ "Server-Defined-Cipher-Order": True
+ }
 
-policy_name = 'Mozilla-Security-Assurance-Ciphersuite-Policy-v-1-3'
+policy_name = 'Mozilla-Security-Assurance-Ciphersuite-Policy-v-1-4'
 
 # Create the Ciphersuite Policy
 params = {'LoadBalancerName': load_balancer_name,
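Review bot: `"Server-Defined-Cipher-Order": True` is a policy attribute rather than a cipher name, yet it is appended to the cipher table with nothing marking that difference; a comment directly above it such as `# Not a cipher: lets ELB, not the client, choose the suite` keeps the two kinds of entry apart. It is also worth stating what "server" order means here: the precedence ELB applies is presumably its own ranking of the enabled suites, not the order of this literal, so the comment should not promise a particular priority. The `"RC4-SHA": True,` context line in this hunk is still enabled in v-1-4, so server preference lowers but does not remove the chance of a non-forward-secret negotiation. Bumping `policy_name` to v-1-4 appears to create a fresh policy on each run; whether the earlier versions are detached from the listener is outside this hunk.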