I currently have SSLInsecureRenegotiation set to off on my Apache 2.4 Amazon Linux server, but I am still failing over at SSLLabs (Secure Client-Initiated Renegotiation SUPPORTED). Do you know how to enable this on the ELB?
That's a function of the ELB Security Policy. A new predefined policy ELBSecurityPolicy-2014-10 contains the fix you're looking for, or you can define a custom policy. With an HTTPS listener in ELB, your instance's SSL configuration isn't visible to the outside world, because there are two different SSL sessions happening with each connection -- the browser connection to ELB and the ELB connection to your instance. Your server config only impacts the second one. The ELB security policy defines the first one.
http://aws.amazon.com/security/security-bulletins/CVE-2014-3566-advisory/

Michael - sqlbot

- Hi, while the new ELBSecurityPolicy did disable SSL3 (which I had previously done on my own), I am still getting Secure Client-Initiated Renegotiation Supported DoS DANGER (more info) from SSL Labs. It looks like the ELB doesn't support shutting off Client-Initiated Renegotiation? – David Eisen Oct 21 '14 at 13:29
- You're apparently correct. I was thinking of renegotiation in terms of CVE-2014-3566, not in general. – Michael - sqlbot Oct 22 '14 at 00:32
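The answer's point is that with an HTTPS listener the load balancer terminates the browser-facing TLS session, so the only place to change what SSL Labs sees is the ELB security policy. The script below is an added example (not code from the answer or from AWS) showing how that policy is applied to a classic ELB's 443 listener with the AWS CLI, referencing the predefined ELBSecurityPolicy-2014-10 policy the answer names, and how to read back which policies the listener uses afterwards. The load balancer name `my-elb` and policy name `my-tls-policy-2014-10` are placeholders. By default the commands are only printed (DRY_RUN=1); set DRY_RUN=0 to execute them with your credentials. As the comments above note, this reference policy disables SSLv3 but does not turn off client-initiated renegotiation on the ELB side, so the SSL Labs renegotiation finding is not addressed by it.

```shell
#!/bin/sh
# Added example, not part of the original answer: apply a predefined ELB
# security policy to a classic ELB HTTPS listener and confirm the result.
# LB_NAME / POLICY_NAME below are placeholders; substitute your own.
# DRY_RUN=1 (default) prints the aws commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create an SSL negotiation policy on the load balancer that references a
# predefined AWS policy, then attach it to the port 443 listener. This only
# affects the browser-to-ELB TLS session; the ELB-to-instance session is
# still governed by the instance's own Apache configuration.
apply_elb_security_policy() {
    lb_name="$1"
    policy_name="$2"
    reference="${3:-ELBSecurityPolicy-2014-10}"
    run aws elb create-load-balancer-policy \
        --load-balancer-name "$lb_name" \
        --policy-name "$policy_name" \
        --policy-type-name SSLNegotiationPolicyType \
        --policy-attributes "AttributeName=Reference-Security-Policy,AttributeValue=$reference"
    run aws elb set-load-balancer-policies-of-listener \
        --load-balancer-name "$lb_name" \
        --load-balancer-port 443 \
        --policy-names "$policy_name"
}

# Read back the policy names attached to the 443 listener so the change
# can be verified before re-running an external scan.
show_listener_policies() {
    run aws elb describe-load-balancers \
        --load-balancer-names "$1" \
        --query 'LoadBalancerDescriptions[0].ListenerDescriptions[?Listener.LoadBalancerPort==`443`].PolicyNames'
}

apply_elb_security_policy "my-elb" "my-tls-policy-2014-10"
show_listener_policies "my-elb"
```

Run it once with DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 against the real load balancer; the describe call should list the new policy name on the 443 listener.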