Add custom CIPHER to Full-Set ELB to disable insecure SSL Protocols
### Changed
- Changed default parameter `compute.elb_cipher_suite` to `AOCELBSecurityPolicy-TLS-1-2-2017-01`
- Disable TLS 1.0 & TLS 1.1 support for Author-Dispatcher, Publish-Dispatcher & Author ELB
mbloch1986 committed May 29, 2020
1 parent 751f1c5 commit eeb0bb5
Showing 6 changed files with 575 additions and 2 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -6,6 +6,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## Unreleased
### Changed
- Changed default parameter `compute.elb_cipher_suite` to `AOCELBSecurityPolicy-TLS-1-2-2017-01`
- Disable TLS 1.0 & TLS 1.1 support for Author-Dispatcher, Publish-Dispatcher & Author ELB

## 4.35.3 - 2020-05-28
### Fixed
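Review bot: the Unreleased entry understates the change in two ways. First, the new policy also turns off SSLv3 (the template sets `Protocol-SSLv3` to `"false"`), so the second bullet should read "Disable SSLv3, TLS 1.0 & TLS 1.1 support". Second, the default value is now the name of a policy declared inline in the templates rather than an AWS predefined policy name, so anyone who overrides `compute.elb_cipher_suite` with a predefined name such as the previous default `ELBSecurityPolicy-2016-08` needs to know whether that still works; a sentence on the override semantics belongs here, and if it no longer works this is a breaking change that should be called out as such.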
3 changes: 1 addition & 2 deletions conf/ansible/inventory/group_vars/apps.yaml
@@ -142,8 +142,7 @@ messaging:

compute:
key_pair_name: overwrite-me
# TODO: switch to ELBSecurityPolicy-TLS-1-2-2017-01 after upgrading deps
elb_cipher_suite: ELBSecurityPolicy-2016-08
elb_cipher_suite: AOCELBSecurityPolicy-TLS-1-2-2017-01

s3:
data_bucket_name: overwrite-me
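Review bot: the removed TODO said the move to `ELBSecurityPolicy-TLS-1-2-2017-01` was blocked until dependencies were upgraded, and the replacement sidesteps that by naming a locally defined copy instead of the AWS predefined policy; a comment on the new line should say that the value must match a `PolicyName` declared in the Full-Set ELB templates (`AOCELBSecurityPolicy-TLS-1-2-2017-01` in `author-dispatcher.yaml`), otherwise a future reader will reasonably assume any `ELBSecurityPolicy-*` name is still accepted as it was before. It is also worth recording either why the dependency blocker no longer applies or that this is a workaround for it, so the TODO is not silently lost.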
1 change: 1 addition & 0 deletions docs/configuration.md
@@ -124,6 +124,7 @@ These configurations are applicable to AWS resources used by the AEM environment
| messaging.alarm_notification.contact_email | Recipient email address where AEM Full-Set alarm notification will be sent to. | Optional | |
| messaging.alarm_notification.https_endpoint | Notification https endpoint where AEM Full-Set alarm notification will be sent to. | Optional | |
| compute.key_pair_name | [EC2 key pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) to be provisioned on all EC2 instances within the AEM environment. | Mandatory | |
| compute.elb_cipher_suite | Cipher to use for the AEM Full-Set Author-Dispatcher, Publish-Dispatcher & Author ELB. Default parameter is a 1:1 copy of AWS default SSL policy `ELBSecurityPolicy-TLS-1-2-2017-01`| optional | `AOCELBSecurityPolicy-TLS-1-2-2017-01` |
| s3.data_bucket_name | S3 data bucket which stores all AEM environment's object files such as descriptors and credentials. | Mandatory | |
| s3.create_bucket_flag | If "true", an S3 bucket with name: `s3.data_bucket_name` will be created as part of `make create-aws-resources` | Optional | "true" |
| dns_records.create_hosted_zone_flag | If "true", a Route53 Private HostedZone with name: `dns_records.route53_hosted_zone_name` will be created as part of `make create-aws-resources` | Optional | "true" |
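Review bot: the new row's description is imprecise: the value is an ELB SSL negotiation policy name, not a single cipher, and `ELBSecurityPolicy-TLS-1-2-2017-01` is an AWS *predefined* policy, not the AWS default (the previous default in `apps.yaml` was `ELBSecurityPolicy-2016-08`). The row also says `optional` in lower case where every other row says `Optional`, and the missing space before the closing `|` of the description cell breaks the table alignment. Suggested wording: `| compute.elb_cipher_suite | SSL negotiation policy name used by the AEM Full-Set Author-Dispatcher, Publish-Dispatcher & Author ELB. The default is a 1:1 copy of the AWS predefined policy `ELBSecurityPolicy-TLS-1-2-2017-01` (TLS 1.2 only). | Optional | `AOCELBSecurityPolicy-TLS-1-2-2017-01` |`, plus a note on whether AWS predefined policy names are still accepted as overrides.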
190 changes: 190 additions & 0 deletions templates/cloudformation/apps/aem/full-set/author-dispatcher.yaml
@@ -287,6 +287,196 @@ Resources:
Ref: AuthorDispatcherLoadBalancerHealthCheckTargetParameter
Timeout: '5'
UnhealthyThreshold: '2'
Policies:
- PolicyName: AOCELBSecurityPolicy-TLS-1-2-2017-01
PolicyType: SSLNegotiationPolicyType
Attributes:
- Name: Protocol-SSLv3
Value: "false"
- Name: Protocol-TLSv1
Value: "false"
- Name: Protocol-TLSv1.1
Value: "false"
- Name: Protocol-TLSv1.2
Value: "true"
- Name: Server-Defined-Cipher-Order
Value: "true"
- Name: ECDHE-ECDSA-AES128-GCM-SHA256
Value: "true"
- Name: ECDHE-RSA-AES128-GCM-SHA256
Value: "true"
- Name: ECDHE-ECDSA-AES128-SHA256
Value: "true"
- Name: ECDHE-RSA-AES128-SHA256
Value: "true"
- Name: ECDHE-ECDSA-AES128-SHA
Value: "false"
- Name: ECDHE-RSA-AES128-SHA
Value: "false"
- Name: DHE-RSA-AES128-SHA
Value: "false"
- Name: ECDHE-ECDSA-AES256-GCM-SHA384
Value: "true"
- Name: ECDHE-RSA-AES256-GCM-SHA384
Value: "true"
- Name: ECDHE-ECDSA-AES256-SHA384
Value: "true"
- Name: ECDHE-RSA-AES256-SHA384
Value: "true"
- Name: ECDHE-RSA-AES256-SHA
Value: "false"
- Name: ECDHE-ECDSA-AES256-SHA
Value: "false"
- Name: AES128-GCM-SHA256
Value: "true"
- Name: AES128-SHA256
Value: "true"
- Name: AES128-SHA
Value: "false"
- Name: AES256-GCM-SHA384
Value: "true"
- Name: AES256-SHA256
Value: "true"
- Name: AES256-SHA
Value: "false"
- Name: DHE-DSS-AES128-SHA
Value: "false"
- Name: CAMELLIA128-SHA
Value: "false"
- Name: EDH-RSA-DES-CBC3-SHA
Value: "false"
- Name: DES-CBC3-SHA
Value: "false"
- Name: ECDHE-RSA-RC4-SHA
Value: "false"
- Name: RC4-SHA
Value: "false"
- Name: ECDHE-ECDSA-RC4-SHA
Value: "false"
- Name: DHE-DSS-AES256-GCM-SHA384
Value: "false"
- Name: DHE-RSA-AES256-GCM-SHA384
Value: "false"
- Name: DHE-RSA-AES256-SHA256
Value: "false"
- Name: DHE-DSS-AES256-SHA256
Value: "false"
- Name: DHE-RSA-AES256-SHA
Value: "false"
- Name: DHE-DSS-AES256-SHA
Value: "false"
- Name: DHE-RSA-CAMELLIA256-SHA
Value: "false"
- Name: DHE-DSS-CAMELLIA256-SHA
Value: "false"
- Name: CAMELLIA256-SHA
Value: "false"
- Name: EDH-DSS-DES-CBC3-SHA
Value: "false"
- Name: DHE-DSS-AES128-GCM-SHA256
Value: "false"
- Name: DHE-RSA-AES128-GCM-SHA256
Value: "false"
- Name: DHE-RSA-AES128-SHA256
Value: "false"
- Name: DHE-DSS-AES128-SHA256
Value: "false"
- Name: DHE-RSA-CAMELLIA128-SHA
Value: "false"
- Name: DHE-DSS-CAMELLIA128-SHA
Value: "false"
- Name: ADH-AES128-GCM-SHA256
Value: "false"
- Name: ADH-AES128-SHA
Value: "false"
- Name: ADH-AES128-SHA256
Value: "false"
- Name: ADH-AES256-GCM-SHA384
Value: "false"
- Name: ADH-AES256-SHA
Value: "false"
- Name: ADH-AES256-SHA256
Value: "false"
- Name: ADH-CAMELLIA128-SHA
Value: "false"
- Name: ADH-CAMELLIA256-SHA
Value: "false"
- Name: ADH-DES-CBC3-SHA
Value: "false"
- Name: ADH-DES-CBC-SHA
Value: "false"
- Name: ADH-RC4-MD5
Value: "false"
- Name: ADH-SEED-SHA
Value: "false"
- Name: DES-CBC-SHA
Value: "false"
- Name: DHE-DSS-SEED-SHA
Value: "false"
- Name: DHE-RSA-SEED-SHA
Value: "false"
- Name: EDH-DSS-DES-CBC-SHA
Value: "false"
- Name: EDH-RSA-DES-CBC-SHA
Value: "false"
- Name: IDEA-CBC-SHA
Value: "false"
- Name: RC4-MD5
Value: "false"
- Name: SEED-SHA
Value: "false"
- Name: DES-CBC3-MD5
Value: "false"
- Name: DES-CBC-MD5
Value: "false"
- Name: RC2-CBC-MD5
Value: "false"
- Name: PSK-AES256-CBC-SHA
Value: "false"
- Name: PSK-3DES-EDE-CBC-SHA
Value: "false"
- Name: KRB5-DES-CBC3-SHA
Value: "false"
- Name: KRB5-DES-CBC3-MD5
Value: "false"
- Name: PSK-AES128-CBC-SHA
Value: "false"
- Name: PSK-RC4-SHA
Value: "false"
- Name: KRB5-RC4-SHA
Value: "false"
- Name: KRB5-RC4-MD5
Value: "false"
- Name: KRB5-DES-CBC-SHA
Value: "false"
- Name: KRB5-DES-CBC-MD5
Value: "false"
- Name: EXP-EDH-RSA-DES-CBC-SHA
Value: "false"
- Name: EXP-EDH-DSS-DES-CBC-SHA
Value: "false"
- Name: EXP-ADH-DES-CBC-SHA
Value: "false"
- Name: EXP-DES-CBC-SHA
Value: "false"
- Name: EXP-RC2-CBC-MD5
Value: "false"
- Name: EXP-KRB5-RC2-CBC-SHA
Value: "false"
- Name: EXP-KRB5-DES-CBC-SHA
Value: "false"
- Name: EXP-KRB5-RC2-CBC-MD5
Value: "false"
- Name: EXP-KRB5-DES-CBC-MD5
Value: "false"
- Name: EXP-ADH-RC4-MD5
Value: "false"
- Name: EXP-RC4-MD5
Value: "false"
- Name: EXP-KRB5-RC4-SHA
Value: "false"
- Name: EXP-KRB5-RC4-MD5
Value: "false"
Listeners:
- InstancePort: '80'
LoadBalancerPort: '80'
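Review bot: as shown, the new `Policies` block is only half the change: nothing in this hunk attaches `AOCELBSecurityPolicy-TLS-1-2-2017-01` to the HTTPS listener (the only visible `Listeners` entry is port 80), so please confirm that the 443 listener's `PolicyNames` references it, otherwise the policy is declared but never negotiated. Two further points. The enabled set faithfully mirrors the AWS predefined policy, which means it still includes the non-forward-secret static RSA suites `AES128-GCM-SHA256`, `AES128-SHA256`, `AES256-GCM-SHA384` and `AES256-SHA256` and the CBC suites `ECDHE-*-AES*-SHA256`/`SHA384`; given the commit's stated goal of disabling insecure settings, keeping them is a deliberate compatibility choice that deserves a one-line comment above `PolicyName`. And since the changelog says the same roughly 190-line list goes into the Author-Dispatcher, Publish-Dispatcher and Author templates, drift between the copies will be silent; consider generating the block from one source, or at least add a comment pointing at the sibling copies. After deployment a quick check is `openssl s_client -connect <elb>:443 -tls1_1`, which should fail the handshake while `-tls1_2` succeeds.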
