As a standard part of our security review process, we will be changing the set of ciphers supported by our web servers in our AWS ELB cluster. The changes will go live on Feb 28th, 2018.
The following cipher is being dropped:
We are adding a new cipher:
With this change we are effectively enabling the ELBSecurityPolicy-TLS-1-2-2017-01 pre-defined security policy available on Amazon’s Elastic Load Balancer. You can find more information about the security policy here.
Qn: What does it mean to disable an existing cipher?
A client (such as a browser) typically supports multiple SSL/TLS cipher suites. As part of the handshake the client and server agree on one specific cipher. If the server does not accept the cipher the client would prefer (because it is no longer supported), the standard behaviour is for the two sides to fall back to another cipher from the client's list of supported ciphers. All standard browsers and most API SDKs work on this principle, so the change should be completely transparent to end users.
Qn: Why is this change required?
This is a standard part of keeping our security infrastructure up to date. It is security best practice to replace ciphers that have been shown to have theoretical weaknesses with more robust ones.
Qn: I am using a custom API integration with a highly bespoke SSL wrapper and I use one of the ciphers that are going to be disabled. What should I do?
You can test your software by requesting one of the supported ciphers listed on the AWS page linked above. If any of them works, configure your wrapper to request that supported cipher instead of one of the disabled ones.
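The following script is an added example and is not part of this announcement or of any tooling we ship. It does two things: `negotiate()` models the handshake described above (the client offers a list, the server picks the first suite in its own preference order that the client also offered, and the result is `None` when a client pinned to a dropped cipher has nothing in common with the server), and `probe_server()` connects to a host once per cipher suite so you can see which of the policy's suites your endpoint actually accepts. The `TLS_1_2_2017_01_CIPHERS` list is reproduced from the AWS documentation for the ELBSecurityPolicy-TLS-1-2-2017-01 policy as an assumption; verify it against the linked AWS page before relying on it.

```python
import socket
import ssl
import sys
from typing import Dict, Iterable, List, Optional

# Cipher suites of ELBSecurityPolicy-TLS-1-2-2017-01 in server preference
# order, using OpenSSL names. Assumption taken from the AWS ELB documentation;
# check it against the linked AWS page.
TLS_1_2_2017_01_CIPHERS: List[str] = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256",
    "AES128-SHA256",
    "AES256-GCM-SHA384",
    "AES256-SHA256",
]


def negotiate(client_offer: Iterable[str], server_policy: Iterable[str]) -> Optional[str]:
    """Model cipher negotiation: the client offers a set of suites and the
    server chooses the first suite in *its* preference order that the client
    also offered. Returns None when there is no overlap, which is the case
    where a bespoke client pinned to a dropped cipher fails the handshake."""
    offered = set(client_offer)
    for suite in server_policy:
        if suite in offered:
            return suite
    return None


def probe_server(
    host: str,
    port: int = 443,
    suites: Iterable[str] = TLS_1_2_2017_01_CIPHERS,
    timeout: float = 5.0,
) -> Dict[str, str]:
    """Connect to host once per suite, offering only that suite, and record
    whether the server accepted it. Needs network access, so it is not part
    of the offline checks; run it against your own endpoint."""
    results: Dict[str, str] = {}
    for suite in suites:
        ctx = ssl.create_default_context()
        # Pin TLS 1.2 so the server cannot sidestep the probe by picking a
        # TLS 1.3 suite, which set_ciphers() does not control.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(suite)  # raises SSLError if local OpenSSL lacks it
        except ssl.SSLError:
            results[suite] = "not available in local OpenSSL"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    name, version, _bits = tls.cipher()
                    results[suite] = f"accepted ({name}, {version})"
        except ssl.SSLError as exc:
            results[suite] = f"rejected ({exc.reason})"
        except OSError as exc:
            results[suite] = f"connection error ({exc})"
    return results


if __name__ == "__main__":
    # Usage: python probe.py your.endpoint.example  (hostname is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "your.endpoint.example"
    for suite, outcome in probe_server(target).items():
        print(f"{suite:32s} {outcome}")
```

A suite reported as "rejected (SSLV3_ALERT_HANDSHAKE_FAILURE)" is one the server no longer offers; a client library that only knows such suites needs its cipher list updated to one of the accepted ones before the cut-over date. Note that `negotiate()` follows server preference, so a client that lists a weaker suite first still ends up on the suite the server ranks higher.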
Qn: Will there be any disruption of service during this change?
No. There will be absolutely no disruption if you are using a standard web browser to interact with our application, or if you are using any standard SSL SDK.
Qn: I need more help. What can I do?
We are happy to help. Please leave a comment below or send us a note at firstname.lastname@example.org