We're trying for PCI compliance on a load balanced EC2 instance on AWS. One issue we have to resolve is our load balancer accepts weak ciphers. However, ELB doesn't support the cipher suite, so I have to manually set each cipher one by one. Problem is, I can't find a list of what qualifies as a strong cipher. For example, which ciphers does this setting translate to:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
It's surprisingly hard to find this information, and Amazon doesn't have a default PCI compliant setting (which seems so silly - they have two default policies, why not have a third called "Strong PCI" or something).
Update/Hint: Please make sure to read Seamus' follow-up comments as well to ease your way towards PCI certification of an ELB setup, insofar as picking the correct SSL ciphers turned out to be one part of the puzzle only.
Quite a puzzle - a default PCI compliant Elastic Load Balancing (ELB) setting would be extremely helpful indeed ;)
You can find all these tags deciphered in the Apache documentation of the SSLCipherSuite directive, e.g.:
This should allow you to translate them to the respective ELB settings as discussed in Creating a Load Balancer With SSL Cipher Settings and Back-end Server Authentication and Configuring SSL Ciphers specifically.
Good luck!
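The expansion the question asks for can also be read from OpenSSL itself, the library mod_ssl passes the SSLCipherSuite string to. The following is an added example, not part of the original question or answer: it expands the quoted string with Python's standard `ssl` module and flags suite names for review. The `REVIEW_MARKERS` table is an assumption of this example, not a PCI-published list, and the resulting suite list depends on the local OpenSSL build.

```python
import ssl

# The directive value quoted in the question.
QUESTION_SUITE = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

# Assumption of this example: name fragments worth flagging for review.
# This is not a PCI-published list.
REVIEW_MARKERS = {
    "RC4": "RC4 stream cipher",
    "DES": "DES or 3DES",
    "NULL": "no encryption",
    "EXP": "export-grade key length",
    "ADH": "anonymous DH, no authentication",
    "AECDH": "anonymous ECDH, no authentication",
    "MD5": "MD5 MAC",
}


def expand(cipher_string):
    """Return (name, protocol, bits) for each suite the local OpenSSL selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def review_reasons(name):
    """Reasons a suite name deserves a second look; empty list if none."""
    # Compare whole name components so "DES" does not match inside "AES128".
    parts = name.replace("_", "-").split("-")
    return [why for marker, why in REVIEW_MARKERS.items()
            if any(p.startswith(marker) for p in parts)]


if __name__ == "__main__":
    for name, protocol, bits in expand(QUESTION_SUITE):
        flags = "; ".join(review_reasons(name)) or "ok"
        print(f"{name:<34} {protocol:<8} {bits:>3} bits  {flags}")
```

Because `RC4+RSA` and `+MEDIUM` only select suites the OpenSSL build still ships, running this on the server that actually terminates TLS shows what that host would offer.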