AWS ELBs have a series of "policies" (predefined reference security policies such as ELBSecurityPolicy-2011-08, or custom ones) which bundle the SSL/TLS protocol versions, cipher suites and cipher-ordering preference that a listener will negotiate. It is possible that the "2011-08" policy would be appropriate for this purpose (remains to be verified); otherwise we can define a custom policy that fits our needs. Unfortunately for us, these policies cannot currently be managed in Terraform, so this may end up being trickier than we'd first envisioned.
One possible workaround is to use a local-exec provisioner to apply the policy with the AWS CLI, as suggested by t0m on IRC: http://paste.scsys.co.uk/488127 (that paste enables PROXY protocol on the backend ports rather than setting an SSL policy, but the pattern is the same). Caveat: local-exec only runs when the resource it belongs to is created, so the policy never appears in Terraform state; drift (someone changing the policy by hand) is invisible to `terraform plan`, and if the provisioner lives in a null_resource it won't re-run when the ELB is recreated unless a trigger ties it to the ELB's ID.
# 1. Create a ProxyProtocol policy on the ELB (a no-op if it already exists
#    with identical attributes; the CLI errors if the name is taken with different ones)
provisioner "local-exec" {
  command = "aws elb create-load-balancer-policy --region ${var.region} --profile ${var.account} --load-balancer-name ${aws_elb.extelb.name} --policy-name EnableProxyProtocol --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=True"
}
# 2. Attach it to each backend port; note this call *replaces* the full set of
#    backend policies for that port, so list every policy the port should keep
provisioner "local-exec" {
  command = "aws elb set-load-balancer-policies-for-backend-server --region ${var.region} --profile ${var.account} --load-balancer-name ${aws_elb.extelb.name} --instance-port 80 --policy-names EnableProxyProtocol"
}
provisioner "local-exec" {
  command = "aws elb set-load-balancer-policies-for-backend-server --region ${var.region} --profile ${var.account} --load-balancer-name ${aws_elb.extelb.name} --instance-port 443 --policy-names EnableProxyProtocol"
}
See also: https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-config-update.html
Based on that document, the equivalent for an SSL negotiation policy that references the predefined ELBSecurityPolicy-2011-08 is:
### SSL policies aren't handled natively by TF, so here we go...
# 1. Create a policy of type SSLNegotiationPolicyType that points at the
#    predefined reference policy (a custom policy would instead list
#    Protocol-*/cipher attributes explicitly)
provisioner "local-exec" {
  command = "aws elb create-load-balancer-policy --region ${var.region} --load-balancer-name ${aws_elb.elb-collector-oldssl.name} --policy-name oldssl --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2011-08"
}
# 2. Bind it to the 443 listener; like the backend call, this replaces the
#    listener's whole policy list
provisioner "local-exec" {
  command = "aws elb set-load-balancer-policies-of-listener --region ${var.region} --load-balancer-name ${aws_elb.elb-collector-oldssl.name} --load-balancer-port 443 --policy-names oldssl"
}
Using cipherscan to check the endpoints; first the extant (modern) endpoint:
prio  ciphersuite                  protocols              pfs                  curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits   prime256v1
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits   prime256v1
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits   prime256v1
4     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits   prime256v1
5     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits   prime256v1
6     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits   prime256v1
7     AES128-GCM-SHA256            TLSv1.2                None                 None
8     AES128-SHA256                TLSv1.2                None                 None
9     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                 None
10    AES256-GCM-SHA384            TLSv1.2                None                 None
11    AES256-SHA256                TLSv1.2                None                 None
12    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                 None
13    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                 None
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Cipher ordering: server
Now the endpoint that's set to use the ancient, crufty SSL policy (from above):
prio  ciphersuite               protocols     pfs          curves
1     DHE-RSA-AES256-SHA        SSLv3,TLSv1   DH,1024bits  None
2     DHE-RSA-CAMELLIA256-SHA   SSLv3,TLSv1   DH,1024bits  None
3     AES256-SHA                SSLv3,TLSv1   None         None
4     CAMELLIA256-SHA           SSLv3,TLSv1   None         None
5     DHE-RSA-AES128-SHA        SSLv3,TLSv1   DH,1024bits  None
6     DHE-RSA-CAMELLIA128-SHA   SSLv3,TLSv1   DH,1024bits  None
7     AES128-SHA                SSLv3,TLSv1   None         None
8     CAMELLIA128-SHA           SSLv3,TLSv1   None         None
9     RC4-SHA                   SSLv3,TLSv1   None         None
10    EDH-RSA-DES-CBC3-SHA      SSLv3,TLSv1   DH,1024bits  None
11    DES-CBC3-SHA              SSLv3,TLSv1   None         None
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Cipher ordering: client
So far so good: the oldssl endpoint now offers only SSLv3 and TLSv1, with RC4, 3DES and Camellia suites, 1024-bit DHE groups, no ECDHE and client-side cipher ordering, which is exactly what ELBSecurityPolicy-2011-08 specifies (and exactly why this policy must only ever be attached to the legacy collector's listener, never the modern one). One thing the negotiation policy does not touch is the certificate: both endpoints present a cert with a sha256WithRSAEncryption signature, so if the legacy clients cannot validate SHA-256 signatures it's possible (likely?) that a new cert will need to be generated that uses SHA1 instead of SHA256. Test that against a real legacy client before reissuing anything.
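To turn the eyeballing of the two cipherscan tables above into a repeatable check (for instance a CI job that scans each ELB and fails if the modern endpoint ever regresses to the oldssl profile), here is an added parser and audit for cipherscan's text output. It is example code written for this page, not part of cipherscan or of our Terraform; the sample scans embedded below are abridged copies of the two tables above, and the finding labels and the 2048-bit DH threshold are this example's own choices.

```python
"""Audit cipherscan output for the weaknesses visible in the two ELB scans
above: legacy protocols (SSLv3/TLSv1/TLSv1.1), RC4, 3DES, DH groups below
2048 bits, suites without forward secrecy, client-side cipher ordering and
missing OCSP stapling.  Added example, not cipherscan's own code."""
import re
from dataclasses import dataclass, field

# Sample inputs: abridged copies of the two cipherscan runs shown above
# (constructed from the page's output; rows omitted to keep this short).
MODERN_SCAN = """\
prio  ciphersuite                  protocols              pfs                  curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits   prime256v1
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits   prime256v1
7     AES128-GCM-SHA256            TLSv1.2                None                 None
13    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                 None
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Cipher ordering: server
"""

OLDSSL_SCAN = """\
prio  ciphersuite               protocols     pfs          curves
1     DHE-RSA-AES256-SHA        SSLv3,TLSv1   DH,1024bits  None
3     AES256-SHA                SSLv3,TLSv1   None         None
9     RC4-SHA                   SSLv3,TLSv1   None         None
10    EDH-RSA-DES-CBC3-SHA      SSLv3,TLSv1   DH,1024bits  None
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Cipher ordering: client
"""

# One table row: prio, suite, comma-separated protocols, pfs, optional curves.
SUITE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_DH_BITS = 2048  # example threshold; 1024-bit DH is what the old policy uses


@dataclass
class Suite:
    prio: int
    name: str
    protocols: list
    pfs: str      # e.g. "ECDH,P-256,256bits", "DH,1024bits" or "None"
    curves: str


@dataclass
class Scan:
    suites: list = field(default_factory=list)
    cipher_ordering: str = "unknown"
    ocsp_stapling: str = "unknown"


def parse_cipherscan(text: str) -> Scan:
    """Parse the suite table and the footer lines of one cipherscan run."""
    scan = Scan()
    for raw in text.splitlines():
        line = raw.strip()
        m = SUITE_RE.match(line)
        if m:
            prio, name, protos, pfs, curves = m.groups()
            scan.suites.append(Suite(int(prio), name, protos.split(","), pfs, curves or "None"))
        elif line.startswith("Cipher ordering:"):
            scan.cipher_ordering = line.split(":", 1)[1].strip()
        elif line.startswith("OCSP stapling:"):
            scan.ocsp_stapling = line.split(":", 1)[1].strip()
    return scan


def protocols_offered(scan: Scan) -> set:
    """Union of protocol versions negotiable with any suite."""
    return {p for s in scan.suites for p in s.protocols}


def audit(scan: Scan) -> list:
    """Return the sorted, de-duplicated list of findings for one endpoint."""
    findings = set()
    for s in scan.suites:
        for p in s.protocols:
            if p in LEGACY_PROTOCOLS:
                findings.add(f"legacy protocol {p}")
        if "RC4" in s.name:
            findings.add("RC4 offered")
        if "DES-CBC3" in s.name:
            findings.add("3DES offered")
        if s.pfs == "None":
            findings.add("non-PFS suite offered")
        dh = re.match(r"DH,(\d+)bits", s.pfs)   # plain DH only; ECDH starts with "ECDH,"
        if dh and int(dh.group(1)) < MIN_DH_BITS:
            findings.add(f"DH group below {MIN_DH_BITS} bits ({dh.group(1)})")
    if scan.cipher_ordering != "server":
        findings.add("client-side cipher ordering")
    if scan.ocsp_stapling.startswith("not"):
        findings.add("OCSP stapling not supported")
    return sorted(findings)


def audit_text(text: str) -> list:
    return audit(parse_cipherscan(text))


if __name__ == "__main__":
    for label, text in (("modern", MODERN_SCAN), ("oldssl", OLDSSL_SCAN)):
        print(label, sorted(protocols_offered(parse_cipherscan(text))))
        for finding in audit_text(text):
            print("  -", finding)
```

Run it against a live scan with `cipherscan host:443 | python3 audit.py` after swapping the embedded samples for `sys.stdin.read()`; the point of keeping findings as a sorted list is that a CI job can diff them against an allow-list per endpoint (the oldssl collector is expected to trip every check, the modern endpoint only the TLSv1/3DES/OCSP ones seen above).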