Scoring A+ for SSL Labs on My Cloudfront-Hosted Static Website
I previously covered how I scored A+ for security headers on my site, which uses AWS CloudFront. I didn’t touch on scoring A+ for your TLS configuration though.
The industry standard checker for this is Qualys SSL Labs. As I discovered on Twitter yesterday, it now caps your grade at a B if you leave the deprecated TLS 1.0 or 1.1 enabled.
CloudFront is generally good at securing the default configuration, for example by removing broken cipher suites. I think my site was previously an A+, but with this change the default configuration is now capped at B.
Disabling TLS 1.0 and 1.1 will lock out very old browsers, but that’s normally worth it. Support will be removed from all major browsers in March 2020.
Without a custom domain name it seems you are stuck on the TLSv1 security policy, which still accepts TLS 1.0, as the docs state:

If the distribution uses the CloudFront domain name such as d111111abcdef8.cloudfront.net (you set CloudFrontDefaultCertificate to true), CloudFront automatically sets the security policy to TLSv1 regardless of the value that you set here.
Thankfully my site uses a custom domain name. I ran the scanner on my site and saw that measly B:
Fixing it
To fix it, I needed to change what the console sensibly calls the distribution’s Security Policy:
In the API it's called MinimumProtocolVersion in the ViewerCertificate configuration.
(Confusingly the console recommends TLSv1.1_2016 while the linked documentation recommends TLSv1.2_2018. I think there’s some internal lag for changing copy at AWS.)
I use CloudFormation to configure my site resources. The syntax there mimics the API, so I needed to set the DistributionConfig.ViewerCertificate.MinimumProtocolVersion property in my CloudFormation template. This looked like:
```yaml
CloudfrontDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Aliases:
        - adamj.eu
      Comment: adamj.eu
      # ...
      ViewerCertificate:
        AcmCertificateArn: !Ref Certificate
        # TLSv1.2_2018 rejects TLS 1.0 and 1.1 handshakes. AWS also offers the
        # stricter TLSv1.2_2019 and TLSv1.2_2021 policies.
        MinimumProtocolVersion: TLSv1.2_2018
        SslSupportMethod: sni-only
```
After deploying this change, I’m back to an A+!
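Two checks are worth automating around this change: catching a capped security policy in the template before deploying, and confirming from the outside that TLS 1.0 and 1.1 handshakes are actually refused afterwards. The script below is an added example (my own code, not from the original post or from AWS). The POLICY_FLOOR table records the lowest protocol each CloudFront security policy accepts; treating an unset MinimumProtocolVersion as the TLSv1 policy is an assumption, consistent with the default configuration scoring a B. The sample template is constructed to mirror the CloudFormation above, as a plain dict (what json.load gives for a JSON template, with !Ref as a Ref object); the probe needs network access and uses adamj.eu only as a placeholder host.

```python
"""Added example, not from the original post: a pre-deploy check of a
CloudFormation template and a post-deploy probe of the live host."""
import socket
import ssl
import sys

# Lowest protocol each CloudFront security policy (MinimumProtocolVersion)
# still accepts. Anything that accepts TLS 1.1 or older gets capped at B.
POLICY_FLOOR = {
    "SSLv3": "SSLv3",
    "TLSv1": "TLSv1.0",
    "TLSv1_2016": "TLSv1.0",
    "TLSv1.1_2016": "TLSv1.1",
    "TLSv1.2_2018": "TLSv1.2",
    "TLSv1.2_2019": "TLSv1.2",
    "TLSv1.2_2021": "TLSv1.2",
}
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample: the post's distribution with the fix applied, as a dict
# (what json.load returns for a JSON template; !Ref becomes a Ref object).
SAMPLE_TEMPLATE = {
    "Resources": {
        "CloudfrontDistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {
                "DistributionConfig": {
                    "ViewerCertificate": {
                        "AcmCertificateArn": {"Ref": "Certificate"},
                        "MinimumProtocolVersion": "TLSv1.2_2018",
                        "SslSupportMethod": "sni-only",
                    },
                }
            },
        }
    }
}


def policy_is_capped(policy):
    """True if the named policy still accepts TLS 1.1 or older."""
    return POLICY_FLOOR[policy] in LEGACY


def check_template(template):
    """One finding per AWS::CloudFront::Distribution whose viewer TLS settings
    would be capped at B by SSL Labs; empty list means the template is clean."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CloudFront::Distribution":
            continue
        config = resource.get("Properties", {}).get("DistributionConfig", {})
        cert = config.get("ViewerCertificate") or {}
        if not cert or cert.get("CloudFrontDefaultCertificate"):
            findings.append(f"{name}: default cloudfront.net certificate forces the TLSv1 policy")
            continue
        # Assumption: an unset MinimumProtocolVersion behaves like TLSv1, which
        # matches the post's observation that the default configuration gets a B.
        policy = cert.get("MinimumProtocolVersion", "TLSv1")
        if policy not in POLICY_FLOOR:
            findings.append(f"{name}: unknown security policy {policy!r}")
        elif policy_is_capped(policy):
            findings.append(f"{name}: {policy} still accepts {POLICY_FLOOR[policy]}")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with each protocol pinned as both minimum and maximum and
    return {version: accepted}. Certificate checks are off because this tests
    protocol support, not identity. Needs network access."""
    versions = [("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)]
    results = {}
    for label, version in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = version
        try:
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower
            # it so that a failed handshake really is the server saying no.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # cipher-string syntax not understood (e.g. LibreSSL)
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[label] = True
        except (ssl.SSLError, OSError):
            results[label] = False
    return results


def grade_cap(results):
    """'B' if the server accepted any legacy protocol, else 'A-range'."""
    return "B" if any(results.get(v) for v in LEGACY) else "A-range"


if __name__ == "__main__":
    print("template findings:", check_template(SAMPLE_TEMPLATE) or "none")
    host = sys.argv[1] if len(sys.argv) > 1 else "adamj.eu"  # placeholder host
    accepted = probe(host)
    for label, ok in accepted.items():
        print(f"{host} {label}: {'accepted' if ok else 'rejected'}")
    print("SSL Labs cap:", grade_cap(accepted))
```

Run it as `python check_tls.py yourdomain.example` after the CloudFormation change has propagated; a distribution still on TLSv1 shows TLS 1.0 and 1.1 as accepted, and the "B" cap is reported without waiting for a full SSL Labs scan. If your local OpenSSL has TLS 1.0/1.1 compiled out entirely, those rows will read "rejected" regardless of the server, so confirm with SSL Labs itself before trusting an all-clear.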
Further Reading
- TLS version history on Wikipedia - including links to deprecation articles.
- Back in May last year Scott Helme deprecated TLS 1.0 and 1.1 on his site by adding a banner using Cloudflare Workers. The equivalent might be possible on CloudFront using Lambda@Edge, as I use for my security headers.
Related posts:
- Scoring A+ for Security Headers on My Cloudfront-Hosted Static Website
- How to Score A+ for Security Headers on Your Django Website
- Validating CloudFormation Templates With cfn-lint
Tags: aws, cloudformation