How to set "server preference" for TLS cipher suites?

jww asked:

Mozilla has a tool to generate server configurations at Mozilla SSL Configuration Generator. For Amazon Elastic Load Balancing (ELB), the configuration does not appear to have a setting for “use server preference”.

“Use server preference” is an important server-side option because it ensures the server’s choice of cipher suite is used (as opposed to using the client’s cipher suite) (modulo the intersection of them). In Apache, the setting is SSLHonorCipherOrder. In OpenSSL, the setting is SSL_OP_CIPHER_SERVER_PREFERENCE.

What is the ELB setting to ensure the server’s preference for cipher suites is used?

My answer:


Amazon’s predefined security policies already do this.

If you’re trying to use the CloudFormation template that Mozilla gave you, you will see that the attribute is already there.

{
    "Name": "Server-Defined-Cipher-Order",
    "Value": true
},

View the full question and answer on Server Fault.
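
As an added example (not part of the original answer or of Mozilla's generator output), this Python check reads a CloudFormation template and reports, for each Classic ELB SSL negotiation policy, whether Server-Defined-Cipher-Order is set. The sample template, resource names and status labels are constructed for illustration; a policy that only references a predefined security policy is reported as "predefined", following the answer's statement that those policies already enforce server order.

```python
ELB_TYPE = "AWS::ElasticLoadBalancing::LoadBalancer"
SSL_POLICY = "SSLNegotiationPolicyType"
ORDER_ATTR = "Server-Defined-Cipher-Order"

def _is_true(value):
    # Templates carry the flag either as a JSON boolean or as the string "true".
    return str(value).strip().lower() == "true"

def cipher_order_status(policy):
    """Classify one policy: 'enabled', 'disabled', 'predefined' or 'missing'."""
    attrs = {a.get("Name"): a.get("Value") for a in policy.get("Attributes", [])}
    if ORDER_ATTR in attrs:
        return "enabled" if _is_true(attrs[ORDER_ATTR]) else "disabled"
    if attrs.get("Reference-Security-Policy"):
        return "predefined"  # relies on Amazon's predefined policy, per the answer
    return "missing"         # custom policy that never sets the attribute

def audit_template(template):
    """Return {(resource, policy name): status} for every Classic ELB SSL policy."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != ELB_TYPE:
            continue
        for policy in res.get("Properties", {}).get("Policies", []):
            if policy.get("PolicyType") == SSL_POLICY:
                findings[(name, policy.get("PolicyName"))] = cipher_order_status(policy)
    return findings

def _elb(policy_name, attributes):
    # Helper that builds one constructed load balancer resource for the sample.
    return {"Type": ELB_TYPE, "Properties": {"Policies": [
        {"PolicyName": policy_name, "PolicyType": SSL_POLICY, "Attributes": attributes}]}}

# Constructed sample template, not taken from the page.
SAMPLE = {"Resources": {
    "ExplicitElb": _elb("custom-ordered", [
        {"Name": "Protocol-TLSv1.2", "Value": True},
        {"Name": ORDER_ATTR, "Value": True}]),
    "PredefinedElb": _elb("aws-predefined", [
        {"Name": "Reference-Security-Policy", "Value": "ELBSecurityPolicy-2016-08"}]),
    "ClientOrderElb": _elb("custom-unordered", [
        {"Name": "Protocol-TLSv1.2", "Value": "true"},
        {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Value": "true"}]),
    "DisabledElb": _elb("custom-disabled", [{"Name": ORDER_ATTR, "Value": "false"}]),
}}

if __name__ == "__main__":
    for (resource, policy), status in sorted(audit_template(SAMPLE).items()):
        print(f"{resource:15} {policy:17} {status}")
```

Policies reported as "missing" or "disabled" are the ones where the client's cipher ordering would be honoured and the attribute from the answer needs to be added or set to true.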

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.