Add new ELBv2 ssl protocols, add small helper script to fetch them (#…
dfangl authored Nov 10, 2023
1 parent c04ff77 commit 5cabac5
Showing 3 changed files with 281 additions and 24 deletions.
262 changes: 239 additions & 23 deletions moto/elbv2/responses.py
Expand Up @@ -7,8 +7,6 @@

SSL_POLICIES = [
{
"name": "ELBSecurityPolicy-2016-08",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
Expand All @@ -29,10 +27,151 @@
{"name": "AES256-SHA256", "priority": 17},
{"name": "AES256-SHA", "priority": 18},
],
"name": "ELBSecurityPolicy-2016-08",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 11},
],
"name": "ELBSecurityPolicy-TLS13-1-2-2021-06",
"ssl_protocols": ["TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 6},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 7},
],
"name": "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
"ssl_protocols": ["TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 11},
{"name": "AES128-GCM-SHA256", "priority": 12},
{"name": "AES128-SHA256", "priority": 13},
{"name": "AES256-GCM-SHA384", "priority": 14},
{"name": "AES256-SHA256", "priority": 15},
],
"name": "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
"ssl_protocols": ["TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 8},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 12},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 13},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 14},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 15},
{"name": "AES128-GCM-SHA256", "priority": 16},
{"name": "AES128-SHA256", "priority": 17},
{"name": "AES128-SHA", "priority": 18},
{"name": "AES256-GCM-SHA384", "priority": 19},
{"name": "AES256-SHA256", "priority": 20},
{"name": "AES256-SHA", "priority": 21},
],
"name": "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06",
"ssl_protocols": ["TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 8},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 12},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 13},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 14},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 15},
{"name": "AES128-GCM-SHA256", "priority": 16},
{"name": "AES128-SHA256", "priority": 17},
{"name": "AES128-SHA", "priority": 18},
{"name": "AES256-GCM-SHA384", "priority": 19},
{"name": "AES256-SHA256", "priority": 20},
{"name": "AES256-SHA", "priority": 21},
],
"name": "ELBSecurityPolicy-TLS13-1-1-2021-06",
"ssl_protocols": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 8},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 12},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 13},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 14},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 15},
{"name": "AES128-GCM-SHA256", "priority": 16},
{"name": "AES128-SHA256", "priority": 17},
{"name": "AES128-SHA", "priority": 18},
{"name": "AES256-GCM-SHA384", "priority": 19},
{"name": "AES256-SHA256", "priority": 20},
{"name": "AES256-SHA", "priority": 21},
],
"name": "ELBSecurityPolicy-TLS13-1-0-2021-06",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
},
{
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
],
"name": "ELBSecurityPolicy-TLS13-1-3-2021-06",
"ssl_protocols": ["TLSv1.3"],
},
{
"name": "ELBSecurityPolicy-TLS-1-2-2017-01",
"ssl_protocols": ["TLSv1.2"],
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
Expand All @@ -47,10 +186,34 @@
{"name": "AES256-GCM-SHA384", "priority": 11},
{"name": "AES256-SHA256", "priority": 12},
],
"name": "ELBSecurityPolicy-TLS-1-2-2017-01",
"ssl_protocols": ["TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 5},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 9},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 12},
{"name": "AES128-GCM-SHA256", "priority": 13},
{"name": "AES128-SHA256", "priority": 14},
{"name": "AES128-SHA", "priority": 15},
{"name": "AES256-GCM-SHA384", "priority": 16},
{"name": "AES256-SHA256", "priority": 17},
{"name": "AES256-SHA", "priority": 18},
],
"name": "ELBSecurityPolicy-TLS-1-1-2017-01",
"ssl_protocols": ["TLSv1.1", "TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
Expand All @@ -71,10 +234,28 @@
{"name": "AES256-SHA256", "priority": 17},
{"name": "AES256-SHA", "priority": 18},
],
"name": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
"ssl_protocols": ["TLSv1.2"],
},
{
"name": "ELBSecurityPolicy-2015-05",
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 5},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 9},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 12},
],
"name": "ELBSecurityPolicy-FS-2018-06",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
Expand All @@ -95,10 +276,10 @@
{"name": "AES256-SHA256", "priority": 17},
{"name": "AES256-SHA", "priority": 18},
],
"name": "ELBSecurityPolicy-2015-05",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
},
{
"name": "ELBSecurityPolicy-TLS-1-0-2015-04",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
Expand All @@ -120,33 +301,68 @@
{"name": "AES256-SHA", "priority": 18},
{"name": "DES-CBC3-SHA", "priority": 19},
],
"name": "ELBSecurityPolicy-TLS-1-0-2015-04",
"ssl_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
},
{
"name": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 5},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 8},
],
"name": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
"ssl_protocols": ["TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 3},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 5},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 9},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 12},
],
"name": "ELBSecurityPolicy-FS-1-1-2019-08",
"ssl_protocols": ["TLSv1.1", "TLSv1.2"],
},
{
"name": "ELBSecurityPolicy-TLS13-1-2-2021-06",
"ssl_protocols": ["TLSv1.2", "TLSv1.3"],
"ciphers": [
{"name": "TLS_AES_128_GCM_SHA256", "priority": 1},
{"name": "TLS_AES_256_GCM_SHA384", "priority": 2},
{"name": "TLS_CHACHA20_POLY1305_SHA256", "priority": 3},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 4},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 5},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 6},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 7},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 9},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 11},
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES128-SHA256", "priority": 3},
{"name": "ECDHE-RSA-AES128-SHA256", "priority": 4},
{"name": "ECDHE-ECDSA-AES128-SHA", "priority": 5},
{"name": "ECDHE-RSA-AES128-SHA", "priority": 6},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 7},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 8},
{"name": "ECDHE-ECDSA-AES256-SHA384", "priority": 9},
{"name": "ECDHE-RSA-AES256-SHA384", "priority": 10},
{"name": "ECDHE-RSA-AES256-SHA", "priority": 11},
{"name": "ECDHE-ECDSA-AES256-SHA", "priority": 12},
],
"name": "ELBSecurityPolicy-FS-1-2-2019-08",
"ssl_protocols": ["TLSv1.2"],
},
{
"ciphers": [
{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "priority": 1},
{"name": "ECDHE-RSA-AES128-GCM-SHA256", "priority": 2},
{"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "priority": 3},
{"name": "ECDHE-RSA-AES256-GCM-SHA384", "priority": 4},
],
"name": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
"ssl_protocols": ["TLSv1.2"],
},
]
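Review bot: SSL_POLICIES is now a pasted snapshot of AWS's describe_ssl_policies output, but nothing in the module records where it came from or how to refresh it, so the next maintainer cannot tell that the reordered keys (name/ssl_protocols now after ciphers) and the new TLS13 entries were produced by scripts/update_ssl_policies.py rather than typed in. A header comment directly above `SSL_POLICIES = [` such as `# Snapshot of elbv2 describe_ssl_policies() from Nov 2023; regenerate with scripts/update_ssl_policies.py instead of editing by hand.` would make that explicit; the module's imports above the list are outside the hunk. Separately, the presence of TLSv1/TLSv1.1 and DES-CBC3-SHA in the legacy policies mirrors what AWS still advertises and is correct for a mock, but it may be worth a one-line comment noting these are reproduced for fidelity, not as recommendations, since this list is what the mock accepts as a listener SslPolicy.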

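--- a/scripts/update_ssl_policies.py
+++ b/scripts/update_ssl_policies.py
@@ -0,0 +1,41 @@
+#!/bin/bash
+import json
+
+import boto3
+import re
+
+CAMEL_CASE_PATTERN = re.compile(r"(?<!^)(?=[A-Z])")
+
+KEY_BLACKLIST = ["SupportedLoadBalancerTypes"]
+
+def camel_case_to_snake_case(name: str):
+    return CAMEL_CASE_PATTERN.sub("_", name).lower()
+
+
+def get_ssl_elb_ssl_policies():
+    elbv2_client = boto3.client("elbv2")
+    return elbv2_client.describe_ssl_policies()["SslPolicies"]
+
+
+def transform_policies(ssl_policies: dict):
+    if isinstance(ssl_policies, list):
+        return [transform_policies(item) for item in ssl_policies]
+    if not isinstance(ssl_policies, dict):
+        return ssl_policies
+    result = {}
+    for key, value in sorted(ssl_policies.items()):
+        if key in KEY_BLACKLIST:
+            continue
+        new_key = camel_case_to_snake_case(key)
+        result[new_key] = transform_policies(value)
+    return result
+
+
+def main():
+    policies = get_ssl_elb_ssl_policies()
+    transformed_policies = transform_policies(policies)
+    print(json.dumps(transformed_policies, indent=4))
+
+
+if __name__ == "__main__":
+    main()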
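Review bot: The first line of the new script is `#!/bin/bash` on a Python file, so running `./scripts/update_ssl_policies.py` directly hands it to bash, which will try to execute `import json` as a shell command (on hosts with ImageMagick installed, `import` is a screenshot utility) instead of failing cleanly; it should read `#!/usr/bin/env python3`. Two smaller points: `import re` is stdlib and belongs next to `import json` rather than after `import boto3`, and `transform_policies` is annotated `ssl_policies: dict` yet is first called with the list returned by `describe_ssl_policies()["SslPolicies"]`, so the annotation should be widened (e.g. `ssl_policies: object`) to match the list branch it handles. Since `boto3.client("elbv2")` takes region and credentials from the ambient environment, a short module docstring saying the script reads the live policy list from whatever account/region the caller's credentials resolve to, needs only read access to DescribeSSLPolicies, and that `SupportedLoadBalancerTypes` is dropped deliberately because the mock does not model it, would spare the next user a failed run.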
2 changes: 1 addition & 1 deletion tests/test_elbv2/test_elbv2.py
Expand Up @@ -1120,7 +1120,7 @@ def test_describe_ssl_policies():
client = boto3.client("elbv2", region_name="eu-central-1")

resp = client.describe_ssl_policies()
assert len(resp["SslPolicies"]) == 7
assert len(resp["SslPolicies"]) > 0

resp = client.describe_ssl_policies(
Names=["ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-2016-08"]
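Review bot: Loosening the assertion to `len(resp["SslPolicies"]) > 0` on the changed line makes the test pass for any non-empty list, so a truncated or mis-pasted SSL_POLICIES would no longer be caught, and nothing here verifies that the policies this commit adds are actually served. Assert membership of the new names instead, e.g. `names = {p["Name"] for p in resp["SslPolicies"]}` followed by `assert {"ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-3-2021-06"} <= names`, and ideally check that the TLS13-1-3 entry reports `SslProtocols == ["TLSv1.3"]` so protocol data is exercised too. test_describe_ssl_policies continues below the hunk.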
