Class SslPolicy
Elastic Load Balancing provides the following security policies for Application Load Balancers.
Inheritance
Namespace: Amazon.CDK.AWS.ElasticLoadBalancingV2
Assembly: Amazon.CDK.AWS.ElasticLoadBalancingV2.dll
Syntax (csharp)
public sealed class SslPolicy : Enum
Syntax (vb)
Public NotInheritable Class SslPolicy
Inherits
Enum
Remarks
We recommend the Recommended policy for general use. You can use the ForwardSecrecy policy if you require Forward Secrecy (FS).
You can use one of the TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.
See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
Examples
using Amazon.CDK.AWS.Route53;
using Amazon.CDK.AWS.CertificateManager;
using Amazon.CDK.AWS.EC2;
using Amazon.CDK.AWS.ECS;
using Amazon.CDK.AWS.ECS.Patterns;
using Amazon.CDK.AWS.ElasticLoadBalancingV2;

// Existing VPC and ECS cluster supplied by the surrounding stack.
Vpc vpc;
Cluster cluster;

var domainZone = HostedZone.FromLookup(this, "Zone", new HostedZoneProviderProps { DomainName = "example.com" });
var certificate = Certificate.FromCertificateArn(this, "Cert", "arn:aws:acm:us-east-1:123456:certificate/abcdefg");

var loadBalancedFargateService = new ApplicationLoadBalancedFargateService(this, "Service", new ApplicationLoadBalancedFargateServiceProps {
    Vpc = vpc,
    Cluster = cluster,
    Certificate = certificate,
    // TLS security policy applied to the HTTPS listener that the pattern creates.
    SslPolicy = SslPolicy.RECOMMENDED,
    DomainName = "api.example.com",
    DomainZone = domainZone,
    // Also create an HTTP listener that redirects clients to HTTPS.
    RedirectHTTP = true,
    TaskImageOptions = new ApplicationLoadBalancedTaskImageOptions {
        Image = ContainerImage.FromRegistry("amazon/amazon-ecs-sample")
    }
});
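A second example, added here and not part of the CDK documentation, shows the same policy choice on a hand-built Application Load Balancer: the HTTPS listener is pinned to FORWARD_SECRECY_TLS12_RES_GCM and a plain HTTP listener only redirects to it. The `vpc` and `appTarget` variables and the certificate ARN are assumed placeholders supplied by the surrounding stack.

```csharp
using Amazon.CDK.AWS.EC2;
using Amazon.CDK.AWS.ElasticLoadBalancingV2;

// Assumed: an existing VPC and a registrable target (for example an Auto Scaling
// group) provided by the surrounding stack. The certificate ARN is a placeholder.
IVpc vpc;
IApplicationLoadBalancerTarget appTarget;

var alb = new ApplicationLoadBalancer(this, "Alb", new ApplicationLoadBalancerProps {
    Vpc = vpc,
    InternetFacing = true
});

// HTTPS listener restricted to TLS 1.2 with strong forward-secrecy GCM ciphers only.
// Clients that cannot negotiate one of those suites are refused at the handshake.
var httpsListener = alb.AddListener("Https", new BaseApplicationListenerProps {
    Port = 443,
    Certificates = new[] {
        ListenerCertificate.FromArn("arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER")
    },
    SslPolicy = SslPolicy.FORWARD_SECRECY_TLS12_RES_GCM,
    Open = true
});
httpsListener.AddTargets("App", new AddApplicationTargetsProps {
    Port = 8080,
    Targets = new[] { appTarget }
});

// Plain HTTP listener whose only default action is a permanent redirect to HTTPS,
// so no application traffic is served over cleartext.
alb.AddListener("Http", new BaseApplicationListenerProps {
    Port = 80,
    DefaultAction = ListenerAction.Redirect(new RedirectOptions {
        Protocol = "HTTPS",
        Port = "443",
        Permanent = true
    })
});
```

Swap in one of the TLS11 or TLS12 policies where a compliance baseline or a legacy client population requires it; the listener shape stays the same.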
Synopsis
Fields
Name | Description |
---|---|
FORWARD_SECRECY | Forward secrecy ciphers only. |
FORWARD_SECRECY_TLS11 | Forward secrecy ciphers only with TLS1.1 and higher. |
FORWARD_SECRECY_TLS12 | Forward secrecy ciphers and TLS1.2 only. |
FORWARD_SECRECY_TLS12_RES | Strong forward secrecy ciphers and TLS1.2 only. |
FORWARD_SECRECY_TLS12_RES_GCM | Strong forward secrecy ciphers and TLS1.2 only (2020 edition). Same as FORWARD_SECRECY_TLS12_RES, but only supports GCM versions of the TLS ciphers. |
LEGACY | Support for DES-CBC3-SHA. |
RECOMMENDED | The recommended security policy. |
TLS11 | TLS1.1 and higher with all ciphers. |
TLS12 | TLS1.2 only and no SHA ciphers. |
TLS12_EXT | TLS1.2 only with all ciphers. |
value__ | Underlying System.Int32 value. |
Fields
FORWARD_SECRECY
Forward secrecy ciphers only.
public const SslPolicy FORWARD_SECRECY
Field Value
Type | Description |
---|---|
SslPolicy |
FORWARD_SECRECY_TLS11
Forward secrecy ciphers only with TLS1.1 and higher.
public const SslPolicy FORWARD_SECRECY_TLS11
Field Value
Type | Description |
---|---|
SslPolicy |
FORWARD_SECRECY_TLS12
Forward secrecy ciphers and TLS1.2 only.
public const SslPolicy FORWARD_SECRECY_TLS12
Field Value
Type | Description |
---|---|
SslPolicy |
FORWARD_SECRECY_TLS12_RES
Strong forward secrecy ciphers and TLS1.2 only.
public const SslPolicy FORWARD_SECRECY_TLS12_RES
Field Value
Type | Description |
---|---|
SslPolicy |
FORWARD_SECRECY_TLS12_RES_GCM
Strong forward secrecy ciphers and TLS1.2 only (2020 edition). Same as FORWARD_SECRECY_TLS12_RES, but only supports GCM versions of the TLS ciphers.
public const SslPolicy FORWARD_SECRECY_TLS12_RES_GCM
Field Value
Type | Description |
---|---|
SslPolicy |
LEGACY
Support for DES-CBC3-SHA.
public const SslPolicy LEGACY
Field Value
Type | Description |
---|---|
SslPolicy |
Remarks
Do not use this security policy unless you must support a legacy client that requires the DES-CBC3-SHA cipher, which is a weak cipher.
RECOMMENDED
The recommended security policy.
public const SslPolicy RECOMMENDED
Field Value
Type | Description |
---|---|
SslPolicy |
TLS11
TLS1.1 and higher with all ciphers.
public const SslPolicy TLS11
Field Value
Type | Description |
---|---|
SslPolicy |
TLS12
TLS1.2 only and no SHA ciphers.
public const SslPolicy TLS12
Field Value
Type | Description |
---|---|
SslPolicy |
TLS12_EXT
TLS1.2 only with all ciphers.
public const SslPolicy TLS12_EXT
Field Value
Type | Description |
---|---|
SslPolicy |
value__
public int value__
Field Value
Type | Description |
---|---|
System.Int32 |