SSL_PROTOCOLS_OVERRIDE: Control SSL / TLS Protocols
The SSL_PROTOCOLS_OVERRIDE variable lets you customize the SSL Protocols allowed on your Endpoint.
Available protocols depend on your Endpoint platform:
- For ALB Endpoints: you can choose from these 8 combinations:
TLSv1 TLSv1.1 TLSv1.2(default)TLSv1 TLSv1.1 TLSv1.2 PFSTLSv1.1 TLSv1.2TLSv1.1 TLSv1.2 PFSTLSv1.2TLSv1.2 PFSTLSv1.2 PFS TLSv1.3(see note below comparing ciphers toTLSv1.2 PFS)TLSv1.3
PFS ensures your Endpoint’s ciphersuites support perfect forward secrecy on TLSv1.2 or earlier. TLSv1.3 natively includes perfect forward secrecy.
Note for TLSv1.2 PFS TLSv1.3, compared to ciphers for TLSv1.2 PFS, this adds TLSv1.3 ciphers and omits the following:- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES256-SHA
- For Legacy ELB endpoints: the format is Nginx’s ssl_protocols directive. Pay very close attention to the format! A bad variable will prevent the proxies from starting.
The format for ALBs and ELBs is effectively identical: the only difference is the supported protocols. This means that if you have both ELB Endpoints and ALB Endpoints on a given app, or if you’re upgrading from ELB to ALB, things will work as expected as long as you use protocols supported by ALBs, which are stricter.
SSL_CIPHERS_OVERRIDE: Control ciphers
This variable is only available on Legacy ELB endpoints. On ALB Endpoints, you normally don’t need to customize the ciphers available.
DISABLE_WEAK_CIPHER_SUITES: an opinionated policy for ELBs
This variable is only available on Legacy ELB endpoints. On ALB Endpoints, weak ciphers are disabled by default, so that setting has no effect.
true (it has to be the exact string true) causes your Endpoint to stop accepting traffic over the SSLv3 protocol or using the RC4 cipher.
We strongly recommend setting this variable to true on all ELB Endpoints nowadays. Or, better, yet, upgrade to ALB Endpoints, where that’s the default.