Amazon ELB Protocols & Ciphers for PCI Compliance

If you are terminating SSL on Amazon’s Elastic Load Balancer  and need PCI Compliance, these are the protocols and ciphers I used that passed PCI Compliance

SSL Protocols

  • Protocol-SSLv3
  • Protocol-TLSv1.1
  • Protocol-TLSv1.2

SSL Ciphers

  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA

Adding RC4-MD5 & RC4-SHA and a few others will not fail a PCI scan however they come up as low vulnerabilities with CVSS  scores averaging 2.6. I was aiming for an all-zeros scan result.
Not enabling these had no knock on effects.

You can also run a Qualys SSL Lab test – https://www.ssllabs.com/ssltest/ to check your protocols & ciphers before running a full PCI scan.

Using the SSL Lab test tool and Nessus I was able to achieve an all-zeros PCI scan and an A rating SSL Certificate test