A customer (on basic support) is connecting to an ALB over HTTPS from an internal network and is getting TCP RSTs from the ALB after sending the ClientHello for the TLS handshake. Clients outside of this particular network are able to connect to the ALB over HTTPS with no problem.
After comparing the ssldumps, we noticed the ClientHello from inside the network includes several TLS extensions, whereas the ClientHello from outside the network includes no TLS extensions. The TLS extensions included in the ClientHello are: ec_point_formats, supported_groups, SessionTicket, signature_algorithms, and heartbeat. See the ssldump below.
Separately, the customer noticed a spike in ClientTLSNegotiationErrorCount during testing so I have asked the customer to enable Access Logs for ALB to see if the server-side logs provide any insight.
Does ALB support TLS extensions? If so, which extensions are supported? If not, why?
ClientHello:
New TCP connection #1: X.X.X.X(57358) <-> Y.Y.Y.Y(443)
1 1  0.0821 (0.0821)  C>SV3.1(272)  Handshake
      ClientHello
        Version 3.3
        random[32]=
          ee 55 dd 17 41 98 37 d8 d5 75 04 64 ed 5f 25 31
          70 6a f8 12 7d c6 52 96 af 7c 33 7e e6 ea 0b f6
        cipher suites
          (withheld to preserve space)
        compression methods
          NULL
        extensions
          ec_point_formats
          supported_groups
          SessionTicket
          signature_algorithms
            signature_algorithms[30]=
              06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02
              04 03 03 01 03 02 03 03 02 01 02 02 02 03
          heartbeat
1    0.1657 (0.0835)  S>C  TCP RST