AWS re:Post Knowledge Center Feedback Survey

Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.

How can I determine if my load balancer supports SSL/TLS renegotiation?

1 minute read

I want to determine if my load balancer supports Secure Sockets Layer/Transport Layer Security (SSL/TLS) renegotiation.

Resolution

Support of SSL/TLS renegotiation varies by the load balancer type:

Classic Load Balancers: Classic Load Balancers support secure client-initiated renegotiations for inbound SSL/TLS client connections. They also support server-initiated renegotiation for the backend SSL/TLS connection.

Note: To turn off client-initiated renegotiations for inbound SSL/TLS connections, migrate to an Application Load Balancer where these renegotiations aren't supported.
Application Load Balancers: Application Load Balancers support SSL/TLS renegotiation for target connections. They don't support client-initiated renegotiations for inbound SSL client connections.

Note: Application Load Balancers support client-initiated resumptions for inbound SSL client connections.
Network Load Balancers: Network Load Balancers don't support SSL/TLS renegotiation.

All load balancers support session resumption. However, only Network Load Balancers support resumption of an SSL session with a different IP address that's associated with the same load balancer.

Related Information

Update the SSL negotiation configuration of your Classic Load Balancer

Security policies for your Application Load Balancer

Topics: Networking & Content Delivery
Tags: Elastic Load Balancing
Language: English

AWS OFFICIALUpdated 17 days ago

2 Comments

Hello, I would like to clarify this:

Application Load Balancers: Application Load Balancers support SSL/TLS renegotiation for target connections. They don't support client-initiated renegotiations for incoming SSL client connections.

Does it means that an external application calling an endpoint served through ALB wont be able to renegociate TLS? (and have to do full negotiation on every new connection)

Best.

Mauricio

replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

MODERATOR

AWS Official

replied 3 months ago

Relevant content

How to enable SSL Renegotiation on ALB to accept a self signed certificate?
Accepted Answer
rePost-User-8075085
asked 2 years ago
Does VPN Site to Site uses the LifeSize renegotiation option, I don't see it in the configuration values?
Accepted Answer
IssacG
asked a year ago
How to determine target group health check settings ?
JerryTsai
asked a year ago
Load Balancing HTTPS (port 443) is 'unhealthy' , but HTTP (port 80) is 'healthy'
Accepted Answer
mark
asked 3 years ago
Getting this AWS account currently does not support creating load balancers. For more information, please contact AWS Support.
Billbxa
asked 4 months ago
Do Classic Load Balancers, Application Load Balancers, and Network Load Balancers support SSL/TLS session resumption?
AWS OFFICIALUpdated 3 years ago
Why do I get a client SSL/TLS negotiation error when I connect to my load balancer?
AWS OFFICIALUpdated 7 months ago
How do I troubleshoot TCP connectivity issues on my Network Load Balancer?
AWS OFFICIALUpdated a year ago
How do I troubleshoot 503 (service unavailable) errors from my Application Load Balancer?
AWS OFFICIALUpdated 4 years ago
Why do SSL/TLS negotiation errors occur when connecting to an Application Load Balancer over HTTPS, and how can I identify the responsible client IP?
SUPPORT ENGINEER
Sarah Park
published 9 months ago