Can an ALB send SNI to the target group?

Question

It seems that when the ALB is attempting to connect with a target server over TLS, that the SNI from the client is not passed in the client hello. Without the SNI, a Windows server will not negotiate a connection protocol. Instead the server will send an RST resulting in a 502 bad gateway error.

Without this setting it is impossible to use the application load balancer with a windows server over TLS.

Answer

Sound alike your performing mutal TLS from the client to the server. If you are you need to use an NLB TCP or and ALB with mtls https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html

Usually a SSL client connects to an ALB and the ALB makes the connection between itself to the target group. The client certificate hello never goes to the server with the standard ALB

If you’re not doing Mtls perhaps you’ve a miss configuration on the target group. You could be trying to use tls on a http port otherwise.

Answer

Gary,
Thank you for taking the time to try to help.  I want to use the ALB because it will allow me to use a WAF.  The Windows Server 2022 target works with SSL from everywhere except from the ALB.  After spending may hours with Wireshark, the only thing I can point to is the missing domain name in the Client Hello.  The server refuses to send a Server Hello to the ALB and instead sends an RST.  I have tried selecting the mTLS option and it does not make a difference.

I cannot find any reason why the ALB should not work with a standard Windows EC2 instance, but it just does not.  This exact configuration was working as expected with Server 2012.

Again, thank you for your reply.

Can an ALB send SNI to the target group?

관련 콘텐츠