By using AWS re:Post, you agree to the Terms of Use

ALB TLS Extensions?

0

A customer (on basic support) is connecting to an ALB over HTTPS from an internal network and is getting TCP RSTs from the ALB after sending the ClientHello for the TLS handshake. Clients outside of this particular network, are able to connect to the ALB over HTTPS with no problem.

After comparing the ssldumps, we noticed the ClientHello from inside the network includes several TLS extensions whereas the ClientHello from outside the network includes no TLS extensions. The TLS extensions included in the ClientHellow are: ec_point_formats, supported_groups, SessionTicket, signature_algorithms, and heartbeat. See the ssldump below.

Separately, the customer noticed a spike in ClientTLSNegotiationErrorCount during testing so I have asked the customer to enable Access Logs for ALB to see if the server-side logs provide any insight.

Does ALB support TLS extensions? If so, which extensions are supported? If not, why?

ClientHello:

New TCP connection #1: X.X.X.X(57358) <-> Y.Y.Y.Y(443)
1 1  0.0821 (0.0821)  C>SV3.1(272)  Handshake
      ClientHello
        Version 3.3 
        random[32]=
          ee 55 dd 17 41 98 37 d8 d5 75 04 64 ed 5f 25 31 
          70 6a f8 12 7d c6 52 96 af 7c 33 7e e6 ea 0b f6 
        cipher suites
          (withheld to preserve space)
        compression methods
                  NULL
        extensions
          ec_point_formats
          supported_groups
          SessionTicket
          signature_algorithms
            signature_algorithms[30]=
              06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 
              04 03 03 01 03 02 03 03 02 01 02 02 02 03 
          heartbeat
1    0.1657 (0.0835)  S>C  TCP RST
1 Answer
0
Accepted Answer

ClientTLSNegotiationErrorCount indicate the number of TLS connections initiated by clients towards the load balancer that were unsuccessful. Generally, this is happens when the client and load balancer could not agree on a cipher/protocol combination.

A few things are missing from the question:

  1. Do you have customer ALB's FQDN?
  2. What client does customer use? That SSL version and cipher suite does it use?
  3. Any particular error message the client saw before ALB RST the connection?

You mention that the issue happens in a particular internal network. Are the clients that same in the external and internal network? Does the internal network has any SSL proxy by any chance?

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions