By using AWS re:Post, you agree to the Terms of Use

ALB TLS Extensions?


A customer (on basic support) is connecting to an ALB over HTTPS from an internal network and is getting TCP RSTs from the ALB after sending the ClientHello for the TLS handshake. Clients outside of this particular network, are able to connect to the ALB over HTTPS with no problem.

After comparing the ssldumps, we noticed the ClientHello from inside the network includes several TLS extensions whereas the ClientHello from outside the network includes no TLS extensions. The TLS extensions included in the ClientHellow are: ec_point_formats, supported_groups, SessionTicket, signature_algorithms, and heartbeat. See the ssldump below.

Separately, the customer noticed a spike in ClientTLSNegotiationErrorCount during testing so I have asked the customer to enable Access Logs for ALB to see if the server-side logs provide any insight.

Does ALB support TLS extensions? If so, which extensions are supported? If not, why?


New TCP connection #1: X.X.X.X(57358) <-> Y.Y.Y.Y(443)
1 1  0.0821 (0.0821)  C>SV3.1(272)  Handshake
        Version 3.3 
          ee 55 dd 17 41 98 37 d8 d5 75 04 64 ed 5f 25 31 
          70 6a f8 12 7d c6 52 96 af 7c 33 7e e6 ea 0b f6 
        cipher suites
          (withheld to preserve space)
        compression methods
              06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 
              04 03 03 01 03 02 03 03 02 01 02 02 02 03 
1    0.1657 (0.0835)  S>C  TCP RST
1 Answer
Accepted Answer

ClientTLSNegotiationErrorCount indicate the number of TLS connections initiated by clients towards the load balancer that were unsuccessful. Generally, this is happens when the client and load balancer could not agree on a cipher/protocol combination.

A few things are missing from the question:

  1. Do you have customer ALB's FQDN?
  2. What client does customer use? That SSL version and cipher suite does it use?
  3. Any particular error message the client saw before ALB RST the connection?

You mention that the issue happens in a particular internal network. Are the clients that same in the external and internal network? Does the internal network has any SSL proxy by any chance?

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions