Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Does ALB send SNI information in TLS handshake to a back-end server

0

I am trying to setup HTTPS end-to-end connection from my browser to a server running on an EC2 instance through ALB. The front-end connection from my browser to ALB goes through fine. But, the ALB to back-end TLS handshake fails as server_name extension (SNI information) is not sent by ALB during TLS Client Hello handshake (as I see in packet-capture).

Is there a way to forward SNI information received from front-end https connection by ALB to the back-end https connection too?

Tags
Application Load Balancer
Sprache
English
mrichanmouli
gefragt vor 2 Jahren3011 Aufrufe
1 Antwort
0

Hello, You mention that you are trying to send SNI information to your backend by the means an ALB. As you mentioned the load balancer does not forward the SNI to the respective targets when the connection is between the load balancer and the target over TLS. The Application Load Balancer does not look for a domain name when processing the TLS handshake with the backend. It is merely there to make sure that you have a valid certificate with the accepted ciphers.

The solution to workaround it would be:

1. Use a NLB with a TCP:443 listener which would pass the SNI extension specified by the client to the targets[1].

2. Making use of ALB SNI abilities to check the Domain name and then forward to different target groups [2].

References:

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html#listener-configuration

[2] https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/

Antonio
beantwortet vor 2 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt