TLS offload on Nginx with CloudHSM for *non-HTTPS* protocols


CloudHSM documentation has instructions for setting up TLS offload for HTTPS on Nginx using the AWS OpenSSL Dynamic Engine.

Will this also work for non-HTTPS connections? That is, for plain TLS/TCP socket connections?

We have been told by AWS representatives that it will not. But is that correct? It seems like the crypto operations would still go through OpenSSL and therefore the engine. Or is it a limitation of the AWS OpenSSL Dynamic Engine specifically?

If so, should it instead be possible to use the OpenSC pkcs11 engine talking to the CloudHSM PKCS #11 library? Or is there some limitation of that library too? Has anyone tried this?

CloudHSM is expensive so I'm hoping for some expertise from anyone before having to just try it.

2 Answers
Accepted Answer

Eventually I just tried it. It does work.

You can set up TLS termination in Nginx offloaded to CloudHSM and proxy non-HTTPS TLS connections through Nginx (a stream block with a server containing a proxy_pass directive) to plain TCP on the back-end side.

This is not surprising since the OpenSSL Engine functionality is used for the offload, and OpenSSL doesn't know if it's HTTPS or not.

answered 12 days ago
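For concreteness, here is what that stream-mode setup looks like in nginx.conf. This is an added example, not configuration from the original answer or from the CloudHSM documentation: it assumes the AWS OpenSSL Dynamic Engine is already installed and registered with OpenSSL under the name cloudhsm, that the engine's credential environment variable is exported to the nginx workers (the CloudHSM TLS-offload guide covers both), and that the certificate path, fake-PEM key path, ports and upstream address are placeholders you replace with your own.

```nginx
# Added example (not from the original post or the CloudHSM docs): an nginx
# stream block that terminates TLS for a raw TCP protocol, with the private-key
# operations offloaded to CloudHSM through the AWS OpenSSL Dynamic Engine.
# Assumptions: the engine is installed and known to OpenSSL as "cloudhsm";
# the engine's credential environment variable reaches the nginx workers
# (e.g. via a systemd drop-in) as the CloudHSM guide describes; all paths,
# ports and addresses below are placeholders.

user  nginx;
worker_processes  auto;

# Load the CloudHSM engine globally, the same directive the HTTPS offload
# guide uses. It is a main-context directive, so it applies to the stream
# module exactly as it does to the http module.
ssl_engine cloudhsm;

events {
    worker_connections  1024;
}

stream {
    # Cache TLS sessions across workers: the full handshake is where the
    # HSM-backed private key is exercised, so resumption saves HSM calls.
    ssl_session_cache   shared:STREAM_SSL:10m;
    ssl_session_timeout 10m;

    upstream plaintext_backend {
        # Plain-TCP service behind the proxy (constructed address/port).
        server 10.0.1.10:5432;
    }

    server {
        # Clients speak TLS to this port; there is no HTTP involved.
        listen 5433 ssl;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        # The certificate chain is an ordinary PEM file on disk.
        ssl_certificate     /etc/pki/nginx/server.crt;

        # The "fake PEM" handle file produced when the key was generated in
        # the HSM. The engine: prefix makes OpenSSL hand key loading, and so
        # every private-key signature in the handshake, to the cloudhsm engine.
        # The key material itself never leaves the HSM.
        ssl_certificate_key "engine:cloudhsm:/etc/pki/nginx/private/server.key";

        # TLS ends here; the upstream receives plaintext TCP.
        proxy_pass            plaintext_backend;
        proxy_connect_timeout 5s;
    }
}
```

To check that the offload is actually in effect, run `nginx -t` (it will fail to load the key if the engine or its credentials are missing), then complete a handshake against port 5433 with `openssl s_client -connect <host>:5433 </dev/null` and confirm the handshake shows up in the CloudHSM client logs. Note that the credential environment variable must be present in the worker processes' environment, not just in your shell, or the engine cannot log in to the HSM and nginx will fail at startup rather than at connection time.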


From the correspondence I understand that you would like to know if TLS offloading that is documented for HTTPS would work for non HTTPS TLS connections.

In regards to TLS offloading, we have examples of this for HTTPS using a third-party product such as nginx, apache or openssl, which are not AWS products. These examples would work specifically for HTTPS connections. Ultimately, TLS offloading with a non-HTTPS connection would be possible if there were an integration with a third-party product or a custom solution, as this is not a built-in feature with CloudHSM. Currently AWS does not have an example for use with an SSL connection not using HTTPS at this time.

answered 5 months ago
