Can an Amazon ELB break mutual TLS authentication?
I have a service running behind an ELB on AWS Fargate as a docker container with nginx inside it on port 443 (https).
I have added client certificates to my nginx.conf:
ssl_verify_client on;                                     # require and verify a client certificate
ssl_verify_depth 2;                                       # maximum chain length checked above the client cert
ssl_client_certificate "/etc/pki/nginx/clientcert.pem";   # CA bundle that client certificates must chain to
I test the docker container both locally and deployed on AWS Fargate.
# -state prints each handshake state transition, -debug dumps the raw records
openssl s_client -connect localhost:8443 -state -debug >local.log 2>&1
openssl s_client -connect my.aws.site.net:443 -state -debug >fargate.log 2>&1
When I run the docker container on my own machine, I see it requests certs, but not on Fargate.
Now, on Fargate there is an elastic load-balancer (ELB) between me and my docker container. This ELB swaps out the certificate with its own. In effect the ELB reads the HTTPS response from my container, decrypts it and then re-encrypts it with its own public certificates (is this called TLS Termination?). I am wondering if it is also possible the ELB scrubs out any client certificate requests?
Edit: Maybe this is relevant - AWS EC2 Application Load Balancer + Two-Way SSL?
Solution 1:[1]
I think what happens is if you are using ALB it would terminate the SSL. However if you don't want SSL to be terminated at Load Balancer and instead at your NGINX server you can use NLB which I believe won't terminate the SSL.
Solution 2:[2]
After some more research, I have become convinced that it does indeed break mTLS simply because it terminates the TLS connection so we don't really have a TLS connection between the client and our backend server.
We have two separate TLS connections - one between client and ELB, and one between the ELB and our server.
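One way to turn the two s_client captures from the question into a yes/no answer, as an added example that is not part of the question or either answer: the script scans the `-state` lines for the "read server certificate request" transition and the "Acceptable client certificate CA names" summary that OpenSSL prints when a CertificateRequest message arrives, and it compares the issuer of the certificate each endpoint presents. If the remote hop presents a different certificate and never forwards a CertificateRequest, there are two TLS sessions and the client certificate check configured in nginx can only ever apply to the second one. The two logs embedded below are constructed to resemble local.log and fargate.log; the hostnames and CA names in them are placeholders, not real captures.

```python
import re

# Constructed sample of `openssl s_client -state` output against the container run
# locally, where nginx (ssl_verify_client on) answers the handshake directly.
LOCAL_LOG = """\
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
---
subject=CN = localhost
issuer=CN = example-internal-ca
---
Acceptable client certificate CA names
CN = example-internal-ca
"""

# Constructed sample of the same command against a TLS-terminating load balancer:
# a different certificate is presented and no CertificateRequest is ever read.
FARGATE_LOG = """\
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
---
subject=CN = my.aws.site.net
issuer=CN = example-public-ca
---
No client certificate CA names sent
"""

# State line OpenSSL prints on reading a CertificateRequest (TLS 1.2 and 1.3 wording
# both end this way), and the s_client summary line printed when CA names were sent.
CERT_REQUEST_STATE = re.compile(r"read server certificate request")
CA_NAMES_SENT = re.compile(r"^Acceptable client certificate CA names")
ISSUER_LINE = re.compile(r"^issuer=(.*)$")


def server_requested_client_cert(log_text):
    """True if the handshake in this log contained a CertificateRequest."""
    for raw in log_text.splitlines():
        line = raw.strip()
        if CERT_REQUEST_STATE.search(line) or CA_NAMES_SENT.match(line):
            return True
    return False


def presented_issuer(log_text):
    """Issuer DN of the certificate the peer presented, or None if not printed."""
    for raw in log_text.splitlines():
        match = ISSUER_LINE.match(raw.strip())
        if match:
            return match.group(1).strip()
    return None


def compare_logs(local_log, remote_log):
    """Summarise whether mTLS survives the path to the remote endpoint."""
    local_req = server_requested_client_cert(local_log)
    remote_req = server_requested_client_cert(remote_log)
    local_issuer = presented_issuer(local_log)
    remote_issuer = presented_issuer(remote_log)
    return {
        "local_requests_client_cert": local_req,
        "remote_requests_client_cert": remote_req,
        "local_issuer": local_issuer,
        "remote_issuer": remote_issuer,
        # A hop in front of the container is terminating TLS when it presents a
        # different certificate and never forwards the CertificateRequest.
        "tls_terminated_in_front": local_issuer != remote_issuer and not remote_req,
        # mTLS is only end to end if the client is asked for a cert on both paths.
        "mtls_end_to_end": local_req and remote_req,
    }


if __name__ == "__main__":
    for key, value in compare_logs(LOCAL_LOG, FARGATE_LOG).items():
        print(f"{key}: {value}")
```

With an NLB passing TCP through to the container, both signals flip: the container's own certificate is presented on the remote path and the CertificateRequest line appears in both logs, which is the condition `mtls_end_to_end` checks.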
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
---|---
Solution 1 | Vijay Panchal
Solution 2 | sashoalm