Application Load Balancers Now Support Multiple TLS Certificates With Smart Selection Using SNI
Today we’re launching support for multiple TLS/SSL certificates on Application Load Balancers (ALB) using Server Name Indication (SNI). You can now host multiple TLS secured applications, each with its own TLS certificate, behind a single load balancer. In order to use SNI, all you need to do is bind multiple certificates to the same secure listener on your load balancer. ALB will automatically choose the optimal TLS certificate for each client. These new features are provided at no additional charge.
If you’re looking for a TL;DR on how to use this new feature just click here. If you’re like me and you’re a little rusty on the specifics of Transport Layer Security (TLS) then keep reading.
TLS? SSL? SNI?
People tend to use the terms SSL and TLS interchangeably even though the two are technically different. SSL technically refers to a predecessor of the TLS protocol. To keep things simple I’ll be using the term TLS for the rest of this post.
TLS is a protocol for securely transmitting data like passwords, cookies, and credit card numbers. It enables privacy, authentication, and integrity of the data being transmitted. TLS uses certificate based authentication where certificates are like ID cards for your websites. You trust the person that signed and issued the certificate, the certificate authority (CA), so you trust that the data in the certificate is correct. When a browser connects to your TLS-enabled ALB, ALB presents a certificate that contains your site’s public key, which has been cryptographically signed by a CA. This way the client can be sure it’s getting the ‘real you’ and that it’s safe to use your site’s public key to establish a secure connection.
With SNI support we’re making it easy to use more than one certificate with the same ALB. The most common reason you might want to use multiple certificates is to handle different domains with the same load balancer. It’s always been possible to use wildcard and subject alternative name (SAN) certificates with ALB, but these come with limitations. Wildcard certificates only work for related subdomains that match a simple pattern, and while SAN certificates can support many different domains, the same certificate authority has to authenticate each one. That means you have to reauthenticate and reprovision your certificate every time you add a new domain.
One of our most frequent requests on forums, reddit, and in my e-mail inbox has been to use the Server Name Indication (SNI) extension of TLS to choose a certificate for a client. Since TLS operates at the transport layer, below HTTP, it doesn’t see the hostname requested by a client. SNI works by having the client tell the server “This is the domain I expect to get a certificate for” when it first connects. The server can then choose the correct certificate to respond to the client. All modern web browsers and a large majority of other clients support SNI. In fact, today we see SNI supported by over 99.5% of clients connecting to CloudFront.
Smart Certificate Selection on ALB
ALB’s smart certificate selection goes beyond SNI. In addition to containing a list of valid domain names, certificates also describe the type of key exchange and cryptography that the server supports, as well as the signature algorithm (SHA2, SHA1, MD5) used to sign the certificate. To establish a TLS connection, a client starts a TLS handshake by sending a “ClientHello” message that outlines the capabilities of the client: the protocol versions, extensions, cipher suites, and compression methods. Based on what an individual client supports, ALB’s smart selection algorithm chooses a certificate for the connection and sends it to the client. ALB supports both the classic RSA algorithm and the newer, hipper, and faster Elliptic-curve based ECDSA algorithm. ECDSA support among clients isn’t as prevalent as SNI, but it is supported by all modern web browsers. Since it’s faster and requires less CPU, it can be particularly useful for ultra-low latency applications and for conserving the amount of battery used by mobile applications. Since ALB can see what each client supports from the TLS handshake, you can upload both RSA and ECDSA certificates for the same domains and ALB will automatically choose the best one for each client.
Using SNI with ALB
I’ll use a few example websites like VimIsBetterThanEmacs.com and VimIsTheBest.com. I’ve purchased and hosted these domains on Amazon Route 53, and provisioned two separate certificates for them in AWS Certificate Manager (ACM). If I want to securely serve both of these sites through a single ALB, I can quickly add both certificates in the console.
First, I’ll select my load balancer in the console, go to the listeners tab, and select “view/edit certificates”.
Next, I’ll use the “+” button in the top left corner to select some certificates then I’ll click the “Add” button.
There are no more steps. If you’re not really a GUI kind of person you’ll be pleased to know that it’s also simple to add new certificates via the AWS Command Line Interface (CLI) (or SDKs).
aws elbv2 add-listener-certificates --listener-arn <listener-arn> --certificates CertificateArn=<cert-arn>
Things to know
- ALB Access Logs now include the client’s requested hostname and the certificate ARN used. If the “hostname” field is empty (represented by a “-“) the client did not use the SNI extension in their request.
- You can use any of your certificates in ACM or IAM.
- You can bind multiple certificates for the same domain(s) to a secure listener. Your ALB will choose the optimal certificate based on multiple factors including the capabilities of the client.
- If the client does not support SNI your ALB will use the default certificate (the one you specified when you created the listener).
- There are three new ELB API calls: AddListenerCertificates, RemoveListenerCertificates, and DescribeListenerCertificates.
- You can bind up to 25 certificates per load balancer (not counting the default certificate).
- These new features are supported by AWS CloudFormation at launch.
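As an added illustration (not AWS’s code; ALB’s real ranking logic is not published, so the preference order below is an assumption), here is a small Python model of the selection behaviour the post describes: a wildcard name covering exactly one label, the listener’s default certificate for clients that send no SNI, and an ECDSA certificate preferred when the ClientHello advertises support. The certificates and ARNs are constructed samples for the two domains used above.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Cert:
    arn: str        # constructed placeholder ARN, not a real certificate ARN
    names: tuple    # subject name plus SAN entries
    key_type: str   # "RSA" or "ECDSA"

def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name covers the SNI hostname. A wildcard covers
    exactly one leftmost label, so *.example.com matches www.example.com but
    not a.b.example.com or the bare example.com (the limitation noted above)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label

def select_certificate(certs: Sequence[Cert], default: Cert, sni: Optional[str],
                       client_supports_ecdsa: bool) -> Cert:
    """Assumed, simplified ranking: no SNI -> the listener's default cert;
    otherwise a cert covering the name, ECDSA preferred when the ClientHello
    advertises it, RSA only for clients that cannot use ECDSA; no match -> default."""
    if sni is None:
        return default
    candidates = [c for c in certs if any(name_matches(n, sni) for n in c.names)]
    if not client_supports_ecdsa:
        candidates = [c for c in candidates if c.key_type == "RSA"]
    if not candidates:
        return default
    candidates.sort(key=lambda c: 0 if c.key_type == "ECDSA" else 1)
    return candidates[0]

# Constructed sample certificates for the two domains from the post.
VIM_RSA = Cert("arn:example:cert/vim-rsa", ("vimisbetterthanemacs.com", "www.vimisbetterthanemacs.com"), "RSA")
VIM_ECDSA = Cert("arn:example:cert/vim-ecdsa", ("vimisbetterthanemacs.com", "www.vimisbetterthanemacs.com"), "ECDSA")
BEST_WILDCARD = Cert("arn:example:cert/best-wildcard", ("vimisthebest.com", "*.vimisthebest.com"), "RSA")
DEFAULT_CERT = VIM_RSA  # the certificate chosen when the listener was created
LISTENER_CERTS = [VIM_RSA, VIM_ECDSA, BEST_WILDCARD]

if __name__ == "__main__":
    for sni, ecdsa in [(None, True), ("vimisbetterthanemacs.com", True), ("vimisbetterthanemacs.com", False), ("www.vimisthebest.com", True), ("a.b.vimisthebest.com", True)]:
        print(sni, ecdsa, "->", select_certificate(LISTENER_CERTS, DEFAULT_CERT, sni, ecdsa).arn)
```

The last case shows the wildcard limitation in practice: a.b.vimisthebest.com is not covered by *.vimisthebest.com, so the client falls back to the default certificate and would see a name mismatch.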
You can see an example of these new features in action with a set of websites created by my colleague Jon Zobrist: https://www.exampleloadbalancer.com/.
Overall, I will personally use this feature and I’m sure a ton of AWS users will benefit from it as well. I want to thank the Elastic Load Balancing team for all their hard work in getting this into the hands of our users.