Do Classic Load Balancers, Application Load Balancers, and Network Load Balancers support SSL/TLS session resumption?


I want to know if Classic Load Balancers, Application Load Balancers, and Network Load Balancers support Secure Sockets Layer/Transport Layer Security (SSL/TLS) session resumption.

Resolution

All types of load balancers support SSL/TLS session resumption. However, the connection methods that they support vary.

SSL/TLS connection methods

There are two types of TLS handshakes: full and abbreviated. The full handshake is performed only once. After the handshake, the client establishes an SSL/TLS session with the server. On subsequent connections, the abbreviated handshake is used to resume the previously negotiated session more quickly.

There are two ways to establish or resume a TLS connection:

  • SSL session IDs – This method is based on both the client and server keeping session security parameters for a period of time after a fully negotiated connection ends. A server that intends to use session resumption assigns a unique identifier for the session, called the session ID. The server then returns the session ID to the client in the ServerHello message. To resume an earlier session, the client must submit the appropriate session ID in its ClientHello message. If the server finds the corresponding session in its cache and accepts the request, then the server returns the same session identifier. The server then continues with the abbreviated SSL handshake. Otherwise, the server issues a new session identifier and switches to a full handshake.
  • SSL session tickets – This method doesn't require server-side storage. The server gathers all session data, encrypts it, and then returns it to the client in the form of a ticket. On subsequent connections, the client submits the ticket back to the server. Then, the server checks the ticket integrity, decrypts the contents, and uses the information in it to resume the session. If the server or client doesn't support this extension, then they fall back to the session identifier mechanism built into SSL.

Supported SSL/TLS connection methods for each load balancer type

Classic Load Balancers

Classic Load Balancers support session ID-based SSL/TLS session resumption but don't support session ticket-based SSL session resumption. SSL session caching is supported at the node level. For example, suppose that a client connects to node B using the SSL session ID received from node A. When this happens, the SSL handshake reverts to a full handshake. After that, a new SSL session ID is generated by node B.

Application Load Balancers

Application Load Balancers support both session ID and session ticket-based SSL session resumption. Both session IDs and session tickets are supported at the node level. For example, suppose that a client connects to node B using the SSL session ID or session ticket received from node A. When this happens, the SSL handshake reverts to a full handshake. After that, a new SSL session ID and session ticket are generated by node B.

Network Load Balancers

Network Load Balancers support only session tickets for session resumption. Resumption using session tickets is supported at the Regional level. Clients can resume TLS sessions with a Network Load Balancer using any of its IP addresses.
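The following is an added example, not AWS code, that models the behaviour described in the two sections above: session IDs live in a node-local cache, tickets are self-contained and only a node holding the minting key can accept them. It assumes that "Regional level" for Network Load Balancers means the nodes share one ticket key, and it simplifies ticket protection to an HMAC tag (real tickets are also encrypted).

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

TAG_LEN = 32  # HMAC-SHA256 tag appended to each ticket (constructed, simplified)


@dataclass
class Node:
    """One load balancer node. Session IDs live in a node-local cache;
    tickets are accepted only if this node holds the key that minted them."""
    name: str
    caches_ids: bool = True      # False models an NLB: no session IDs offered
    ticket_key: bytes = b""      # empty: this node does not issue tickets
    id_cache: dict = field(default_factory=dict)

    def full_handshake(self, params: str):
        """Full handshake: returns the (session_id, ticket) the client stores."""
        sid = secrets.token_bytes(32) if self.caches_ids else None
        if sid:
            self.id_cache[sid] = params
        ticket = None
        if self.ticket_key:
            body = params.encode()
            ticket = body + hmac.new(self.ticket_key, body, hashlib.sha256).digest()
        return sid, ticket

    def client_hello(self, session_id=None, ticket=None):
        """Returns 'abbreviated' if this node can resume, otherwise 'full'."""
        if ticket and self.ticket_key:
            body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
            expected = hmac.new(self.ticket_key, body, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                return "abbreviated"
        if session_id is not None and session_id in self.id_cache:
            return "abbreviated"
        return "full"


def build_nodes(kind: str):
    """Two nodes configured the way this page describes each load balancer type."""
    if kind == "CLB":   # session IDs only, cache per node
        return Node("A"), Node("B")
    if kind == "ALB":   # IDs and tickets, both per node (separate ticket keys)
        return (Node("A", ticket_key=secrets.token_bytes(32)),
                Node("B", ticket_key=secrets.token_bytes(32)))
    if kind == "NLB":   # tickets only; assumption: one key shared Region-wide
        shared = secrets.token_bytes(32)
        return (Node("A", caches_ids=False, ticket_key=shared),
                Node("B", caches_ids=False, ticket_key=shared))
    raise ValueError(kind)


def resumption_outcome(kind: str):
    """Client negotiates with node A, then reconnects to A and to B."""
    a, b = build_nodes(kind)
    sid, ticket = a.full_handshake("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;secret-1")
    return {"same_node": a.client_hello(sid, ticket),
            "other_node": b.client_hello(sid, ticket)}
```

Only the Network Load Balancer model resumes when the client lands on a different node; the other two fall back to a full handshake, matching the text above.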

AWS OFFICIAL. Updated a year ago.