I guess it’s probably the same answer, it’s working as intended and even
with passthrough the load balancer certificate does not match the backend
server so it still throws the warning which makes sense.

On February 17, 2017 at 7:20:14 PM, Sam Crowell (crowes...@gmail.com) wrote:

Thanks for the response Daniel.  What is the best way to handle SSL traffic
through a load balancer to maintain original client certificates?  Just use
mode TCP and passthrough?  Is there a way to do that without turning off
hostname verifier at the client level?

Thanks,
Sam

On February 17, 2017 at 7:13:23 PM, Daniel Schneller (
daniel.schnel...@centerdevice.com) wrote:

Sam,

This not working the way you would like is the corner stone and one of the
key features of TLS. It is designed to ensure there is nothing in the
middle between the client and the server. If you need to inspect the
traffic, by definition you cannot without the clients trusting your
certificate (or its issuing authority as a whole).
To be precise, you can't pose as the real server, because for that you
would not need the public certificate of the server (which you can easily
get), but its private key. By definition, you won't be able to get a hold
of it, as the real server alone has it.

All inspecting TLS proxies communicate with their own private
key/certificate pair with the client. There is no way around that.

Regards,
Daniel


> On 18 Feb 2017, at 00:47, Sam Crowell <crowes...@gmail.com> wrote:
>
> Is there a way to do SSL termination at the load balancer, but then send
the original certificate to the backend server? I have seen plenty of notes
and configs for SSL passthrough and SSL termination with re-encryption by
the load balancer certificate.
>
> Even with passthrough, I still have to disable hostname verifier because
the backend server doesn't match the load balancer certificate.
>
> I know there has to be a way to do this, I just can't find it in the
documentation or on the internet.
>
> Thanks for the help and keep up the great work.
>
> Thanks,
> Paul
>

Reply via email to