
We have an Apache web server with a load balancer and we are planning to upgrade our TLS version from 1.1 to 1.2 due to Chrome compatibility issues.

Currently the load balancer has TLSv1.1 and TLSv1.2 configured and the web server has TLSv1.1 configured.

If we remove TLSv1.1 from the load balancer configuration and leave the web server with TLSv1.1, will this cause any issues? Should my web server's TLS version match the load balancer's TLS version?

  • As Jeroen's answer says, can you provide more details? (maybe you need to do some reading and learn some more about how your environment works). Normally only one entity within the server LAN is "doing" (or "terminating") TLS. Normally the loadbalancer terminates TLS and forwards non-encrypted HTTP. Sometimes the loadbalancer forwards encrypted traffic and the web server terminates the TLS. In this case the LB is more limited because, for example it can't see the `Host:` header. Sometimes the LB terminates and then opens a separate TLS channel to the webserver. How does your setup work? – Mike Ounsworth Dec 08 '20 at 03:01

1 Answer


This depends on how the load balancer is configured.

In my experience load balancers are often configured to do TLS offloading. This means that TLS is stripped at the load balancer and the communication from the load balancer to the web server is over HTTP (and not over HTTPS). In this scenario, your web server is not even accepting HTTP traffic over TLS.

If the above scenario does not apply, all TLS versions should be similar. This means that both should be configured to support TLSv1.2 or better.

Jeroen
  • I.e. in the second case there's no TLS *offloading*. TLS is just terminated to do more precise load balancing, error handling etc. The connection to the Web server is then established through HTTPS again to prevent wiretapping. – ximaera Nov 30 '20 at 06:47
  • There are not 2, but 3 options: 1) HTTPS->LB->HTTP->WS, 2) HTTPS->LB->HTTPS->WS, 3) TCP->LB->TCP->WS. The TLS versions should only match in the third case. – ximaera Nov 30 '20 at 06:40
  • Also if the internal communication is over HTTPS, TLSv1.2 or better should be used anyway. – Jeroen Nov 30 '20 at 06:07
  • I know, that's why I discussed both options. – Jeroen Nov 30 '20 at 06:04
  • "the communication from the load balancer to the web server is over HTTP". Not necessarily. It might go through HTTPS but through a separate connection. – ximaera Nov 30 '20 at 06:03
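The answer and ximaera's comments distinguish three topologies; in case 2 (HTTPS->LB->HTTPS->WS) both hops carry TLS, so both hops need a protocol policy. As an added example that is not part of the question or the answer, here is an Apache 2.4 mod_ssl/mod_proxy configuration for that case, showing the TLSv1.1 setting the question describes beside the TLSv1.2-or-better setting the answer recommends; hostnames and certificate paths are placeholders.

```apache
# Edge (load balancer / reverse proxy) virtual host, Apache 2.4 with mod_ssl and mod_proxy.
# Before: the kind of setting the question describes, still offering TLSv1.1
# (current browsers no longer negotiate it):
#   SSLProtocol TLSv1.1 TLSv1.2

<VirtualHost *:443>
    # placeholder hostname
    ServerName www.example.com
    SSLEngine on
    # placeholder certificate paths
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # After: TLSv1.2 or better on the client-facing side.
    # +TLSv1.3 needs Apache 2.4.36+ built against OpenSSL 1.1.1+; drop it on older builds.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Case 2: the edge re-encrypts to the backend web server, so that hop gets its own policy.
    SSLProxyEngine on
    SSLProxyProtocol -all +TLSv1.2 +TLSv1.3
    # Verify the backend certificate against the internal CA (placeholder path) so the
    # LB-to-WS hop is authenticated, not merely encrypted.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    # placeholder backend name
    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>

# Backend web server virtual host. If this host still allowed only TLSv1.1 while the edge
# offers only TLSv1.2+, the proxy handshake would fail and clients would see 502 errors;
# align it with the edge:
<VirtualHost *:443>
    ServerName backend.internal.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/backend.pem
    SSLCertificateKeyFile /etc/ssl/private/backend.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
```

In case 1 (HTTP between LB and web server) only the edge's `SSLProtocol` matters; in case 3 (TCP passthrough) only the backend's `SSLProtocol` is negotiated with the browser, so that is where TLSv1.1 must be removed.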