AWS elasticloadbalancing documentation change
Summary
Updated mutual TLS documentation to clarify load balancer behavior, added passthrough mode details, removed X.509v1 note, and simplified configuration steps.
Security assessment
The changes clarify security-related mutual TLS authentication mechanisms (passthrough vs verify modes) but do not address a specific vulnerability. The documentation explains security features (certificate validation, revocation checks) but no evidence of patching a security issue.
Diff
diff --git a/elasticloadbalancing/latest/application/mutual-authentication.md b/elasticloadbalancing/latest/application/mutual-authentication.md index 55dd153fb..8fbe5e420 100644 --- a//elasticloadbalancing/latest/application/mutual-authentication.md +++ b//elasticloadbalancing/latest/application/mutual-authentication.md @@ -9 +9 @@ Before you beginHTTP headersAdvertise CA subject nameConnection logs -Mutual TLS authentication is a variation of transport layer security (TLS). Traditional TLS establishes secure communications between a server and client, where the server needs to provide its identity to its clients. With mutual TLS, a load balancer negotiates mutual authentication between the client and the server while negotiating TLS. When you use mutual TLS with Application Load Balancer, you simplify authentication management and reduce the load on your applications. +Mutual TLS authentication is a variation of transport layer security (TLS). Traditional TLS establishes secure communications between a server and client, where the server needs to provide its identity to its clients. With mutual TLS, a load balancer negotiates mutual authentication between the client and the server while negotiating TLS. When you use mutual TLS with your Application Load Balancer, you simplify authentication management and reduce the load on your applications. @@ -11 +11 @@ Mutual TLS authentication is a variation of transport layer security (TLS). Trad -By using mutual TLS with Application Load Balancer, your load balancer can manage client authentication to help ensure that only trusted clients communicate with your backend applications. When you use this feature, Application Load Balancer authenticates clients with certificates from third-party certificate authority (CA) or by using the AWS Private Certificate Authority (PCA), optionally, with revocation checks. Application Load Balancer passes on client certificate information to the backend, which your applications can use for authorization. By using mutual TLS in Application Load Balancer, you can get built-in, scalable, managed authentication for certificate-based entities, that uses established libraries. +By using mutual TLS, your load balancer can manage client authentication to help ensure that only trusted clients communicate with your backend applications. When you use this feature, the load balancer authenticates clients using certificates from third-party certificate authority (CA) or by using the AWS Private Certificate Authority (PCA), optionally, with revocation checks. The load balancer passes the client certificate information to the backend using HTTP headers, which your applications can use for authorization. @@ -13 +13 @@ By using mutual TLS with Application Load Balancer, your load balancer can manag -Mutual TLS for Application Load Balancers provides the following two options for validating your X.509v3 client certificates: +Mutual TLS for Application Load Balancers provides the following options for validating your X.509v3 client certificates: @@ -15 +15 @@ Mutual TLS for Application Load Balancers provides the following two options for -**Note:** X.509v1 client certificates are not supported. + * **Mutual TLS passthrough:** The load balancer sends the entire client certificate chain to the target, without verifying it. Targets should verify the client certificate chain. Then, using the client certificate chain, you can implement the load balancer authentication and target authorization logic in your application. @@ -17 +17 @@ Mutual TLS for Application Load Balancers provides the following two options for - * **Mutual TLS passthrough:** When you use mutual TLS passthrough mode, Application Load Balancer sends the whole client certificate chain to the target using HTTP headers. Then, by using the client certificate chain, you can implement corresponding load balancer authentication and target authorization logic in your application. + * **Mutual TLS verify:** The load balancer performs X.509 client certificate authentication for clients when a load balancer negotiates TLS connections. @@ -19 +18,0 @@ Mutual TLS for Application Load Balancers provides the following two options for - * **Mutual TLS verify:** When you use mutual TLS verify mode, Application Load Balancer performs X.509 client certificate authentication for clients when a load balancer negotiates TLS connections. @@ -23,13 +22 @@ Mutual TLS for Application Load Balancers provides the following two options for - -To get started with mutual TLS in Application Load Balancer using passthrough, you only need to configure the listener to accept any certificates from clients. To use mutual TLS with verification, you must do the following: - - * Create a new trust store resource. - - * Upload your certificate authority (CA) bundle and, optionally, revocation lists. - - * Attach the trust store to the listener that is configured to verify client certificates. - - - - -For step-by-step procedures to configure mutual TLS verify mode with your Application Load Balancer, see [Configuring mutual TLS on an Application Load Balancer](./configuring-mtls-with-elb.html). +To use mutual TLS passthrough, you must configure the listener to accept the certificates from clients. To use mutual TLS with verification, see [Configuring mutual TLS on an Application Load Balancer](./configuring-mtls-with-elb.html).