
Certificate Validation in Dedicated Load Balancers

If at least one CA certificate is provided for the SSL endpoint, the load balancer passes the client certificate data to the API using the HTTP headers below:

X-SSL-Client-Verify

This header returns either SUCCESS, FAILED, or NONE. The client is verified only after the header returns SUCCESS.
The header returns NONE when the certificate is not present and FAILED when other validation problems occur.

X-SSL-Client-DN

Contains the full distinguished name of the client certificate.

X-SSL-Issuer

Contains the full distinguished name of the issuing certificate.

X-SSL-Client-Serial

Contains the serial number used by the CA to identify the client.
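
The following is an added example, not part of the original page or of the CloudHub product code: a small Python helper an application behind the load balancer could use to consume these four headers. It accepts a client only when X-SSL-Client-Verify is exactly SUCCESS, treats NONE and FAILED as distinct rejection reasons, and reads the DN, issuer and serial headers only after that check. The header names are taken from the page; the sample header values are constructed.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Header names set by the dedicated load balancer (from the documentation above).
VERIFY_HEADER = "X-SSL-Client-Verify"
DN_HEADER = "X-SSL-Client-DN"
ISSUER_HEADER = "X-SSL-Issuer"
SERIAL_HEADER = "X-SSL-Client-Serial"


@dataclass(frozen=True)
class ClientIdentity:
    subject_dn: str   # full DN of the client certificate
    issuer_dn: str    # full DN of the issuing certificate
    serial: str       # serial number assigned by the CA


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(name.lower())
    return value.strip() if value is not None else None


def verify_client(headers: Mapping[str, str]) -> Tuple[Optional[ClientIdentity], str]:
    """Return (identity, "ok") for a verified client, else (None, reason).

    Only SUCCESS is accepted. NONE means no certificate was presented and FAILED
    covers every other validation problem; a missing header means the request
    did not carry a verification result at all (for example, no CA certificate
    is configured on the SSL endpoint), which is also rejected.
    """
    verify = _header(headers, VERIFY_HEADER)
    if verify is None:
        return None, "missing " + VERIFY_HEADER
    if verify == "NONE":
        return None, "no client certificate presented"
    if verify != "SUCCESS":
        return None, "client certificate validation failed: " + verify
    subject = _header(headers, DN_HEADER)
    issuer = _header(headers, ISSUER_HEADER)
    serial = _header(headers, SERIAL_HEADER)
    if not (subject and issuer and serial):
        return None, "verified request is missing certificate headers"
    return ClientIdentity(subject, issuer, serial), "ok"


if __name__ == "__main__":
    # Constructed sample headers, as an application would receive them.
    sample = {"x-ssl-client-verify": "SUCCESS", "X-SSL-Client-DN": "CN=app1,O=Example",
              "X-SSL-Issuer": "CN=Example CA,O=Example", "X-SSL-Client-Serial": "0A1B"}
    print(verify_client(sample))
```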

Adding Revocation Lists

The CloudHub load balancer can optionally verify client requests against certificate revocation lists (CRLs). All CRL files must be concatenated into a single Privacy-Enhanced Mail (PEM) encoded file for upload. The order of the CRLs within the file is not important.

Use the `--crl` option in your load-balancer create command to add a revocation list when you create the load balancer.

If your load balancer already exists, you can use the REST API to update it.
Send a PATCH request containing a revocationList element to the /organizations/{orgid}/vpcs/{vpcId}/loadbalancers/{lbId} endpoint:

[
  {
    "op": "replace",
    "path": "/sslEndpoints/0/revocationList",
    "value": "-----BEGIN X509 CRL-----\nMIIBTTCBtwIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJBVTETMBEGA1UE\nCBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\nMRAwDgYDVQQDEwdvcmcuY29tFw0xNjAzMTUwOTI2MThaFw0xODAzMTUwOTI2MTha\nMBwwGgIJAIBvvO4dJHjhFw0xNjAzMTUwODUwMTZaoA4wDDAKBgNVHRQEAwIBBjAN\nBgkqhkiG9w0BAQUFAAOBgQCCAbGXW+Hnzmd1bXqWsFXfogOsJScoxkJOhhmjui3I\nhTUyO5plGHUBLjBnDkypM+iLfn0W4wPcNj7FZdz4Hu/WLntxwrTtR5YOcfIhEGcq\nwvJq/1+WKUPC6eqGwx0iKOOBIWsaf5CNOOUQMo6RaeTeu8Uba2EGFk1Vu/SoZYAK\nsw==\n-----END X509 CRL-----\n"
  }
]

You should use the CloudHub REST API to programmatically update your revocation lists.
To get the necessary vpcId and loadbalancerId values from the CLI, use the vpc JSON describe and load-balancer JSON describe commands, respectively.

Send a PATCH request to your load balancer’s endpoint to update any other property.

Certificate Ciphers

Each one of the recommended cipher suites listed has a good balance between compatibility and security for your SSL endpoint. They all offer forward secrecy, except RC4-SHA, which is recommended only to support Internet Explorer 8.

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
ECDHE-RSA-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA
DES-CBC3-SHA

CloudHub’s dedicated load balancer supports TLS v1.1 and TLS v1.2. You can configure TLS v1.0, but TLS v1.0 is no longer accepted by PCI compliance due to its significant vulnerabilities.