Contact Free trial Login

Certificate Validation in Dedicated Load Balancers

If at least one CA certificate is provided for the SSL endpoint, the load balancer passes the client certificate data to the API using these HTTP headers:

  • X-SSL-Client-Verify

    Returns one of:

    • SUCCESS

      The client is verified only after SUCCESS.

    • NONE when the certificate is not present

    • FAILED when other validation problems occur

  • X-SSL-Client-DN

    Contains the full distinguished name of the client certificate

  • X-SSL-Issuer

    Contains the full distinguished name of the issuing certificate

  • X-SSL-Client-Serial

    Contains the serial number used by the CA to identify the client

Add Revocation Lists

The CloudHub load balancer can optionally verify client requests against certificate revocation lists (CRL). All CRL files must be concatenated into a single, unencrypted PEM-encoded file for upload. The order of items in the CRL is not important.

To add a revocation list when you create the load balancer, use the --crl option with the load-balancer create command.

If your load balancer already exists, you can use the CloudHub REST API to add or update your CRLs. To do so, send a PATCH request to the /organizations/{orgid}/vpcs/{vpcId}/loadbalancers/{lbId} endpoint and include a revocationList element:

[
  {
    "op": "replace",
    "path": "/sslEndpoints/0/revocationList",
    "value": "-----BEGIN X509 CRL-----\nMIIBTTCBtwIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJBVTETMBEGA1UE\nCBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\nMRAwDgYDVQQDEwdvcmcuY29tFw0xNjAzMTUwOTI2MThaFw0xODAzMTUwOTI2MTha\nMBwwGgIJAIBvvO4dJHjhFw0xNjAzMTUwODUwMTZaoA4wDDAKBgNVHRQEAwIBBjAN\nBgkqhkiG9w0BAQUFAAOBgQCCAbGXW+Hnzmd1bXqWsFXfogOsJScoxkJOhhmjui3I\nhTUyO5plGHUBLjBnDkypM+iLfn0W4wPcNj7FZdz4Hu/WLntxwrTtR5YOcfIhEGcq\nwvJq/1+WKUPC6eqGwx0iKOOBIWsaf5CNOOUQMo6RaeTeu8Uba2EGFk1Vu/SoZYAK\nsw==\n-----END X509 CRL-----\n"
  }
]

To get the necessary vpcId and loadbalancerId values from the CLI, use the vpc JSON describe and load-balancer JSON describe commands.

To update any other property, send a PATCH request to your load balancer endpoint.

Certificate Cipher Suites

The following recommended ciphers suites provide a good balance between compatibility and security for your SSL endpoint.

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA

Most cipher suites offer forward secrecy. RC4-SHA (supports Internet Explorer 8) does not. For this reason, MuleSoft and Microsoft do not recommend using it.

The CloudHub dedicated load balancer supports TLSv1.1 and TLSv1.2. Although you can configure TLS v1.0, PCI compliance doesn’t accept this protocol because of its significant vulnerabilities.

We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used and to tailor advertising. You can read more and make your cookie choices here. By continuing to use this site you are giving us your consent to do this.