Eden Allen

SSL Passthrough Explained: What It Is and How It Works with TLS

How Does SSL Passthrough Work?

Client initiates an SSL/TLS connection

It starts when a client, for instance a web browser, opens an SSL/TLS connection to a server. During the handshake the client and the server agree on a cipher suite, exchange key material and establish an encrypted session.

The client begins by sending a "ClientHello" message, which lists the protocol versions, cipher suites and extensions it supports. This message is sent in the clear, and its Server Name Indication (SNI) extension carries the host name the client wants to reach; that host name is the one piece of application-level routing information a passthrough load balancer can read without decrypting anything.

Both parties settle on how they will encrypt and decrypt data before any application data is transmitted.

Traffic Hits the Load Balancer or Proxy

The client's encrypted traffic reaches an intermediate device, such as a load balancer or a proxy, placed at the edge between the client and the backend servers.

At this stage the traffic stays encrypted and the intermediary does not decrypt it. Its job is to spread connections across the backend servers and keep the service available, not to read the data.

Load Balancer or Proxy forwards the encrypted traffic.

Rather than decrypting the traffic, the load balancer or proxy simply relays the encrypted bytes to a suitable backend server.

Which backend is chosen depends on factors such as the current load on each server, server health checks and the routing policies configured on the load balancer; in passthrough mode the SNI host name from the ClientHello is typically the only application-level value available for that decision.

The intermediary passes the handshake messages and the encrypted application data through without decrypting, modifying or inspecting them, so the client's TLS session is established directly with the backend.

The Backend Server carries out the decryption.

The backend server, which holds the SSL/TLS certificate and the corresponding private key, receives the encrypted traffic.

During the handshake the server uses its private key to prove its identity: with modern (ECDHE) cipher suites it signs the key exchange, and with legacy RSA key exchange it decrypts the pre-master secret sent by the client. Either way, both sides then derive the same symmetric session keys and the secure session with the client is established.

Once the session is up, the backend server decrypts the client's request, processes it and prepares a response.

The plaintext of the request exists only on the backend server; nowhere in front of it is the data ever decrypted.

Backend Server Encrypts Response

Having decrypted and processed the request, the backend server encrypts the response with the session keys agreed during the handshake before sending it.

This guarantees that the response is protected before it travels back across the network, with the same confidentiality and integrity as the request.

Encrypted Response Forwarded by Load Balancer or Proxy

The backend server's encrypted response passes back through the load balancer or proxy to the client. As on the inbound path, the intermediary does not decrypt it; it just forwards the bytes.

The load balancer or proxy remains a pure relay, neither altering the encrypted response nor delaying it.

Client Receives Encrypted Response

The client receives the encrypted response and decrypts it with the session keys established during the handshake.

This completes the exchange: everything between client and backend was encrypted end to end, and the load balancer or proxy never handled plaintext.
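The whole exchange above, as an added example that is not part of the original post: a minimal passthrough relay in Python. It peeks at the first bytes of a new connection, parses the cleartext ClientHello just far enough to read the SNI host name, picks a backend from that name, and then copies bytes in both directions without ever holding a certificate or private key. The backend names and addresses in BACKENDS and the ClientHello produced by build_client_hello are constructed for illustration, not captured traffic. A real ClientHello can be split across TCP segments; the single peek here is a simplification.

```python
"""Minimal SSL-passthrough relay: route on the cleartext SNI, never decrypt."""
import socket
import struct
import threading

TLS_HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type

# Assumed backend pool for illustration only (hypothetical hosts).
BACKENDS = {
    "app.example.com": ("10.0.0.11", 443),
    "api.example.com": ("10.0.0.12", 443),
}


def parse_sni(data):
    """Return the host name from the SNI extension of a raw ClientHello, or None.

    Only the cleartext handshake framing is parsed; nothing is decrypted. This is
    exactly the amount of information a passthrough load balancer has to route on.
    """
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    record_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                                            # legacy_version + random
        pos += 1 + hello[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                                   # compression_methods
        if pos + 2 > len(hello):
            return None                                         # no extensions at all
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            lpos = 2                                            # skip server_name_list length
            while lpos + 3 <= len(ext):                         # entries: type u8, len u16, name
                name_type = ext[lpos]
                name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + name_len]
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
                lpos += 3 + name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(server_name):
    """Construct a ClientHello carrying an SNI extension (test input, not captured traffic)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                  # server_name_list
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32                          # version + random
             + b"\x00"                                           # empty session id
             + struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite
             + b"\x01\x00"                                       # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def choose_backend(client_hello, backends=BACKENDS):
    """Pick a backend by SNI; None means no or unknown name, so the caller drops the connection."""
    sni = parse_sni(client_hello)
    return backends.get(sni) if sni else None


def _pump(src, dst):
    """Copy ciphertext one way until EOF, then shut both sockets down."""
    try:
        chunk = src.recv(65536)
        while chunk:
            dst.sendall(chunk)
            chunk = src.recv(65536)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(client, backends=BACKENDS):
    """Peek at the ClientHello, choose a backend, then relay bytes both ways."""
    first = client.recv(4096, socket.MSG_PEEK)          # look without consuming
    target = choose_backend(first, backends)
    if target is None:
        client.close()                                  # refuse: nothing to route on
        return
    upstream = socket.create_connection(target)
    # The peeked bytes are still queued on `client`, so the client->upstream pump forwards them.
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)


def serve(listen=("0.0.0.0", 443), backends=BACKENDS):
    """Accept loop; one thread per connection is enough for a demonstration."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn, backends), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Note what the relay does not do: it never loads a certificate, never sees HTTP, and cannot add an X-Forwarded-For header, so the backend sees the relay's address as the client. A connection without SNI, or with a name that is not in the pool, is simply dropped, which is the safe default when there is nothing else to route on.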

Benefits of SSL Passthrough

Improved Certificate Management

With SSL Passthrough, SSL/TLS certificates and their private keys live only on the backend web servers; the load balancer or proxy holds no key material at all.

That keeps the private key on the server that actually serves the application, so renewals, rotations and security policy compliance are handled wherever the backends are already managed, and no intermediate device has to be kept in sync with them.

The trade-off is that every backend that accepts TLS needs a copy of the certificate (see the drawbacks below), so this is mainly a win where certificate deployment to the backends is already automated or where policy forbids private keys on shared infrastructure.

Better Security

SSL Passthrough keeps the connection encrypted end to end, from the client all the way to the backend server.

The intermediary never sees plaintext and never holds a private key, so a compromised or misconfigured load balancer cannot read or alter the traffic, and it is one less place from which key material can leak.

Decryption happens only on the backend server that owns the certificate, which narrows the set of systems that must be trusted with the data.

Drawbacks

Limited Visibility for Intermediary Devices

When running SSL Passthrough, the load balancer or proxy never decrypts the traffic, so it sees only TCP metadata and the cleartext parts of the handshake, such as the SNI host name in the ClientHello.

That rules out anything that needs the plaintext: deep packet inspection, a web application firewall, HTTP-level routing on paths or headers, per-URL rate limiting, and request logging for traffic analysis and monitoring. The intermediary also cannot add headers such as X-Forwarded-For, so the backend sees the load balancer's address as the client unless something like the PROXY protocol is used to carry the original client IP.

This can lower the overall security posture and slow the detection and prevention of attacks, since the first point of contact with the traffic is blind to its content.

Backend Configuration Complexity

With SSL Passthrough, TLS has to be configured on every backend server, whereas with termination at the proxy it is configured once in one place.

Because the certificates and private keys are hosted by the backend servers, administrators must review the TLS configuration (certificate chain, protocol versions, cipher suites) of each server that will handle encrypted connections.

This becomes cumbersome in large organizations with many servers, since each one must be provisioned, checked and kept consistent, which adds administrative cost.

Increased Load on Backend Servers

SSL Passthrough moves the cost of the TLS handshake and of bulk encryption from the intermediary to the backends. The load balancer is relieved of that work, but the backend servers take it on, which matters most for heavily accessed services with many new connections.

The cryptographic operations need adequate CPU on every backend, which adds to hardware and operational expenses.
