
FAQ: AltaVault replication: comparing SSL-passthrough and SSL-terminating proxies

Question
FAQ: AltaVault replication: comparing SSL-passthrough and SSL-terminating proxies

Applies To
NetApp Cloud Backup (AltaVault)

Answer
A proxy server is a device that behaves as an intermediary between a client and server and provides means to monitor
and control the connections, perform object caching, client authentication, etc. Many companies block all connection
attempts to public Internet destinations and use a proxy to allow only approved connections.

AltaVaults must be used in conjunction with a cloud storage provider and be able to connect to it. Most cloud provider
APIs run over HTTP and are SSL/TLS encrypted, which makes them suitable for use with proxies; however, there are two
ways the proxy can process the SSL/TLS negotiation. An SSL/TLS connection establishes a secure channel between
endpoints that begins with a handshake and encryption negotiation, after which all communication is encrypted and
unreadable to any other device. A proxy can be configured to allow the AltaVault and the cloud provider to establish this
SSL/TLS connection end to end, or it can be what is called an SSL-terminating proxy, which acts as the server to the
client and as the client to the server.

SSL-passthrough proxy with HTTP CONNECT

AltaVault                 proxy            Cloud provider
|---- tcp connection 1 ----| |---- tcp connection 2 ----|
|--------------------- SSL Session ---------------------|

SSL-terminating proxy

AltaVault                 proxy            Cloud provider
|---- tcp connection 1 ----| |---- tcp connection 2 ----|
|----- SSL Session 1 ------| |----- SSL Session 2 ------|

The SSL negotiation begins with the authentication of the server's certificate. Here, the client inspects the certificate
chain to see if it ends with a certificate authority that it knows and explicitly trusts. All public cloud providers use
certificates that have been signed by well-known Certificate Authorities (Verisign, DigiCert, GeoTrust, Entrust, etc.). This
allows the client to know that the server is who it claims to be.

https://netapp-test.mindtouch.us/Advice_and_Troubleshooting/Data_Infrastructure_Management/Active_IQ_Unified_Manager…
Updated: Thu, 02 Jan 2020 05:22:38 GMT

If a proxy is terminating the SSL session, it needs to insert itself into the SSL connection, that is, act as a
man-in-the-middle, which SSL is specifically designed to prevent. During the SSL negotiation between the proxy and the
AltaVault (AVA), the proxy will present a server certificate claiming to be the cloud provider; however, it will not be
signed by a trusted public CA. Instead, it will either be a self-signed certificate with no CA, or the signing CA will be a
private corporate certificate and, unless the AltaVault has been configured to explicitly trust this CA, the certificate
will be rejected and a message logged stating that the server certificate could not be verified. In 4.2 and later
versions, users can add the CA certificate used to sign the cloud provider's certificate in the WebUI under
Configure > Cloud Settings.

The rationale behind using an SSL-terminating proxy is to give a corporation's security group the ability to monitor the
unencrypted connection and to provide caching, deduplication and HTTP acceleration. None of these apply to AltaVault
replication traffic, since the objects uploaded by the AltaVault to the cloud provider are themselves encrypted and cannot
be read even after stripping away the SSL layer. The processing overhead associated with terminating SSL sessions
can be significant, and experience shows that some proxy servers respond by dropping connections or rejecting
connection attempts when they become resource constrained, degrading replication throughput. For these reasons
NetApp recommends configuring proxies for SSL-passthrough instead of SSL-terminating.


Internal Notes
The details of the server certificate can be determined using the shell utility openssl.

1. Drop to shell
2. openssl s_client -connect hostname:port </dev/null

The /dev/null redirection causes a successful connection to end immediately; otherwise the user has to press
Ctrl+C to close it.

Example:
# openssl s_client -connect s3.amazonaws.com:443 </dev/null
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Baltimore CA-2 G2
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = s3.amazonaws.com

verify return:1
---
Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3146 bytes and written 401 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 7A8B9F8BE3FE5D7D1555AF8C51943253B0EEE4AB81B5B9376D52C95CCE33CBA7
Session-ID-ctx:
Master-Key:
C19E592500F50800378BF8FF57C3F6106A2DF8797C812A4D36D9B0B33B07CCC606C0CB3EA12BC7AAFEDCA80F821AF383
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1506353844
Timeout : 300 (sec)
Verify return code: 0 (ok)
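The certificate-chain check described under Internal Notes, and the trust failure described for an SSL-terminating proxy, as an added example that is not part of this NetApp KB: a POSIX shell script that parses two openssl s_client transcripts (one from a direct connection, one made through the proxy) and reports whether the proxy passes the SSL session through or terminates it. The sample transcripts are constructed; Example Corp and its proxy CA are placeholders.

```shell
#!/bin/sh
# Added example (not NetApp's code): tell an SSL-passthrough proxy from an
# SSL-terminating one by comparing the certificate chain openssl s_client
# reports on a direct connection with the chain it reports via the proxy.
# Issuer of the last certificate in the "Certificate chain" block on stdin,
# i.e. the CA the presented chain ends with.
chain_root() {
    sed -n '/^Certificate chain/,/^---/p' | grep '^ *i:' | tail -n 1 | sed 's/^ *i://'
}
# Numeric part of the "Verify return code: N (...)" line on stdin.
verify_code() {
    sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}
# $1 = s_client output from a direct connection, $2 = output via the proxy.
# Prints one of: passthrough, terminating, unverified.
classify_proxy() {
    direct_root=$(printf '%s\n' "$1" | chain_root)
    proxy_root=$(printf '%s\n' "$2" | chain_root)
    code=$(printf '%s\n' "$2" | verify_code)
    if [ "$direct_root" != "$proxy_root" ]; then
        echo terminating   # proxy presented a chain ending in its own (private) CA
    elif [ "$code" != "0" ]; then
        echo unverified    # same chain as direct: the client's trust store lacks the root
    else
        echo passthrough
    fi
}
# Constructed samples trimmed to the lines inspected above. DIRECT_SAMPLE
# mirrors the chain shown in this KB; PROXY_SAMPLE (Example Corp) is made up.
DIRECT_SAMPLE=$(cat <<'EOF'
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Baltimore CA-2 G2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Verify return code: 0 (ok)
EOF
)
PROXY_SAMPLE=$(cat <<'EOF'
Certificate chain
 0 s:/CN=s3.amazonaws.com
   i:/O=Example Corp/CN=Example Corp Proxy CA
---
Verify return code: 21 (unable to verify the first certificate)
EOF
)
classify_proxy "$DIRECT_SAMPLE" "$DIRECT_SAMPLE"   # passthrough
classify_proxy "$DIRECT_SAMPLE" "$PROXY_SAMPLE"    # terminating
```

For a live check, capture `openssl s_client -connect hostname:port </dev/null` once directly and once with `-proxy proxyhost:proxyport` added (this assumes OpenSSL 1.1.0 or later, where s_client accepts -proxy), then pass both transcripts to classify_proxy. An "unverified" result with an unchanged chain points at the AltaVault's trust store rather than at the proxy.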

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information
or recommendations provided in this publication or with respect to any results that may be obtained by the use of the
information or observance of any recommendations provided herein. The information in this document is distributed AS
IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's
responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational
environment. This document and the information contained herein may be used solely in connection with the NetApp
products discussed in this document.

