Disabling mTLS expiry checks effectively gives all issued client certificates eternal validity. This greatly expands the window of impact for a lost or compromised client certificate and undermines client certificate management processes.
Mutual TLS (mTLS) is an additional configuration layer built on top of standard server-side TLS. In a typical TLS exchange, the client initiates a request to the server, and the server responds by performing a TLS handshake. This handshake, based on Public Key Infrastructure (PKI), allows the server to accept the inbound request, negotiate a shared key (using the cipher suites supported by both parties), and establish encrypted communication. This ensures that no plaintext data is transmitted between the client and server.
Mutual TLS extends this process by requiring the client to authenticate itself using the same PKI-based mechanisms as the server. In standard TLS, the server certificate does not only secure the communication but also serves as a means of server identification and authentication. For example, when accessing amazonaws.com over HTTPS, the server confirms its identity by presenting a trusted certificate specifically naming the domain amazonaws.com, ensuring that the connection is with amazonaws.com and not an impersonator. This explicitly prevents the trusted certificate issued for amazonaws.com from being used for google.com or other domains.
Mutual TLS applies the same identification and authentication process to the client. The client, whether a browser or an application, presents a certificate that uniquely identifies that client, customer or user. By validating the certificate's signature chain against a trusted certificate authority, and by requiring the client to prove possession of the matching private key during the handshake, the server can verify that the client is indeed who it claims to be. This bidirectional authentication ensures that both parties are verified before encrypted application traffic begins.
While the TLS protocols are intricate, the core idea behind mutual TLS is to introduce an extra layer of client authentication that is not present in standard client-server interactions. For applications that rely on AWS Elastic Load Balancers to provide mutual TLS connections, the client certificate expiration check can be disabled in the listener configuration, causing any and all client certificates to be accepted no matter how old they are.
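The setting described above is visible in the load balancer's listener configuration. The following added example (not code from the original article) audits a DescribeListeners response for listeners that verify client certificates but ignore their expiry. The input dictionary is shaped like the AWS ELBv2 DescribeListeners API output (`Listeners[].MutualAuthentication` with `Mode`, `TrustStoreArn` and `IgnoreClientCertificateExpiry`); the sample response itself is constructed and its ARNs are placeholders, so in practice you would feed the function the result of `boto3.client("elbv2").describe_listeners(...)` instead.

```python
"""Audit ALB listeners for mutual TLS that ignores client certificate expiry.

Added example, not from the original article. The dictionary layout mirrors
the ELBv2 DescribeListeners API; the sample below is constructed and the ARNs
are placeholders.
"""
from typing import Any

# Constructed sample response (placeholder ARNs), covering the four cases an
# audit has to tell apart.
SAMPLE_RESPONSE: dict[str, Any] = {
    "Listeners": [
        {   # mTLS in verify mode but expiry ignored -> finding
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/example-alb/PLACEHOLDER/aaaa",
            "Protocol": "HTTPS",
            "Port": 443,
            "MutualAuthentication": {
                "Mode": "verify",
                "TrustStoreArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:truststore/example-ts/PLACEHOLDER",
                "IgnoreClientCertificateExpiry": True,
            },
        },
        {   # verify mode with expiry enforced -> no finding
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/example-alb/PLACEHOLDER/bbbb",
            "Protocol": "HTTPS",
            "Port": 8443,
            "MutualAuthentication": {
                "Mode": "verify",
                "TrustStoreArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:truststore/example-ts/PLACEHOLDER",
                "IgnoreClientCertificateExpiry": False,
            },
        },
        {   # passthrough: the ALB forwards the certificate without verifying it,
            # so expiry (and everything else) must be checked by the target
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/example-alb/PLACEHOLDER/cccc",
            "Protocol": "HTTPS",
            "Port": 9443,
            "MutualAuthentication": {"Mode": "passthrough"},
        },
        {   # plain HTTP listener: no mutual authentication block at all
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/example-alb/PLACEHOLDER/dddd",
            "Protocol": "HTTP",
            "Port": 80,
        },
    ]
}


def find_expiry_ignored(response: dict[str, Any]) -> list[dict[str, Any]]:
    """Return listeners that verify client certificates but ignore expiry."""
    findings = []
    for listener in response.get("Listeners", []):
        mtls = listener.get("MutualAuthentication") or {}
        # Only verify mode performs certificate validation on the ALB itself;
        # the flag is meaningless for "off" and "passthrough".
        if mtls.get("Mode") == "verify" and mtls.get("IgnoreClientCertificateExpiry") is True:
            findings.append({
                "ListenerArn": listener["ListenerArn"],
                "Port": listener.get("Port"),
                "TrustStoreArn": mtls.get("TrustStoreArn"),
            })
    return findings


def find_passthrough(response: dict[str, Any]) -> list[str]:
    """Listeners where expiry enforcement is delegated to the target; review those separately."""
    return [
        l["ListenerArn"]
        for l in response.get("Listeners", [])
        if (l.get("MutualAuthentication") or {}).get("Mode") == "passthrough"
    ]


def remediation_command(finding: dict[str, Any]) -> str:
    """Build the modify-listener call that re-enables expiry checking for one finding."""
    return (
        "aws elbv2 modify-listener"
        f" --listener-arn {finding['ListenerArn']}"
        f" --mutual-authentication Mode=verify,TrustStoreArn={finding['TrustStoreArn']},"
        "IgnoreClientCertificateExpiry=false"
    )


if __name__ == "__main__":
    for f in find_expiry_ignored(SAMPLE_RESPONSE):
        print(f"expiry ignored on port {f['Port']}: {f['ListenerArn']}")
        print("  fix:", remediation_command(f))
    for arn in find_passthrough(SAMPLE_RESPONSE):
        print("passthrough (check target-side validation):", arn)
```

Run it against each region and account in scope; a listener in passthrough mode is not a finding by itself, but it does mean the expiry check has to be located and confirmed in the application behind the load balancer.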
Disabling client certificate expiration checks essentially grants indefinite access to every client certificate ever issued. This introduces a security risk: client certificates and their key pairs can be lost, stolen, or compromised, and without expiration a compromised certificate can be used indefinitely.
Compounding this, as part of mutual TLS adoption organizations should implement processes for issuing, rotating, and revoking client certificates. Regular renewal ensures that certificates are periodically replaced, mitigating the long-term risk from lost or compromised assets. Permanent, never-expiring client certificates undermine these processes: once issued, a certificate never needs to be renewed or replaced, which removes the checkpoint and the process governance for managing client certificates.
Determine which client certificates are currently outstanding and assess how many of them would be affected if the configuration on your Elastic Load Balancer (ELB) were updated to enforce client certificate expiration. If clients are using expired certificates, this change will disrupt their access and will require you to reissue valid certificates, so you will need a process for issuing certificates that can respond to clients who lose access.
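The impact assessment described above can be scripted from the issuing CA's records. The following added example (not code from the original article) classifies an inventory of issued client certificates into expired, expiring soon and valid, relative to a fixed reference time, so you can see how many clients would be rejected the moment expiry enforcement is switched on. The inventory and the reference time are constructed; the `parse_openssl_enddate` helper assumes your records hold `notAfter=` lines in the format printed by `openssl x509 -noout -enddate`, which is one common source but not the only one.

```python
"""Estimate which mTLS clients lose access once certificate expiry is enforced.

Added example, not from the original article. The inventory and reference
time below are constructed; a real inventory would come from the issuing
CA's records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ClientCert:
    subject: str
    serial: str
    not_after: datetime  # timezone-aware, UTC


def parse_openssl_enddate(line: str) -> datetime:
    """Parse a 'notAfter=Jun  1 12:00:00 2024 GMT' line (openssl x509 -enddate output)."""
    value = line.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    # strptime treats whitespace in the format as one-or-more spaces, so the
    # double space openssl prints before single-digit days is handled.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


# Fixed reference time so the classification below is reproducible (constructed).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Constructed inventory covering the three outcomes an assessment reports.
INVENTORY = [
    ClientCert("CN=client-a", "01", parse_openssl_enddate("notAfter=Jun  1 12:00:00 2024 GMT")),  # expired
    ClientCert("CN=client-b", "02", datetime(2025, 1, 20, tzinfo=timezone.utc)),                   # 5 days left
    ClientCert("CN=client-c", "03", datetime(2026, 1, 1, tzinfo=timezone.utc)),                    # valid
    ClientCert("CN=client-d", "04", datetime(2025, 3, 1, tzinfo=timezone.utc)),                    # valid, 45 days
]


def classify(inventory: list[ClientCert], now: datetime, warn_days: int = 30) -> dict[str, list[ClientCert]]:
    """Split certificates into expired / expiring within warn_days / valid.

    Expired certificates are the clients that break immediately when the
    expiry check is enforced; expiring-soon ones need a reissue before the
    rollout or shortly after it.
    """
    result: dict[str, list[ClientCert]] = {"expired": [], "expiring_soon": [], "valid": []}
    horizon = timedelta(days=warn_days)
    for cert in inventory:
        if cert.not_after <= now:
            result["expired"].append(cert)
        elif cert.not_after - now <= horizon:
            result["expiring_soon"].append(cert)
        else:
            result["valid"].append(cert)
    return result


def impact_summary(inventory: list[ClientCert], now: datetime, warn_days: int = 30) -> dict[str, int]:
    """Counts per bucket, the headline numbers for the rollout plan."""
    buckets = classify(inventory, now, warn_days)
    return {name: len(certs) for name, certs in buckets.items()}


if __name__ == "__main__":
    buckets = classify(INVENTORY, NOW)
    for name, certs in buckets.items():
        print(f"{name}: {len(certs)}")
        for c in certs:
            print(f"  {c.subject} (serial {c.serial}) notAfter={c.not_after.isoformat()}")
```

The expired bucket is the list of clients you must contact and reissue before flipping the setting; the expiring-soon bucket is the set that will hit the same problem within the warning window, so issuing their replacements in the same batch avoids a second round of outages.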
Ideally all clients would possess and utilise up-to-date, valid certificates ahead of any update. If that is the case, changing the configuration to enforce expiration checks will have no negative effect on active clients.
This rollout requires collaboration between you and your clients, as the change can negatively affect them and cause downtime that impacts your Service Level Agreements. Conduct a thorough investigation and seek guidance based on the current state of your service and your clients' environments to ensure the best possible outcome for all parties involved.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.