How to Fix TLS 1.3 Connection Issues with AWS Load Balancer and ACM


Introduction

Recently, while configuring an HTTPS setup for my web application hosted on AWS using a Load Balancer with an ACM certificate, I encountered an issue where TLS 1.3 connections were failing. The error was cryptic and pointed towards a problem with the SSL handshake. This blog will walk you through the issue, the investigation, and the final resolution step-by-step so you can avoid the same problem.


Problem Statement

After configuring HTTPS using an Application Load Balancer (ALB) and attaching an ACM certificate, I attempted to connect via TLS 1.3 but received the following error:

OpenSSL/1.1.1t: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Another similar error from libcurl logs:

libcurl error: 35 (SSL connect error)
OpenSSL/1.1.1t: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

This error generally occurs when there is a mismatch or misconfiguration in the SSL/TLS protocol versions supported by the client and the server.


Root Cause

After investigating the issue, I discovered that:

  • The ACM certificate was correctly attached to the ALB.
  • The HTTPS listener was working fine for TLS 1.2.
  • The problem was with TLS 1.3 support, which was not enabled because of the outdated security policy on the ALB.

By default, ALB listeners may use an older security policy like ELBSecurityPolicy-2016-08 that doesn’t support TLS 1.3.

Protocols by policy

The following table describes the protocols that each TLS security policy supports.


Solution: Enable TLS 1.3 Support on ALB

Here is the step-by-step guide to fix the issue:

Step 1: Navigate to Load Balancers

  1. Go to your AWS Console.
  2. Open EC2 Dashboard.
  3. Click on Load Balancers from the left panel.

Step 2: Select the ALB

  1. Choose your Application Load Balancer (ALB).
  2. Click on the Listeners tab.
  3. Select the HTTPS (port 443) listener.

Step 3: Edit the Security Policy

  1. Click on View/edit rules.
  2. In the SSL Policy dropdown, select a security policy that supports TLS 1.3 (the names of these policies include TLS13).
  3. Save the changes.

Step 4: Verify TLS 1.3 Support

Use OpenSSL or curl to verify:

openssl s_client -connect your-domain.com:443 -tls1_3

Or:

curl --tlsv1.3 -Iv https://your-domain.com

You should now see a successful connection using TLS 1.3.
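The following helper script is an added example and is not part of the original post. It ties Step 3 and Step 4 together: it reads and updates the listener's SSL policy with the AWS CLI, and it parses the "New, ..." line of openssl s_client output, which reads "New, (NONE), Cipher is (NONE)" when the handshake failed (the "Protocol" line in the session block is printed even on failure, so it is not a reliable signal). The listener ARN, the domain and the policy name are placeholders you must fill in.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes AWS CLI v2 with
# credentials configured and OpenSSL 1.1.1 or newer (TLS 1.3 capable).
# Placeholders: LISTENER_ARN, DOMAIN and the policy name passed to
# set_listener_policy.
set -eu

# Print the SSL policy currently attached to an ALB listener.
listener_policy() {
  aws elbv2 describe-listeners --listener-arns "$1" \
    --query 'Listeners[0].SslPolicy' --output text
}

# Attach a new SSL policy to the listener (Step 3 via the CLI).
set_listener_policy() {
  aws elbv2 modify-listener --listener-arn "$1" --ssl-policy "$2" \
    --query 'Listeners[0].SslPolicy' --output text
}

# The rule from this post: policies that support TLS 1.3 carry "TLS13" in the name.
policy_supports_tls13() {
  case "$1" in
    *TLS13*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Read openssl s_client output on stdin and print the negotiated protocol.
# A failed handshake prints "New, (NONE), Cipher is (NONE)"; we report "none".
negotiated_protocol() {
  awk '
    /^New, / { split($0, f, ", "); proto = f[2]; seen = 1 }
    END { if (seen && proto != "(NONE)") print proto; else print "none" }
  '
}

# Force a TLS 1.3-only handshake against the ALB and report what was negotiated.
# Prints "TLSv1.3" on success, "none" on the wrong-version-number failure.
check_tls13() {
  openssl s_client -connect "$1:443" -servername "$1" -tls1_3 </dev/null 2>&1 \
    | negotiated_protocol
}

# Usage (placeholders):
#   listener_policy "$LISTENER_ARN"
#   set_listener_policy "$LISTENER_ARN" "ELBSecurityPolicy-TLS13-PLACEHOLDER"
#   check_tls13 your-domain.com
```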


Additional Notes

  • TLS 1.3 offers better security and performance.
  • Not all security policies support TLS 1.3 — use one with TLS13 in the name.
  • You don’t need to modify your EC2 instance or web server (e.g., Apache, Nginx) for this if SSL termination happens at ALB.

Conclusion

By updating the security policy of your AWS ALB to one that supports TLS 1.3, you can enable modern and secure connections to your application. If you see the "wrong version number" error in your TLS logs, it likely points to a misconfigured SSL policy.

Hope this helps others avoid the debugging hours I spent! If you found this helpful, feel free to share it with your network.
