In last blog, I introduced how SSL/TLS connections are established and how to verify the whole handshake process in network packet file. However capturing network packet is not always supported or possible for certain scenarios. Here in this blog, I will introduce 5 handy tools that can test different phases of SSL/TLS connection so that you cannarrow down the cause of SSL/TLS connection issue and locate root cause.
curl
Suitable scenarios: TLS version mismatch, no supported CipherSuite, network connection between client and server.
curl is an open source tool available on Windows 10, Linux and Unix OS. It is a tool designed to transfer data and supports many protocols. HTTPS is one of them. It can also used to test TLS connection.
Examples:
1. Test connection with a given TLS version.
curl -v https://pingrds.redis.cache.windows.net:6380 --tlsv1.0
2. Test with a given CipherSuite and TLS version
curl -v https://pingrds.redis.cache.windows.net:6380 --ciphers ECDHE-RSA-NULL-SHA --tlsv1.2
Success connection example:
curl -v https://pingrds.redis.cache.windows.net:6380 --tlsv1.2* Rebuilt URL to: https://pingrds.redis.cache.windows.net:6380/* Trying 13.75.94.86...* TCP_NODELAY set* Connected to pingrds.redis.cache.windows.net (13.75.94.86) port 6380 (#0)* schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 1/3)* schannel: checking server certificate revocation* schannel: sending initial handshake data: sending 202 bytes...* schannel: sent initial handshake data: sent 202 bytes* schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3)* schannel: failed to receive handshake, need more data* schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3)* schannel: encrypted data got 4096* schannel: encrypted data buffer: offset 4096 length 4096* schannel: received incomplete message, need more data* schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3)* schannel: encrypted data got 1024* schannel: encrypted data buffer: offset 5120 length 5120* schannel: received incomplete message, need more data* schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3)* schannel: encrypted data got 496* schannel: encrypted data buffer: offset 5616 length 6144* schannel: sending next handshake data: sending 3791 bytes...* schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3)* schannel: encrypted data got 51* schannel: encrypted data buffer: offset 51 length 6144* schannel: SSL/TLS handshake complete* schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 3/3)* schannel: stored credential handle in session cacheFail connection example due to either TLS version mismatch. Not supported ciphersuite returns similar error.
curl -v https://pingrds.redis.cache.windows.net:6380 --tlsv1.0* Rebuilt URL to: https://pingrds.redis.cache.windows.net:6380/* Trying 13.75.94.86...* TCP_NODELAY set* Connected to pingrds.redis.cache.windows.net (13.75.94.86) port 6380 (#0)* schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 1/3)* schannel: checking server certificate revocation* schannel: sending initial handshake data: sending 144 bytes...* schannel: sent initial handshake data: sent 144 bytes* schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3)* schannel: failed to receive handshake, need more data* schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3)* schannel: failed to receive handshake, SSL/TLS connection failed* Closing connection 0* schannel: shutting down SSL/TLS connection with pingrds.redis.cache.windows.net port 6380* Send failure: Connection was reset* schannel: failed to send close msg: Failed sending data to the peer (bytes written: -1)* schannel: clear security context handlecurl: (35) schannel: failed to receive handshake, SSL/TLS connection failedFailed due to network connectivity issue.
curl -v https://pingrds.redis.cache.windows.net:6380 --tlsv1.2* Rebuilt URL to: https://pingrds.redis.cache.windows.net:6380/* Trying 13.75.94.86...* TCP_NODELAY set* connect to 13.75.94.86 port 6380 failed: Timed out* Failed to connect to pingrds.redis.cache.windows.net port 6380: Timed out* Closing connection 0curl: (7) Failed to connect to pingrds.redis.cache.windows.net port 6380: Timed outopenssl
Suitable scenarios: TLS version mismatch, no supported CipherSuite, network connection between client and server.
openSSL is an open source tool and its s_client acts as SSL client to test SSL connection with a remote server. This is helpful to isolate the cause of client.
- On majority Linux machines, OpenSSL is there already. On Windows, you can download it from this link: https://chocolatey.org/packages/openssl
- Run Open SSL
- Windows: open the installation directory, click /bin/, and then double-click openssl.exe.
- Mac and Linux: run openssl from a terminal.
- Issue s_client -help to find all options.
Command examples:
1. Test a particular TLS version:
s_client -host sdcstest.blob.core.windows.net -port 443 -tls1_1
2. Disable one TLS version
s_client -host sdcstest.blob.core.windows.net -port 443 -no_tls1_2
3. Test with a given ciphersuite:
s_client -host sdcstest.blob.core.windows.net -port 443 -cipher ECDHE-RSA-AES256-GCM-SHA384
4. Verify if remote server’s certificates are trusted.
Success connection example:
CONNECTED(000001A0)depth=1 C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02verify error:num=20:unable to get local issuer certificateverify return:1depth=0 CN = *.blob.core.windows.netverify return:1---Certificate chain 0 s:CN = *.blob.core.windows.net i:C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02 1 s:C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02 i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root---Server certificate-----BEGIN CERTIFICATE-----MIINtDCCC5ygAwIBAgITfwAI6NfesKGuQGWPYQAAAAjo1zANBgkqhkiG9w0BAQsFADBPMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9upK8hqxL0zc4NQLRTq9RNpdPwnNmGn5SZ4Nu5ktUgWokR97THzgs6a/ErHH2tigLFjwkgB8UuV/hhu3vEa0jxstSBgbjQPgSNexAl7XwgawaucIF+wkRpPW2w0VTcDWtT1bGtFCpewAo=-----END CERTIFICATE-----subject=CN = *.blob.core.windows.netissuer=C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02---No client certificate CA names sentPeer signing digest: MD5-SHA1Peer signature type: RSAServer Temp Key: ECDH, P-256, 256 bits---SSL handshake has read 5399 bytes and written 293 bytesVerification error: unable to get local issuer certificate---New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHAServer public key is 2048 bitSecure Renegotiation IS supportedCompression: NONEExpansion: NONENo ALPN negotiatedSSL-Session: Protocol : TLSv1.1 Cipher : ECDHE-RSA-AES256-SHA Session-ID: B60B0000F51FFB7C9DDB4E58CD20DC20987C13CFD31386BE435D612CF5EFDBF9 Session-ID-ctx: Master-Key: DA402F6E301B4E4981B7820CAF6E0AF3C633290E85E2998BFAB081788488D3807ABD3FF41FF48DA55DB56281C024C4F4 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1615557502 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) Extended master secret: yesFail connection example due to TLS mismatch:
OpenSSL> s_client -host sdcstest.blob.core.windows.net -port 443 -tls1_3CONNECTED(0000017C)write:errno=10054---no peer certificate available---No client certificate CA names sent---SSL handshake has read 0 bytes and written 254 bytesVerification: OK---New, (NONE), Cipher is (NONE)Secure Renegotiation IS NOT supportedCompression: NONEExpansion: NONENo ALPN negotiatedEarly data was not sentVerify return code: 0 (ok)---error in s_clientFail connection example due to network connectivity:
OpenSSL> s_client -host sdcstest.blob.core.windows.net -port 778030688:error:0200274C:system library:connect:reason(1868):crypto/bio/b_sock2.c:110:30688:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:connect:errno=0error in s_clientOnline tool
https://www.ssllabs.com/ssltest/
Suitable scenarios: TLS version mismatch, no supported CipherSuite.
This is a free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. It can list all supported TLS versions and ciphers of a server. And auto detect if server works fine in different types of client, such as web browsers, mobile devices, etc.
Please note, this only works with public access website. For internal access website will need to run above curl or openssl from an internal environment. And it only supports domain name and does not work with IP address.
Web Browser:
Suitable scenarios: Verify if server certificate chain is trusted on client.
Web Browser can be used to verify if remote server’s certificate is trusted or not locally:
- Access the url from web browser.
- It does not matter if the page can be load or not. Before loading anything from the remote sever, web browser tried to establish SSL connection.
- If you see below error returned, it means certificate is not trusted on current machine.
Certutil
Suitable scenarios: Verify if server certificate on client, verify client certificate on server.
Certutil is a tool available on windows. It is useful to verify a given certificate. For example verify server certificate from client end. If mutual authentication is implemented, this tool can also be used to verify client certificate on server.
The command auto verifies trusted certificate chain and certificate revocation list (CRL).
Command:
certutil -verify -urlfetch <client cert file path>
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil#-verify
Next blog, I will introduce solutions for common causes of SSL/TLS connection issues.
