How to debug / test a TLS / SSL connection?

About

This article shows you how to observe an SSL connection (handshake) in order to debug any configuration problem for:

Steps

Firewall

Check your firewall. Your port should be open.

  • Is the port open/listening locally?
nmap -Pn -p T:443 localhost
  • Is it reachable remotely?
nmap -Pn -p T:443 remote-hostname

Example of output where we can see that the port is open:

Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-13 08:18 W. Europe Standard Time
Nmap scan report for remote-hostname (192.98.05.126)
Host is up (0.096s latency).

PORT      STATE SERVICE
443/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds

Start a server

Optionally, start the openssl test SSL server 1) if you want to see the server side.

  • TCP only
openssl s_server \
    -accept '*:4433' `# accept connections from any host on port 4433 (quoted so the shell does not glob the *)` \
    -cert server-signed-certificate.pem \
    -key server-private-key.pem \
    -Verify 10  `# 10 is the maximum chain depth; the client must supply a certificate or an error occurs` \
    -CAfile trusted-certificates-for-client-authentication.pem \
    -state \
    -debug
  • Web server: start a test SSL server with the www option 2) if you want to see the server side and answer HTTP requests.
openssl s_server \
    -accept '*:4433' `# accept connections from any host on port 4433 (quoted so the shell does not glob the *)` \
    -cert server-signed-certificate.pem \
    -key server-private-key.pem \
    -Verify 10  `# 10 is the maximum chain depth; the client must supply a certificate or an error occurs` \
    -www \
    -CAfile trusted-certificates-for-client-authentication.pem \
    -state \
    -debug

Example of output:

verify depth is 10, must return a certificate
Using default temp DH parameters
ACCEPT

Then an example of the server output, with only the -state flag, when a connection is made:

SSL_accept:before SSL initialization
SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write server hello
SSL_accept:SSLv3/TLS write change cipher spec
SSL_accept:TLSv1.3 write encrypted extensions
SSL_accept:SSLv3/TLS write certificate request
SSL_accept:SSLv3/TLS write certificate
SSL_accept:TLSv1.3 write server certificate verify
SSL_accept:SSLv3/TLS write finished
SSL_accept:TLSv1.3 early data
SSL_accept:TLSv1.3 early data
depth=1 C = NL, O = Organisation, CN = Name
verify return:1
depth=1 C = NL, O = Organisation, CN = Name
verify return:1
SSL_accept:SSLv3/TLS read client certificate
SSL_accept:SSLv3/TLS read certificate verify
SSL_accept:SSLv3/TLS read finished
SSL_accept:SSLv3/TLS write session ticket
SSL_accept:SSLv3/TLS write session ticket

Create a connection

OpenSSL

  • Local first: to avoid any firewall problem, test locally.
openssl s_client -connect localhost:4433 -state
  • Then connect to the server via a client 3)
openssl s_client -connect host:4433 \
   -cert client-signed-certificate.pem \
   -key client-private-key.pem  \
   -state -debug

Curl

  • Or, for HTTPS only, with curl:
curl -v \
   --cert client-signed-certificate.pem \
   --key client-private-key.pem \
   https://example.com

Browser

Or open https://hostname:4433/index.html in the browser if the openssl server was started with the web option (-www).

[Image: Ssl Test Server Www]

Support

Client certificate not sent

  • Check that you are talking to your server directly and not via a proxy such as Cloudflare, which terminates TLS itself and does not forward your client certificate.
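To tie the client steps and the support note together, here is an added helper (not from the original article) that wraps openssl s_client and classifies its transcript: port unreachable, server certificate not trusted, server demanding a client certificate, or a clean handshake with its protocol and cipher. It assumes a POSIX shell, openssl on the PATH, and the certificate file names used on this page; the matched strings are the ones OpenSSL 1.1.1 and 3.x print in those situations.

```shell
#!/bin/sh
# Added example, not part of the original article.
# tls_probe runs the same s_client command as above and captures everything it
# prints (stderr included); interpret_s_client turns that transcript into
# "<verdict> <details>" so the common failure modes are named, not guessed.

# $1 host, $2 port, $3/$4 optional client certificate and key (as in the s_client step).
tls_probe() {
    host=$1; port=$2; cert=${3:-}; key=${4:-}
    set -- -connect "$host:$port" -servername "$host" -showcerts
    [ -n "$cert" ] && set -- "$@" -cert "$cert" -key "$key"
    openssl s_client "$@" </dev/null 2>&1
}

# Reads an s_client transcript on stdin. Order matters: a TLS 1.3 server that
# rejects a missing client certificate may print "Verify return code: 0 (ok)"
# and only then the fatal "certificate required" alert, so alerts are checked first.
interpret_s_client() {
    t=$(cat)
    proto=$(printf '%s\n' "$t" | sed -n 's/^Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$t" | sed -n 's/^Cipher *: *//p' | head -n 1)
    vcode=$(printf '%s\n' "$t" | sed -n 's/^Verify return code: *//p' | head -n 1)
    case "$t" in
        *"connect:errno="*|*"Connection refused"*)
            echo "tcp-unreachable  nothing answered on the port: re-check the firewall with nmap" ;;
        *"certificate required"*|*"handshake failure"*)
            echo "client-cert-required  the server wants a client certificate: pass -cert/-key and make sure no proxy sits in between" ;;
        *"unable to get local issuer"*|*"self signed certificate"*|*"self-signed certificate"*)
            echo "untrusted-server-cert  verify failed: $vcode (point -CAfile at the issuing CA)" ;;
        *"Verify return code: 0 (ok)"*)
            echo "ok  $proto $cipher" ;;
        *)
            echo "unknown  read the full transcript (re-run with -state -debug)" ;;
    esac
}

# Usage against a live server (not run here):
#   tls_probe host 4433 client-signed-certificate.pem client-private-key.pem | interpret_s_client
```

The first word of the output is a stable verdict you can test on in a script; the rest is the hint a human reads.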
