About
This article shows you how to see an SSL connection (handshake) in order to debug any problem with the configuration for:
Steps
Firewall
Check your firewall. Your port should be open.
- Is the port open/listening locally?
nmap -Pn -p T:443 localhost
- Remote
nmap -Pn -p T:443 remote-hostname
Example of output where we can see that the port is open:
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-13 08:18 W. Europe Standard Time
Nmap scan report for remote-hostname (192.98.05.126)
Host is up (0.096s latency).
PORT STATE SERVICE
443/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
Start a server
Optionally, start the openssl test SSL server if you want to see the server side.
- TCP only
openssl s_server \
-accept *:4433 `# accept connections from any host on port 4433` \
-cert server-signed-certificate.pem \
-key server-private-key.pem \
-Verify 10 `# 10 is the chain depth; with -Verify the client must supply a certificate or an error occurs` \
-CAfile trusted-certificates-for-client-authentication.pem \
-state \
-debug
- Web server: start a test SSL server with the www option if you want to see the server side.
openssl s_server \
-accept *:4433 `# accept connections from any host on port 4433` \
-cert server-signed-certificate.pem \
-key server-private-key.pem \
-Verify 10 `# 10 is the chain depth; with -Verify the client must supply a certificate or an error occurs` \
-www \
-CAfile trusted-certificates-for-client-authentication.pem \
-state \
-debug
Example of output:
verify depth is 10, must return a certificate
Using default temp DH parameters
ACCEPT
Then, example of output from the server (with only the state flag) when a connection is made:
SSL_accept:before SSL initialization
SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write server hello
SSL_accept:SSLv3/TLS write change cipher spec
SSL_accept:TLSv1.3 write encrypted extensions
SSL_accept:SSLv3/TLS write certificate request
SSL_accept:SSLv3/TLS write certificate
SSL_accept:TLSv1.3 write server certificate verify
SSL_accept:SSLv3/TLS write finished
SSL_accept:TLSv1.3 early data
SSL_accept:TLSv1.3 early data
depth=1 C = NL, O = Organisation, CN = Name
verify return:1
depth=1 C = NL, O = Organisation, CN = Name
verify return:1
SSL_accept:SSLv3/TLS read client certificate
SSL_accept:SSLv3/TLS read certificate verify
SSL_accept:SSLv3/TLS read finished
SSL_accept:SSLv3/TLS write session ticket
SSL_accept:SSLv3/TLS write session ticket
Create a connection
OpenSSL
- Local first: to avoid any firewall problem, test locally.
openssl s_client -connect localhost:4433 -state
- Then connect to the server via a client:
openssl s_client -connect host:4433 \
-cert client-signed-certificate.pem \
-key client-private-key.pem \
-state -debug
Curl
- Or, for HTTPS only, with curl:
curl -v \
--cert client-signed-certificate.pem \
--key client-private-key.pem \
https://example.com
Browser
Open https://hostname:4433/index.html in the browser to see the output if the openssl server was started with the web option (www).
Support
Client certificate not sent
- Check that you are talking to your server directly and not via a proxy such as Cloudflare.
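As an added example (not part of this article), a small Python triage script that reads an openssl s_server -state trace like the one shown above and reports whether the client certificate was requested, presented and verified, which is the first thing to check when the client certificate is not sent. The two traces embedded in it are constructed for the example, not captured output.

```python
# Constructed sample modelled on the s_server -state output above: a completed mutual-TLS handshake.
TRACE_OK = """\
SSL_accept:SSLv3/TLS read client hello
SSL_accept:TLSv1.3 write encrypted extensions
SSL_accept:SSLv3/TLS write certificate request
depth=1 C = NL, O = Organisation, CN = Name
verify return:1
depth=0 C = NL, O = Organisation, CN = Client
verify return:1
SSL_accept:SSLv3/TLS read client certificate
SSL_accept:SSLv3/TLS read finished
"""

# Constructed sample: the client presented no certificate, so a server started with -Verify aborts.
TRACE_NO_CERT = """\
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write certificate request
SSL_accept:SSLv3/TLS read client certificate
SSL3 alert write:fatal:certificate required
SSL_accept:error in error
"""

def summarize_handshake(trace):
    # Collect the handshake states, any TLS alerts and the verify-callback results.
    states, alerts, verify_ok, verify_err = [], [], 0, 0
    for line in (raw.strip() for raw in trace.splitlines()):
        if line.startswith("SSL_accept:"):
            states.append(line.split(":", 1)[1])
        elif line.startswith("SSL3 alert"):
            alerts.append(line)
        elif line == "verify return:1":
            verify_ok += 1
        elif line.startswith(("verify error:", "verify return:0")):
            verify_err += 1
    requested = any("write certificate request" in s for s in states)
    cert_read = any("read client certificate" in s for s in states)
    completed = any("read finished" in s for s in states) and not any("error" in s for s in states)
    if completed and cert_read and verify_ok and not verify_err:
        diagnosis = "ok: mutual TLS handshake completed, client chain verified"
    elif verify_err:
        diagnosis = "client certificate rejected: check -CAfile and the -Verify chain depth"
    elif requested and not verify_ok:
        diagnosis = "client sent no certificate: check its -cert/-key and that no proxy terminates TLS in front of the server"
    else:
        diagnosis = "server never requested a client certificate: start it with -Verify"
    return {"tls13": any(s.startswith("TLSv1.3") for s in states), "cert_requested": requested,
            "client_cert_read": cert_read, "completed": completed, "alerts": alerts, "diagnosis": diagnosis}
```

Pipe the real server output into summarize_handshake (for example from a saved s_server log) to get the same verdict on a live connection.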