| TLS connection common causes and troubleshooting guide | 您所在的位置:网站首页 › conneclion › TLS connection common causes and troubleshooting guide |
TLS connection common causes and troubleshooting guide
|
In last blog, I introduced how SSL/TLS connections are established and how to verify the whole handshake process in network packet file. However capturing network packet is not always supported or possible for certain scenarios. Here in this blog, I will introduce 5 handy tools that can test different phases of SSL/TLS connection so that you can narrow down the cause of SSL/TLS connection issue and locate root cause.
curl
Suitable scenarios: TLS version mismatch, no supported CipherSuite, network connection between client and server.
curl is an open source tool available on Windows 10, Linux and Unix OS. It is a tool designed to transfer data and supports many protocols. HTTPS is one of them. It can also used to test TLS connection.
Examples: 1. Test connection with a given TLS version. curl -v https://pingrds.redis.cache.windows.net:6380 --tlsv1.0 2. Test with a given CipherSuite and TLS version curl -v https://pingrds.redis.cache.windows.net:6380 --ciphers ECDHE-RSA-NULL-SHA --tlsv1.2
Success connection example: curl -v https://pingrds.redis.cache.windows.net:6380 --tlsv1.2 * Rebuilt URL to: https://pingrds.redis.cache.windows.net:6380/ * Trying 13.75.94.86... * TCP_NODELAY set * Connected to pingrds.redis.cache.windows.net (13.75.94.86) port 6380 (#0) * schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 1/3) * schannel: checking server certificate revocation * schannel: sending initial handshake data: sending 202 bytes... * schannel: sent initial handshake data: sent 202 bytes * schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3) * schannel: failed to receive handshake, need more data * schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3) * schannel: encrypted data got 4096 * schannel: encrypted data buffer: offset 4096 length 4096 * schannel: received incomplete message, need more data * schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3) * schannel: encrypted data got 1024 * schannel: encrypted data buffer: offset 5120 length 5120 * schannel: received incomplete message, need more data * schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3) * schannel: encrypted data got 496 * schannel: encrypted data buffer: offset 5616 length 6144 * schannel: sending next handshake data: sending 3791 bytes... * schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3) * schannel: encrypted data got 51 * schannel: encrypted data buffer: offset 51 length 6144 * schannel: SSL/TLS handshake complete * schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 3/3) * schannel: stored credential handle in session cache
Fail connection example due to either TLS version mismatch. Not supported ciphersuite returns similar error. curl -v https://pingrds.redis.cache.windows.net:6380 --tlsv1.0 * Rebuilt URL to: https://pingrds.redis.cache.windows.net:6380/ * Trying 13.75.94.86... * TCP_NODELAY set * Connected to pingrds.redis.cache.windows.net (13.75.94.86) port 6380 (#0) * schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 1/3) * schannel: checking server certificate revocation * schannel: sending initial handshake data: sending 144 bytes... * schannel: sent initial handshake data: sent 144 bytes * schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3) * schannel: failed to receive handshake, need more data * schannel: SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 (step 2/3) * schannel: failed to receive handshake, SSL/TLS connection failed * Closing connection 0 * schannel: shutting down SSL/TLS connection with pingrds.redis.cache.windows.net port 6380 * Send failure: Connection was reset * schannel: failed to send close msg: Failed sending data to the peer (bytes written: -1) * schannel: clear security context handle curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
Failed due to network connectivity issue. curl -v https://pingrds.redis.cache.windows.net:6380 --tlsv1.2 * Rebuilt URL to: https://pingrds.redis.cache.windows.net:6380/ * Trying 13.75.94.86... * TCP_NODELAY set * connect to 13.75.94.86 port 6380 failed: Timed out * Failed to connect to pingrds.redis.cache.windows.net port 6380: Timed out * Closing connection 0 curl: (7) Failed to connect to pingrds.redis.cache.windows.net port 6380: Timed outopenssl
Suitable scenarios: TLS version mismatch, no supported CipherSuite, network connection between client and server.
openSSL is an open source tool and its s_client acts as SSL client to test SSL connection with a remote server. This is helpful to isolate the cause of client. On majority Linux machines, OpenSSL is there already. On Windows, you can download it from this link: https://chocolatey.org/packages/openssl Run Open SSL Windows: open the installation directory, click /bin/, and then double-click openssl.exe. Mac and Linux: run openssl from a terminal. Issue s_client -help to find all options.
Command examples: 1. Test a particular TLS version: s_client -host sdcstest.blob.core.windows.net -port 443 -tls1_1 2. Disable one TLS version s_client -host sdcstest.blob.core.windows.net -port 443 -no_tls1_2 3. Test with a given ciphersuite: s_client -host sdcstest.blob.core.windows.net -port 443 -cipher ECDHE-RSA-AES256-GCM-SHA384 4. Verify if remote server’s certificates are trusted.
Success connection example: CONNECTED(000001A0) depth=1 C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02 verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = *.blob.core.windows.net verify return:1 --- Certificate chain 0 s:CN = *.blob.core.windows.net i:C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02 1 s:C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02 i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root --- Server certificate -----BEGIN CERTIFICATE----- MIINtDCCC5ygAwIBAgITfwAI6NfesKGuQGWPYQAAAAjo1zANBgkqhkiG9w0BAQsF ADBPMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u pK8hqxL0zc4NQLRTq9RNpdPwnNmGn5SZ4Nu5ktUgWokR97THzgs6a/ErHH2tigLF jwkgB8UuV/hhu3vEa0jxstSBgbjQPgSNexAl7XwgawaucIF+wkRpPW2w0VTcDWtT 1bGtFCpewAo= -----END CERTIFICATE----- subject=CN = *.blob.core.windows.net issuer=C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02 --- No client certificate CA names sent Peer signing digest: MD5-SHA1 Peer signature type: RSA Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 5399 bytes and written 293 bytes Verification error: unable to get local issuer certificate --- New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.1 Cipher : ECDHE-RSA-AES256-SHA Session-ID: B60B0000F51FFB7C9DDB4E58CD20DC20987C13CFD31386BE435D612CF5EFDBF9 Session-ID-ctx: Master-Key: DA402F6E301B4E4981B7820CAF6E0AF3C633290E85E2998BFAB081788488D3807ABD3FF41FF48DA55DB56281C024C4F4 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1615557502 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) Extended master secret: yes
Fail connection example due to TLS mismatch: OpenSSL> s_client -host sdcstest.blob.core.windows.net -port 443 -tls1_3 CONNECTED(0000017C) write:errno=10054 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 254 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- error in s_client
Fail connection example due to network connectivity: OpenSSL> s_client -host sdcstest.blob.core.windows.net -port 7780 30688:error:0200274C:system library:connect:reason(1868):crypto/bio/b_sock2.c:110: 30688:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111: connect:errno=0 error in s_client
Online tool https://www.ssllabs.com/ssltest/
Suitable scenarios: TLS version mismatch, no supported CipherSuite.
This is a free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. It can list all supported TLS versions and ciphers of a server. And auto detect if server works fine in different types of client, such as web browsers, mobile devices, etc. Please note, this only works with public access website. For internal access website will need to run above curl or openssl from an internal environment. And it only supports domain name and does not work with IP address.
Web Browser:
Suitable scenarios: Verify if server certificate chain is trusted on client.
Web Browser can be used to verify if remote server’s certificate is trusted or not locally: Access the url from web browser. It does not matter if the page can be load or not. Before loading anything from the remote sever, web browser tried to establish SSL connection. If you see below error returned, it means certificate is not trusted on current machine.
Certutil
Suitable scenarios: Verify if server certificate on client, verify client certificate on server.
Certutil is a tool available on windows. It is useful to verify a given certificate. For example verify server certificate from client end. If mutual authentication is implemented, this tool can also be used to verify client certificate on server. The command auto verifies trusted certificate chain and certificate revocation list (CRL).
Command: certutil -verify -urlfetch https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil#-verify
Next blog, I will introduce solutions for common causes of SSL/TLS connection issues. |
【本文地址】