Investigating SSL communication issues

Scenario:

Environment:

  • You have an SSL/HTTPS based web site, say https://gunnalag.com/
  • It is hosted on two web servers, one running IIS6 (on W2K3) and another running IIS7 (on W2K8R2), in a data center, and you have two such data centers.
  • The web site runs Java Servlets and is hosted in Tomcat, with IIS fronting the requests.
  • Each web server has three network cards with three different static IP addresses.
  • These web servers are located in the DMZ behind the load balancer and firewall.
  • The load balancer distributes the traffic between the two web servers on their private IP addresses.
  • The firewall is configured to serve the www.gunnalag.com host on a public IP address.
  • The firewall NATs the single public IP address to the two web servers' private IP addresses at each data center.
  • IIS bindings are as below:
    Status:
    In the environment above, HTTPS on IIS is bound to all IPs on the web server, but HTTPS communication was still failing. This is because, on the firewall, the traffic on the public IP is NATed to only one IP on the web server.
    You can fix this either by changing the HTTPS binding to use the allowed IP alone or by expanding the public IP NAT to all IPs of the web servers.

    Troubleshooting Tools:

    You can verify whether SSL communication is enabled and working on your web site with openssl s_client. In the example below, 74.125.227.115 is a public address for www.google.com, and the command checks the status of SSL communication for that web site.

    C:>openssl s_client -connect 74.125.227.115:443 -state
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A

    Certificate chain
    0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
       i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
       i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDITCCAoqgAwIBAgIQT52W2WawmStUwpV8tBV9TTANBgkqhkiG9w0BAQUFADBM
    MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
    THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMTEwMjYwMDAwMDBaFw0x
    MzA5MzAyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
    MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw
    FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
    gYEA3rcmQ6aZhc04pxUJuc8PycNVjIjujI0oJyRLKl6g2Bb6YRhLz21ggNM1QDJy
    wI8S2OVOj7my9tkVXlqGMaO6hqpryNlxjMzNJxMenUJdOPanrO/6YvMYgdQkRn8B
    d3zGKokUmbuYOR2oGfs5AER9G5RqeC1prcB6LPrQ2iASmNMCAwEAAaOB5zCB5DAM
    BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl
    LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF
    BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw
    Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0
    ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF
    AAOBgQAhrNWuyjSJWsKrUtKyNGadeqvu5nzVfsJcKLt0AMkQH0IT/GmKHiSgAgDp
    ulvKGQSy068Bsn5fFNum21K5mvMSf3yinDtvmX3qUA12IxL/92ZzKbeVCq3Yi7Le
    IOkKcGQRCMha8X2e7GmlpdWC1ycenlbN0nbVeSv3JUMcafC4+Q==
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA

    No client certificate CA names sent

    SSL handshake has read 1772 bytes and written 307 bytes

    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 0292A32D8D447D5CA21D46E9D18E10EDD39D3FCCCE37F62B3545404D5912446C
        Session-ID-ctx:
        Master-Key: CC21F76693E690FE0ECADC70B4EDAA97725BF51677A2607B9E79BB4314494628471593A3DA24767E94CD072D161C3A85
        Key-Arg   : None
        Start Time: 1353586509
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)

    DONE
    SSL3 alert write:warning:close notify

    C:>openssl s_client -connect www.google.com:443 -state
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A

    Certificate chain
    0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority
    1 s:/C=US/O=Google Inc/CN=Google Internet Authority
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDgDCCAumgAwIBAgIKeCgvIgAAAABsyzANBgkqhkiG9w0BAQUFADBGMQswCQYD
    VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
    dGVybmV0IEF1dGhvcml0eTAeFw0xMjEwMjQxNzM0MzhaFw0xMzA2MDcxOTQzMjda
    MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
    b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw53d3cu
    Z29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvBFZ9lSJWqB/
    9QD7tmUKhRDEvgi97y/6SgTj9oaToaNs5eCgBUnkjXyMXfzG13mHtyuBEe8HndaD
    VthiN+wjww44nawUkVnnOSJ1ZNAltizoNMDBQGS7F30ucy+i5q+OkaLXx4RDZrtH
    LDQ/vSug9ZcBoIJzyj0CeGvuZJq9HxUCAwEAAaOCAVEwggFNMB0GA1UdJQQWMBQG
    CCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU1K0nGjPxNwWxYaAyE5xz+Xff
    OjYwHwYDVR0jBBgwFoAUv8Aw6/VDET5nup6R+/xq2uNrEiQwWwYDVR0fBFQwUjBQ
    oE6gTIZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5ldEF1dGhv
    cml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcmwwZgYIKwYBBQUHAQEEWjBY
    MFYGCCsGAQUFBzAChkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVy
    bmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNydDAMBgNVHRMB
    Af8EAjAAMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMA0GCSqGSIb3DQEBBQUA
    A4GBALLWdnVoB1gjaA0McG4NtwLpZDPOvmgfZVWF8KSyJRIUalkPDjTInzqg0o7Y
    MXxP3CB1vXXmGhBbjVCiyv1Bi6nyolJl9vmON2t1XqmSB/OvCd04wXNccU8Nn1lv
    GdMZ2yo5EuCJsxt7scj6pUsbHlPecxAcbFSD2Lc3CfPEVoRa
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority

    No client certificate CA names sent

    SSL handshake has read 1752 bytes and written 307 bytes

    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: E8A0699A076FCF13AE58ADBE8100785FF9EB563EC024668CCAEDAF1113392E08
        Session-ID-ctx:
        Master-Key: AC6C7A6A52124CDF58B51CC20A6342FE0AB4E3C254AC3F34688D8ECA1A1DEE99C42D52EDCC66FE93A06F0822427BFC1B
        Key-Arg   : None
        Start Time: 1353586735
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)

    DONE
    SSL3 alert write:warning:close notify

    If SSL communication is not enabled, or is not configured properly for the web site, you will get an error message like the one below:

    C:>openssl s_client -connect 66.239.205.228:443 -state
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:error in SSLv2/v3 read server hello A
    write:errno=104

    C:>
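When you run s_client against each of a server's IPs to find out where the HTTPS binding is actually reachable (the NAT problem described under Status), it helps to reduce the output to a verdict per IP. The following is an added example, not from the original post: it parses `-state` output excerpted from the two results shown above (the excerpts are constructed from those outputs, and the finding texts are this example's own) and separates binding or NAT problems from client-side verification noise.

```python
import re

# Constructed excerpts of `openssl s_client -connect <ip>:443 -state` output, trimmed
# from the two results on this page: a working site (74.125.227.115) and a host with
# no SSL listener (66.239.205.228).
OK_OUTPUT = """\
CONNECTED(00000003)
SSL_connect:SSLv3 read finished A
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
    Verify return code: 20 (unable to get local issuer certificate)
"""
FAIL_OUTPUT = """\
CONNECTED(00000003)
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=104
"""

def parse_s_client(output):
    """Reduce -state output to the fields a binding check cares about."""
    def grab(pattern, conv=str):
        m = re.search(pattern, output, re.M)
        return conv(m.group(1).strip()) if m else None
    return {
        "tcp_connected": "CONNECTED(" in output,
        "handshake_ok": "read finished A" in output,  # server's Finished was seen
        "subject": grab(r"^\s*0 s:(.+)$"),            # leaf cert: is it the right host?
        "cipher": grab(r"Cipher is (\S+)"),
        "key_bits": grab(r"Server public key is (\d+) bit", int),
        "verify_code": grab(r"Verify return code: (\d+)", int),
        "error": grab(r"^((?:SSL_connect:error|write:errno=|read:errno=).*)$"),
    }

def findings(r):
    """Defender's reading of one IP's result: what is wrong, and on which side."""
    if not r["tcp_connected"]:
        return ["no TCP connection: nothing listens on 443 or the firewall drops it"]
    if not r["handshake_ok"]:
        return ["TCP reached a host but no ServerHello came back: no HTTPS binding "
                "on this IP, or the NAT lands on a different one"]
    f = []
    if r["verify_code"]:  # non-zero: the local CA store, not the server binding
        f.append(f"chain not verified locally (code {r['verify_code']}); retry with -CAfile")
    if r["cipher"] and "RC4" in r["cipher"]:
        f.append("RC4 negotiated: disable it in the server cipher suite")
    if r["key_bits"] and r["key_bits"] < 2048:
        f.append(f"{r['key_bits']}-bit server key: reissue at 2048 bits or more")
    return f
```

Run s_client once per server IP and feed each capture to `parse_s_client`; an IP that connects but never gets a ServerHello is the one the binding or NAT change needs to cover.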
