Scenario:
Environment:
- You have an SSL/HTTPS-based web site, say https://gunnalag.com/
- It is hosted on two web servers, one running IIS6 (on W2K3) and the other running IIS7 (on W2K8R2), in a data center, and you have two such data centers.
- The web site runs Java Servlets and is hosted in Tomcat, with IIS fronting the requests.
- Each web server has three network cards with three different static IP addresses.
- These web servers are located in the DMZ, behind the load balancer and the firewall.
- The load balancer distributes the traffic between the two web servers on their private IP addresses.
- The firewall is configured to publish the www.gunnalag.com host on a public IP address.
- The firewall NATs that single public IP address to the two web servers' private IP addresses at each data center.
- The IIS bindings are as below:
- Http IP1 www.gunnalag.com
- Http IP1 www.dc1.gunnalag.com
- Https * (for all IPs) www.gunnalag.com
Status:
- In the environment above, HTTPS on IIS is bound to all IPs on the web server, but HTTPS communication was still failing. This is because, on the firewall, the traffic on the public IP is NATed to only one IP on the web server.
- You can fix this either by changing the HTTPS binding to use the allowed IP alone, or by expanding the public IP NAT to all IPs of the web servers.
Troubleshooting Tools:
You can verify whether SSL communication is enabled and working on your web site. In the example below, 74.125.227.115 is a public address for www.google.com, and the command checks the status of SSL communication for that site.
C:\>openssl s_client -connect 74.125.227.115:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1772 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 0292A32D8D447D5CA21D46E9D18E10EDD39D3FCCCE37F62B3545404D5912446C
Session-ID-ctx:
Master-Key: CC21F76693E690FE0ECADC70B4EDAA97725BF51677A2607B9E79BB4314494628471593A3DA24767E94CD072D161C3A85
Key-Arg : None
Start Time: 1353586509
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
SSL3 alert write:warning:close notify
C:\>openssl s_client -connect www.google.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1752 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: E8A0699A076FCF13AE58ADBE8100785FF9EB563EC024668CCAEDAF1113392E08
Session-ID-ctx:
Master-Key: AC6C7A6A52124CDF58B51CC20A6342FE0AB4E3C254AC3F34688D8ECA1A1DEE99C42D52EDCC66FE93A06F0822427BFC1B
Key-Arg : None
Start Time: 1353586735
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
SSL3 alert write:warning:close notify
If SSL communication is not enabled, or not configured properly for a web site, you'll get an error message like the one below:
C:\>openssl s_client -connect 66.239.205.228:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=104
C:\>
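The transcripts above are read by eye; in the scenario described in this post (three NIC IPs per server and one NAT'd public IP), it helps to probe every candidate address the same way and reduce each run to a verdict. The script below is an added example, not code from the original post: it wraps openssl s_client in a small POSIX shell function, classifies the output into handshake-completed, TCP-only (the failure case shown above) or refused, and extracts the certificate subject. It assumes openssl is on PATH; the host name and IPs on the command line are placeholders, and the two sample outputs embedded in the script are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: probe every address a site may
# answer on (each NIC IP and the NAT'd public IP) with openssl s_client and turn
# its verbose output into a one-word verdict per address. Assumes openssl is on
# PATH; the host name and IPs passed on the command line are placeholders.
# classify_sclient: read s_client output on stdin and print one of
#   ok      - TLS handshake completed (s_client printed "Verify return code")
#   no-tls  - TCP connected but no server hello came back (the post's failure
#             case: nothing answers TLS on that IP)
#   refused - no TCP connection at all
#   unknown - anything else
classify_sclient() {
    out=$(cat)
    case "$out" in
        *"Verify return code"*)                    echo ok ;;
        *"error in SSLv2/v3 read server hello"*)   echo no-tls ;;
        *"connect:errno="*|*"Connection refused"*) echo refused ;;
        *)                                         echo unknown ;;
    esac
}
# cert_subject: print the subject of the server certificate, if one was sent.
cert_subject() {
    sed -n 's/^subject=//p'
}
# probe_https IP HOST: connect to IP:443 with SNI set to HOST and print
# "IP verdict subject" instead of s_client's raw output.
probe_https() {
    ip=$1; host=$2
    raw=$(openssl s_client -connect "$ip:443" -servername "$host" -state </dev/null 2>&1 || true)
    verdict=$(printf '%s\n' "$raw" | classify_sclient)
    subj=$(printf '%s\n' "$raw" | cert_subject)
    printf '%s %s %s\n' "$ip" "$verdict" "$subj"
}
# Constructed sample outputs (abridged to the lines that matter) so the
# classifier can be exercised without network access.
SAMPLE_OK='CONNECTED(00000003)
SSL_connect:SSLv3 read server hello A
subject=/C=US/O=Example/CN=www.example.test
Verify return code: 20 (unable to get local issuer certificate)
DONE'
SAMPLE_NO_TLS='CONNECTED(00000003)
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=104'
# Usage: sh probe.sh www.gunnalag.com 10.0.0.11 10.0.0.12 10.0.0.13
if [ "$#" -gt 1 ]; then
    host=$1; shift
    for ip in "$@"; do probe_https "$ip" "$host"; done
fi
```

A binding/NAT mismatch like the one in the Status section shows up as "ok" on exactly one private IP and "no-tls" on the others; a "Verify return code" other than 0 still counts as a completed handshake, since it only reflects whether s_client trusted the chain.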