Sidebar

How do I read a SSL log to troubleshoot/verify the ssl negotiation is working and what is failing.

0 votes
8.1K views
asked Oct 9, 2015 by brandon-w-8204 (30,600 points)
I have enabled the ssl debug/logging statements using kb https://www.qvera.com/kb/index.php/20/configure-qie-produce-additional-logging-for-connections?show=20#q20. But now that I have the output how do I read it and verify what is wrong.

1 Answer

+1 vote
1. FIrst step is for the Client to start the handshake. This starts with the ClientHello
Handshake Starts Here    --->   *** ClientHello, TLSv1                                
2. The server then responds with ServerHello. This is where the server defines its configuration and presents its cerficate for the client to verify.
Server With Cipher Suite --->   *** ServerHello, TLSv1
                                ** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Cert Chain From Server   --->   *** Certificate chain
   Can be more than 1.          chain [0] = [
                                [
3. Next the Client should trust or accept the certificate:
Client Accepted Certificate ->  Found trusted certificate:
                                [
                                [
                                  Version: V3
                                  Subject: CN=Qvera Training Cert, O=Qvera, OU=LLC, L=Kaysville, ST=Utah, C=United States
                                  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
4. If the connection is client authenticated the server would request the clients certficate
Server Requests Client Cert ->  *** CertificateRequest
                                Cert Types: RSA, DSS, ECDSA
                                Cert Authorities:
Client Must Send This    --->   <CN=training.qvera.com, O=Qvera, OU=Training, L=Kaysville, ST=UT, C=USA>
            Or This      --->   <CN=Qvera Training Cert, O=Qvera, OU=LLC, L=Kaysville, ST=Utah, C=United States>
Server Will Wait For Response > *** ServerHelloDone
Client Found Match (1st Cert) > matching alias: training.qvera.com
Client Sends Cert Back   --->   *** Certificate chain
                                chain [0] = [
                                [
The CertificateRequest Before     Version: V3
the ServerHelloDone indicates     Subject: CN=training.qvera.com, O=Qvera, OU=Training, L=Kaysville, ST=UT, C=USA
 
                                  
5. Now that both sides trust each other we now exchange a session key to use to encrypt all other data. This is is sent by the client and encrypted with the server public certificate so that only the server can decrypt it with the private key.
 
Client Sends Session Key --->   *** ECDHClientKeyExchange
                                ECDH Public value:  { 4, 242, 2, 214, 195, 142, 35, 247, 139, 152, 105, 141, 136, 55, 46, 15, 81, 1, 129, 34, 173, 109, 131, 174, 90, 221, 145, 139, 148, 88, 191, 215, 62, 247, 211, 33, 0, 246, 131, 228, 0, 243, 190, 31, 181, 22, 210, 109, 127, 48, 121, 199, 50, 195, 102, 101, 217, 69, 56, 179, 6, 201, 252, 14, 212 }
                                Thread-20, WRITE: TLSv1 Handshake, length = 974
                                SESSION KEYGEN:
                                
Server Accepts Session Key -->  *** CertificateVerify
                                Thread-20, WRITE: TLSv1 Handshake, length = 262
                                Thread-20, WRITE: TLSv1 Change Cipher Spec, length = 1
                                *** Finished
                                verify_data:  { 164, 40, 105, 20, 127, 37, 47, 162, 66, 76, 243, 117 }
                                ***
                                Thread-20, WRITE: TLSv1 Handshake, length = 48
                                Thread-20, READ: TLSv1 Change Cipher Spec, length = 1
                                Thread-20, READ: TLSv1 Handshake, length = 48
 
6. Connection complete you will see the following in the log.
All Done Secure Connection -->  *** Finished
 
answered Dec 17, 2015 by brandon-w-8204 (30,600 points)
...