How do I read a SSL log to troubleshoot/verify the ssl negotiation is working and what is failing.

Question

I have enabled the ssl debug/logging statements using kb https://www.qvera.com/kb/index.php/20/configure-qie-produce-additional-logging-for-connections?show=20#q20. But now that I have the output how do I read it and verify what is wrong.

Answer 1

1. FIrst step is for the Client to start the handshake. This starts with the ClientHello

Handshake Starts Here    --->   *** ClientHello, TLSv1                                

2. The server then responds with ServerHello. This is where the server defines its configuration and presents its cerficate for the client to verify.

Server With Cipher Suite --->   *** ServerHello, TLSv1

                                ** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Cert Chain From Server   --->   *** Certificate chain

   Can be more than 1.          chain [0] = [

                                [

3. Next the Client should trust or accept the certificate:

Client Accepted Certificate ->  Found trusted certificate:

                                [

                                [

                                  Version: V3

                                  Subject: CN=Qvera Training Cert, O=Qvera, OU=LLC, L=Kaysville, ST=Utah, C=United States

                                  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

4. If the connection is client authenticated the server would request the clients certficate

Server Requests Client Cert ->  *** CertificateRequest

                                Cert Types: RSA, DSS, ECDSA

                                Cert Authorities:

Client Must Send This    --->   <CN=training.qvera.com, O=Qvera, OU=Training, L=Kaysville, ST=UT, C=USA>

            Or This      --->   <CN=Qvera Training Cert, O=Qvera, OU=LLC, L=Kaysville, ST=Utah, C=United States>

Server Will Wait For Response > *** ServerHelloDone

Client Found Match (1st Cert) > matching alias: training.qvera.com

Client Sends Cert Back   --->   *** Certificate chain

                                chain [0] = [

                                [

The CertificateRequest Before     Version: V3

the ServerHelloDone indicates     Subject: CN=training.qvera.com, O=Qvera, OU=Training, L=Kaysville, ST=UT, C=USA

 

                                  

5. Now that both sides trust each other we now exchange a session key to use to encrypt all other data. This is is sent by the client and encrypted with the server public certificate so that only the server can decrypt it with the private key.

 

Client Sends Session Key --->   *** ECDHClientKeyExchange

                                ECDH Public value:  { 4, 242, 2, 214, 195, 142, 35, 247, 139, 152, 105, 141, 136, 55, 46, 15, 81, 1, 129, 34, 173, 109, 131, 174, 90, 221, 145, 139, 148, 88, 191, 215, 62, 247, 211, 33, 0, 246, 131, 228, 0, 243, 190, 31, 181, 22, 210, 109, 127, 48, 121, 199, 50, 195, 102, 101, 217, 69, 56, 179, 6, 201, 252, 14, 212 }

                                Thread-20, WRITE: TLSv1 Handshake, length = 974

                                SESSION KEYGEN:

                                

Server Accepts Session Key -->  *** CertificateVerify

                                Thread-20, WRITE: TLSv1 Handshake, length = 262

                                Thread-20, WRITE: TLSv1 Change Cipher Spec, length = 1

                                *** Finished

                                verify_data:  { 164, 40, 105, 20, 127, 37, 47, 162, 66, 76, 243, 117 }

                                ***

                                Thread-20, WRITE: TLSv1 Handshake, length = 48

                                Thread-20, READ: TLSv1 Change Cipher Spec, length = 1

                                Thread-20, READ: TLSv1 Handshake, length = 48

 

6. Connection complete you will see the following in the log.

All Done Secure Connection -->  *** Finished