2

I have a farm of IIS 6 web servers hosting a website over HTTP and HTTPS. With Safari 4 on a Mac, connecting over HTTPS, some nodes in the farm trigger the browser to raise a certificate error to the user, the other nodes work fine. Always the same nodes cause the problem but the problem does not appear to occur in IE or Chrome.

I presume these nodes in the farm are misconfigured but I cannot easily identify the problem from looking at the individual server setups. I'd like to point a client-side tool at a known good node and capture the SSL client and server hello, the certificate message, the key exchange, etc from the client's perspective, unencrypted and then repeat on a known problem node and then compare.

Can you please suggest any Windows tools for this, or perhaps a better way to diagnose the fault?

John Gardeniers
  • 27,458
  • 12
  • 55
  • 109
Jason Stangroome
  • 345
  • 7
  • 21

4 Answers4

5

I've often used OpenSSL's s_client. I don't see why the Win32 version shouldn't work the same.

You can use the following command to be very verbose about the SSL handshake:

openssl s_client -debug -msg -state -status -showcerts -connect <host>:443

You can then drop some of the arguments off if you wish to be less chatty.

You may also wish to specify -CAfile with your sole signing CA.

Dan Carley
  • 25,617
  • 5
  • 53
  • 70
2

The article The First Few Milliseconds of an HTTPS Connection explains what are you looking for.

FerranB
  • 1,372
  • 2
  • 18
  • 28
1

Have a look at fiddler2 - http://www.fiddler2.com

"Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language."

Fiddler is a great general purpose web debugging tool. Now, for your purposes you might want to combine the advice from David in terms of connecting to each of the servers individually with the ability to trace from Fiddler what is going on. It's obviously key to know which server you are connecting to so that you can identify exactly where the problem lies

James Berry
  • 123
  • 5
  • I am familiar with Fiddler2... great tool. Unfortunately it seems to use its own certs when proxying HTTPS traffic and doesn't reveal sufficient information about the SSL handshake with the server. – Jason Stangroome Jul 15 '09 at 22:40
  • It does for me. I had it intercept https traffic, and it shows the server certificate detail under the inspector view of the CONNECT line... – James Berry Jul 16 '09 at 12:11
0

How is the farm configured? If you can see each node of the farm (i.e. you are on the same network directly or via VPN, or they have public facing IP addresses), could you not connect to each and see which is having certificate problems?

For each node:

  • completely close your browser (in case it has cached the IP address associated with the name, as we are about to change that association locally in the next step)
  • associate its direct address with the (sub)domain name that you expect to be on the certificate by adding an entry in your hosts file (c:\windows\system32\drivers\etc\hosts on most Windows configurations)
  • open your browser and go to the site
David Spillett
  • 22,754
  • 45
  • 67
  • I have already done this. I know which nodes in the farm are wrong. Unfortunately the details in the error presented by the browser are insufficient to determine what is misconfigured on those servers. – Jason Stangroome Jul 15 '09 at 22:37