Home / server / Questions / 40905
Accepted
Jason Stangroome
Asked: 2009-07-15 23:09:18 +0800 CST

How to simulate connection to HTTPS and record the handshake?

  • 772

I have a farm of IIS 6 web servers hosting a website over HTTP and HTTPS. With Safari 4 on a Mac, connecting over HTTPS, some nodes in the farm trigger the browser to raise a certificate error to the user, the other nodes work fine. Always the same nodes cause the problem but the problem does not appear to occur in IE or Chrome.

I presume these nodes in the farm are misconfigured but I cannot easily identify the problem from looking at the individual server setups. I'd like to point a client-side tool at a known good node and capture the SSL client and server hello, the certificate message, the key exchange, etc from the client's perspective, unencrypted and then repeat on a known problem node and then compare.

Can you please suggest any Windows tools for this, or perhaps a better way to diagnose the fault?

iis-6 certificate https

4 Answers

  1. Best Answer

    I've often used OpenSSL's s_client. I don't see why the Win32 version shouldn't work the same.

    You can use the following command to be very verbose about the SSL handshake:

    openssl s_client -debug -msg -state -status -showcerts -connect <host>:443

    You can then drop some of the arguments off if you wish to be less chatty.

    You may also wish to specify -CAfile with your sole signing CA.

    • 5

  2. The article The First Few Milliseconds of an HTTPS Connection explains what are you looking for.

    • 2

  3. Have a look at fiddler2 - http://www.fiddler2.com

    "Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language."

    Fiddler is a great general purpose web debugging tool. Now, for your purposes you might want to combine the advice from David in terms of connecting to each of the servers individually with the ability to trace from Fiddler what is going on. It's obviously key to know which server you are connecting to so that you can identify exactly where the problem lies

    • 1

  4. How is the farm configured? If you can see each node of the farm (i.e. you are on the same network directly or via VPN, or they have public facing IP addresses), could you not connect to each and see which is having certificate problems?

    For each node:

    • completely close your browser (in case it has cached the IP address associated with the name, as we are about to change that association locally in the next step)
    • associate its direct address with the (sub)domain name that you expect to be on the certificate by adding an entry in your hosts file (c:\windows\system32\drivers\etc\hosts on most Windows configurations)
    • open your browser and go to the site
    • 0