Debugging TLS Setup Issues: Tools and Commands


I recently encountered an mTLS issue, and the following commands and tools were quite helpful in diagnosing and resolving the problem.

OpenSSL Commands

Establish a TLS connection

openssl s_client -connect host:port

Force a Specific TLS Version
To force TLS 1.3:

openssl s_client -connect host:port -tls1_3

This allows you to test compatibility with specific TLS versions.

Specify a Cipher Suite

openssl s_client -connect host:port -ciphersuites TLS_AES_256_GCM_SHA384

Display the Entire Certificate Chain

openssl s_client -connect host:port -showcerts

Print Session Information even if Handshake Fails

openssl s_client -connect host:port -showcerts -prexit

This is particularly useful for mTLS.

Establish an mTLS connection

openssl s_client -connect host:port -cert client_cert.pem -key client_key.pem -CAfile ca_cert.pem

View Acceptable Client Certificate CA Names
For mTLS, the CA names the server will accept for client certificates are listed in the openssl s_client output:

---
Acceptable client certificate CA names
[...]
---

View Certificate Details

openssl x509 -in cert.pem -noout -text

Display Certificate Fingerprint

openssl x509 -noout -fingerprint -in cert.pem

Verify Key Integrity

openssl rsa -in key.pem -check

Verify Certificate Chain
To verify the chain, such as for a client certificate:

openssl verify -CAfile ca_cert.pem client_cert.pem

Extract the Modulus
Extract the modulus from the certificate and from the private key to check that the two belong together.

openssl x509 -in client_cert.pem -noout -modulus
openssl rsa -in client_key.pem -noout -modulus
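The chain verification and modulus comparison above, wrapped into shell functions as an added example (not from the original post). It builds a throwaway CA and client certificate with openssl first, so every file name here is constructed for the demo; it also shows the mismatch case with a key that does not belong to the certificate.

```shell
#!/bin/sh
# Added example: constructed CA, client cert and keys, then the checks from the post.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed CA and a client cert it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout "$WORK/ca_key.pem" -out "$WORK/ca_cert.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
  -keyout "$WORK/client_key.pem" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca_cert.pem" \
  -CAkey "$WORK/ca_key.pem" -CAcreateserial -days 1 \
  -out "$WORK/client_cert.pem" 2>/dev/null
# A second RSA key that does NOT belong to the certificate (the mismatch case).
openssl genrsa -out "$WORK/other_key.pem" 2048 2>/dev/null

# Returns 0 when the RSA modulus in the cert equals the modulus in the key.
# Both commands print "Modulus=<hex>", so a plain string comparison suffices.
key_matches_cert() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus)
  key_mod=$(openssl rsa -in "$2" -noout -modulus)
  [ "$cert_mod" = "$key_mod" ]
}

# Returns 0 when the certificate ($2) chains to the CA bundle ($1).
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Walk through the cases a debugging session would hit.
key_matches_cert "$WORK/client_cert.pem" "$WORK/client_key.pem" \
  && echo "client_key.pem matches client_cert.pem"
key_matches_cert "$WORK/client_cert.pem" "$WORK/other_key.pem" \
  || echo "other_key.pem does NOT match client_cert.pem"
chain_verifies "$WORK/ca_cert.pem" "$WORK/client_cert.pem" \
  && echo "client_cert.pem verifies against ca_cert.pem"
```

The modulus comparison only applies to RSA keys; for other key types, compare the output of openssl x509 -pubkey -noout with openssl pkey -pubout instead.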

testssl.sh

drwetter/testssl.sh: Testing TLS/SSL encryption anywhere on any port

testssl.sh is a great command-line tool that provides in-depth analysis of a server’s TLS configuration with a single command:

testssl.sh host:port

It offers a wealth of information, including supported protocols, cipher suites, certificate details, and vulnerability assessments.

curl

Even a simple curl command can be helpful for debugging TLS issues. By running curl -vv host:port, you get a verbose output detailing the connection establishment process, including TLS handshake details.

Recommended Ciphers

For an overview of recommended cipher suites, Cloudflare provides excellent guidance. Check out their recommendations here.

Additionally, testssl.sh can also provide insights into the server’s supported ciphers.

Author: Amin Chawki, Senior Software Engineer