SSL/TLS Debugging
Common issues.
Certificate issues
Most TLS production failures are certificate failures. Expiry, wrong name and a broken chain cover almost all incidents, and each has a one-line diagnostic.
- Expired certificate. openssl x509 -in cert.pem -enddate -noout prints the notAfter date; put it behind an alert with a window of a week or more, so expiry is caught before the customer reports it.
- Wrong domain. openssl s_client -connect host:443 -servername domain; checks that the certificate served for that SNI name actually covers the name the client will ask for. Modern clients match subjectAltName, not the CN, so a cert whose CN is right but whose SAN list is not still fails.
- Chain broken. openssl s_client -showcerts -connect host:443; a server that sends only the leaf and not its intermediate produces "Verify return code: 21 (unable to verify the first certificate)". It is the classic failure mode, and it is easy to miss from a browser that has cached the intermediate from an earlier visit, which is why a clean client or an external scan is the reliable check.
- Auto-renewal pipeline. Per-cert auto-renewal prevents expiry incidents at the source instead of catching them at the alert; keep the alert anyway, because it is also the check that the renewal pipeline itself is still running.
Handshake failures
Handshake failures are negotiation failures: cipher suite, protocol version, SNI. Modern clients and modern servers usually agree; legacy stacks fight, and the alert the client receives names which parameter they fought over.
- Cipher suite mismatch. Client and server have no cipher suite in common, so the server sends a handshake_failure alert. Each stack's supported cipher list determines the overlap; an empty overlap is the failure, and it commonly appears when a server is hardened to a short modern list that an old client does not implement.
- Protocol mismatch. TLS 1.3-only client against a TLS 1.0 server, or vice versa; the alert is protocol_version. Check each stack's supported protocol range, including any distro-level minimum (OpenSSL security level, system crypto policy) applied on top of the library default.
- SNI not supported. Ancient clients, some embedded HTTP libraries and anything that connects by IP address omit SNI, so the server cannot pick the right certificate and serves its default one; the failure looks like a certificate name mismatch rather than a handshake error, which is what makes it confusing.
- Per-host protocol minimum. Set an explicit minimum TLS version per host (TLS 1.2 today) rather than inheriting the library default; the discipline matches modern security expectations and turns the protocol mismatch above into a deliberate decision instead of an accident.
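The three failures above, reproduced against a one-shot local openssl s_server rather than a production host. This is an added example, not code from the original page. The port 44331, the names default.invalid and www.example.com and the self-signed certificates are assumptions of the lab. The server is pinned to TLS 1.2 and, for the cipher case, to one suite; the client is pinned the other way, and the function reports the alert the client received (protocol version, handshake failure) or, on success, which certificate was served, which is how the missing-SNI case shows up. It assumes openssl 1.1.1 or later for -noservername and -tls1_3.

```sh
#!/bin/sh
# Added example, not part of the original page: reproduce the three negotiation
# failures against a one-shot local s_server. The port, the two hostnames and
# the self-signed certs are constructed for this lab.

LAB="${LAB:-$(mktemp -d)}"
PORT="${PORT:-44331}"

make_selfsigned() {   # $1 = CN, also used as the file name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$LAB/$1.key" -out "$LAB/$1.crt" >/dev/null 2>&1
}

# Start a server that serves default.invalid unless the client names
# www.example.com via SNI, accept one connection, then report what the client
# saw: "ok <served subject>" or the alert the server sent it.
handshake() {   # $1 = extra s_server options, $2 = s_client options
    srv_opts="$1"; cli_opts="$2"
    # shellcheck disable=SC2086  # word-splitting the option strings is intended
    openssl s_server -accept "$PORT" -naccept 1 -www -quiet \
        -cert "$LAB/default.invalid.crt" -key "$LAB/default.invalid.key" \
        -servername www.example.com \
        -cert2 "$LAB/www.example.com.crt" -key2 "$LAB/www.example.com.key" \
        $srv_opts >/dev/null 2>&1 &
    srv=$!
    sleep 1   # let the listener bind before the client connects
    # shellcheck disable=SC2086
    if out=$(openssl s_client -connect "127.0.0.1:$PORT" $cli_opts </dev/null 2>&1); then
        echo "ok $(printf '%s\n' "$out" | grep '^subject=' | head -n 1)"
    else
        # s_client reports the peer's alert, e.g. "tlsv1 alert protocol version"
        alert=$(printf '%s\n' "$out" | grep -o 'alert [a-z/ ]*' | head -n 1)
        echo "fail: ${alert:-no alert received, inspect s_client output}"
    fi
    wait "$srv" 2>/dev/null || true
}

run_lab() {
    make_selfsigned default.invalid && make_selfsigned www.example.com || return 1
    echo "protocol, 1.3-only client vs 1.2-only server: $(handshake -tls1_2 -tls1_3)"
    echo "cipher, no suite in common (both TLS 1.2):   $(handshake \
        '-tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256' \
        '-tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384')"
    echo "SNI sent:    $(handshake '' '-servername www.example.com')"
    echo "SNI omitted: $(handshake '' -noservername)"
}

run_lab
```

The two failing cases end with an alert and no certificate at all, so they are unmistakably handshake problems. The SNI case is the one that misleads: the handshake succeeds, the client simply gets default.invalid instead of www.example.com, and everything downstream reports a name mismatch. Swapping -noservername for the production client's real behaviour is the fastest way to confirm that diagnosis.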
Performance issues
TLS adds latency; session resumption, OCSP stapling and TLS 1.3 claw most of it back. Without the optimisations, every connection pays the full handshake cost.
- Handshake latency. A full TLS 1.2 handshake costs two round trips on top of the TCP handshake, so 50-200 ms is typical over the public internet and scales with RTT. The per-host resumption rate is the optimisation lever: a resumed handshake skips the certificate exchange and most of the asymmetric crypto.
- OCSP stapling. The server fetches its own revocation status from the CA's OCSP responder ahead of time and sends the signed response inside the handshake, so the client makes no OCSP round trip of its own (and does not tell the CA which site it is visiting). Monitor the staple's validity window: an expired staple is at best a wasted optimisation and, with OCSP Must-Staple, a hard failure.
- TLS 1.3. Make 1.3 the default on every stack that supports it; a full handshake takes one round trip instead of two. Resumption can additionally carry 0-RTT data, but 0-RTT is replayable by design and belongs only on idempotent requests.
- Cluster session-ticket sharing. Nodes behind one load balancer must share the session-ticket encryption key, or a client that resumes against a different node gets a full handshake and the resumption rate collapses at exactly the scale where it matters. Rotate the shared key on a schedule of hours rather than months: a long-lived ticket key is one secret that decrypts every session it protected, which undoes forward secrecy.
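Measuring the resumption rate directly, against a local test server. This is an added example, not code from the original page; port 44332, resume.example.com and the self-signed certificate are constructed for the lab. The server is pinned to TLS 1.2 because there the session ticket arrives inside the handshake; TLS 1.3 sends NewSessionTicket after the handshake, and a client that disconnects immediately may never receive it, which is itself a common reason a measured resumption rate comes out lower than expected. The last function shows the cluster point: a new s_server process has a new random ticket key, so the saved session gets a full handshake, exactly what a client sees when it lands on a node that does not share the key.

```sh
#!/bin/sh
# Added example, not part of the original page: measure session resumption
# against a local test server. Port and hostname are constructed for this lab.

LAB="${LAB:-$(mktemp -d)}"
PORT="${PORT:-44332}"
SESS="$LAB/session.pem"

make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=resume.example.com" \
        -keyout "$LAB/resume.key" -out "$LAB/resume.crt" >/dev/null 2>&1
}

# Background server that accepts $1 connections and then exits. TLS 1.2 is
# pinned so the session ticket is delivered inside the handshake (TLS 1.3
# sends it afterwards; a client that hangs up at once may not receive it).
start_server() {   # sets SRV_PID
    openssl s_server -accept "$PORT" -naccept "$1" -www -quiet -tls1_2 \
        -cert "$LAB/resume.crt" -key "$LAB/resume.key" >/dev/null 2>&1 &
    SRV_PID=$!
    sleep 1
}

# One connection; prints "New" or "Reused", the word s_client itself reports.
connect_once() {   # $1 = extra s_client options
    # shellcheck disable=SC2086
    out=$(openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 $1 </dev/null 2>&1) || true
    printf '%s\n' "$out" | grep -oE '^(New|Reused)' | head -n 1
}

# $1 connections to one server process: the first is fresh and saves the
# session, the rest try to resume it. Prints "reused/total", the ratio a
# per-host alert threshold would be set against.
resumption_rate() {
    total="$1"; reused=0
    start_server "$total"
    connect_once "-sess_out $SESS" >/dev/null
    i=1
    while [ "$i" -lt "$total" ]; do
        if [ "$(connect_once "-sess_in $SESS")" = Reused ]; then
            reused=$((reused + 1))
        fi
        i=$((i + 1))
    done
    wait "$SRV_PID" 2>/dev/null || true
    echo "$reused/$total"
}

# A fresh server process has a fresh random ticket key, so the saved session
# falls back to a full handshake. That is what an un-synchronised cluster
# looks like to a client that lands on a different node.
resume_against_new_process() {
    start_server 1
    result=$(connect_once "-sess_in $SESS")
    wait "$SRV_PID" 2>/dev/null || true
    echo "$result"
}

make_cert || exit 1
echo "resumption rate, one server process:  $(resumption_rate 4)"
echo "resume against a new server process:  $(resume_against_new_process)"
```

Against one process the rate is 3/4 (the first connection is necessarily full); against a restarted process the same saved session reports "New". In production the second number is what a client sees whenever the load balancer sends it to a node whose ticket key differs, and the fix is the shared, rotated key described above rather than stickier load balancing.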
Debugging tools
The standard tools cover most TLS investigation. Reach for openssl first; escalate to packet level only when the handshake itself is the mystery.
- openssl s_client. Full debug output for one handshake; verbose; shows every field; the canonical first call. Read the "Verify return code" line first, it names the certificate problem directly, and remember that s_client completes the handshake even when verification fails, so a connection that looks successful is not a clean bill of health.
- curl -v --tlsv1.3. Connection-level TLS debug per request (the flag is --tlsv1.3, which sets a minimum protocol version). Application-friendly and closer to what a production client does: unlike s_client it verifies chain and hostname and fails the request on a mismatch, the way an SDK would.
- Wireshark. Packet-level inspection per incident; reserve for the advanced cases where the openssl output does not explain. With TLS 1.3 only the ClientHello and ServerHello are readable in the clear; to see the rest, capture the session keys with SSLKEYLOGFILE (supported by curl and the major browsers) and load them into Wireshark.
- Per-host SSL Labs scan. Third-party external scan (Qualys SSL Labs); catches misconfiguration the internal view misses, such as a missing intermediate that your own machines do not notice because they already trust it.