SSL/TLS Debugging
Common issues.
Certificate issues
Expired certificate: openssl x509 -in cert.pem -enddate -noout. Catches expiration before customers report it.
Wrong domain: openssl s_client -connect host:443 -servername domain. Verify that the served cert matches the requested domain (-servername sends SNI, so you see the cert that virtual host actually serves).
Chain broken: openssl s_client -showcerts -connect host:443. The full chain should be visible; a missing intermediate is the common cause.
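The three checks above, run offline as an added example (not part of the original notes). The script builds its own throwaway PKI with openssl (a root CA, an intermediate, and a leaf for the constructed hostname example.test), then applies the expiry, hostname and chain checks to it. The function names (make_demo_pki, cert_valid_for, cert_matches_host, chain_verifies, run_demo) are this example's own; the chain test deliberately reproduces the "missing intermediate" case by verifying the leaf against the root alone and then with the intermediate supplied.

```shell
#!/bin/sh
# Added example, not part of the original notes: the certificate checks
# (expiry, wrong domain, broken chain) run against a throwaway PKI that this
# script builds itself. Root CA, intermediate, leaf and the name example.test
# are all constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf. The leaf is valid for 30 days so the
# expiry check has a boundary to find; the intermediate is the piece a
# misconfigured server usually forgets to send.
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'subjectAltName=DNS:example.test,DNS:www.example.test\n' > "$WORK/leaf.ext"
  for name in root int leaf; do
    case $name in
      root) subj="/CN=Demo Root CA" ;;
      int)  subj="/CN=Demo Intermediate CA" ;;
      leaf) subj="/CN=example.test" ;;
    esac
    openssl req -newkey rsa:2048 -nodes -subj "$subj" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 180 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 3 -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Expiry: succeeds when cert $1 stays valid for at least $2 more seconds.
# -checkend exits non-zero once notAfter falls inside that window.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Wrong domain: succeeds when hostname $2 is covered by the SAN list (or the
# CN when no SAN is present). -checkhost always exits 0, so the text is checked.
cert_matches_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# Broken chain: succeeds when leaf $1 chains to trust anchor $2. Any further
# arguments are intermediates supplied out of band, i.e. the ones that should
# have come from the server. Paths are assumed to contain no whitespace.
chain_verifies() {
  leaf=$1; anchor=$2; shift 2
  untrusted=""
  for f in "$@"; do untrusted="$untrusted -untrusted $f"; done
  # shellcheck disable=SC2086
  openssl verify -CAfile "$anchor" $untrusted "$leaf" >/dev/null 2>&1
}

run_demo() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; skipping demo" >&2
    return 0
  fi
  make_demo_pki
  leaf="$WORK/leaf.pem"; root="$WORK/root.pem"; inter="$WORK/int.pem"
  if cert_valid_for "$leaf" 604800;  then echo "expiry:  valid for at least 7 days"; fi
  if ! cert_valid_for "$leaf" 5184000; then echo "expiry:  expires within 60 days, plan renewal"; fi
  if cert_matches_host "$leaf" www.example.test; then echo "domain:  www.example.test covered"; fi
  if ! cert_matches_host "$leaf" other.test; then echo "domain:  other.test NOT covered"; fi
  if ! chain_verifies "$leaf" "$root"; then echo "chain:   fails with root only (intermediate missing)"; fi
  if chain_verifies "$leaf" "$root" "$inter"; then echo "chain:   verifies once the intermediate is supplied"; fi
}

run_demo
```

For a live server, save the output of openssl s_client -showcerts to a file, split the PEM blocks into leaf and intermediates, and feed them to chain_verifies with the system trust store as the anchor; if verification only succeeds when you add an intermediate the server did not send, the server's chain is the problem, not the client.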
Handshake failures
Cipher suite mismatch: client and server cannot agree on a cipher. Update one or both.
Protocol mismatch: TLS 1.3-only client, TLS 1.0-only server (or vice versa). Modernise.
SNI not supported: ancient clients. Update them or accept the limitation.
Performance issues
TLS handshake latency: 50-200ms typical. Add session resumption for repeat connections.
OCSP stapling: server pre-fetches revocation status. Reduces client-side roundtrips.
TLS 1.3: faster handshake than 1.2. Modern stacks should default to 1.3.
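A triage helper for openssl s_client output, added here as an example (not part of the original notes), covering both the handshake failures and the performance items above. It maps the error and status lines OpenSSL prints to the categories in the notes: protocol mismatch, cipher mismatch (which is also what a missing SNI looks like on a virtual host), a non-TLS listener, a broken chain, expiry and hostname mismatch, plus the TLS version, session resumption and OCSP stapling signals. The sample lines at the bottom are constructed for the demo, modelled on the OpenSSL 1.1.1 and 3.x message formats; probe_tls, triage_handshake and triage_performance are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the original notes: classify `openssl s_client`
# output into the handshake and performance issues listed above. Sample input
# at the bottom is constructed, modelled on OpenSSL 1.1.1 and 3.x output.
set -eu

# True when text $1 contains ERE pattern $2.
_has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Read s_client output on stdin; print one "tag: hint" line per recognised
# problem, or "no-known-problem" when nothing matches. Patterns match both the
# 1.1.1 wording ("SSL routines:ssl3_read_bytes:...") and 3.x ("SSL routines::...").
triage_handshake() {
  out=$(cat)
  found=0
  if _has "$out" 'alert protocol version|no protocols available'; then
    echo "protocol-mismatch: no TLS version in common; compare client and server min/max versions"; found=1
  fi
  if _has "$out" 'alert handshake failure|no shared cipher'; then
    echo "cipher-mismatch: no cipher suite in common (also seen when a virtual host receives no SNI)"; found=1
  fi
  if _has "$out" 'wrong version number'; then
    echo "not-tls: the port answered with something other than TLS (plain HTTP, wrong port, proxy)"; found=1
  fi
  if _has "$out" 'unable to get (local )?issuer certificate'; then
    echo "chain-broken: an intermediate is missing from the served chain"; found=1
  fi
  if _has "$out" 'certificate has expired'; then
    echo "expired: renew the certificate"; found=1
  fi
  if _has "$out" 'Hostname mismatch'; then
    echo "wrong-domain: the served certificate does not cover the requested name"; found=1
  fi
  [ "$found" -eq 1 ] || echo "no-known-problem"
}

# Same input; report what the session block says about the performance items:
# TLS version, session resumption, OCSP stapling.
triage_performance() {
  out=$(cat)
  case "$out" in
    *"Protocol  : TLSv1.3"*) echo "version: TLS 1.3 (one round trip handshake)" ;;
    *"Protocol  : TLSv1.2"*) echo "version: TLS 1.2 (two round trips; prefer 1.3 where both sides support it)" ;;
  esac
  case "$out" in
    *"Reused, TLSv1."*) echo "resumption: session reused, no full handshake" ;;
    *"New, TLSv1."*)    echo "resumption: full handshake (repeat with -sess_in to test reuse)" ;;
  esac
  case "$out" in
    *"OCSP Response Status: successful"*) echo "ocsp: stapled response present" ;;
    *"OCSP response: no response sent"*)  echo "ocsp: nothing stapled (the server is not stapling, or -status was not passed)" ;;
  esac
}

# Live use (needs network, not exercised by the demo): one handshake with SNI
# and an OCSP status request, then both triage passes. Usage: probe_tls host [port]
probe_tls() {
  host=$1; port=${2:-443}
  capture=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>&1 || true)
  printf '%s\n' "$capture" | triage_handshake
  printf '%s\n' "$capture" | triage_performance
}

# Constructed sample lines (not captured from any real host).
SAMPLE_PROTO='error:0A00042E:SSL routines::tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70'
SAMPLE_CIPHER='error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40'
SAMPLE_NOTTLS='error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/rec_layer_s3.c:332:'
SAMPLE_CHAIN='verify error:num=20:unable to get local issuer certificate'
SAMPLE_OK='Verify return code: 0 (ok)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
OCSP response: no response sent
    Protocol  : TLSv1.3'

for s in "$SAMPLE_PROTO" "$SAMPLE_CIPHER" "$SAMPLE_NOTTLS" "$SAMPLE_CHAIN"; do
  printf '%s\n' "$s" | triage_handshake
done
printf '%s\n' "$SAMPLE_OK" | triage_handshake
printf '%s\n' "$SAMPLE_OK" | triage_performance
```

The tags are deliberately coarse: "cipher-mismatch" in particular covers both a genuine cipher suite gap and a virtual host that answered without SNI, so the next step is to rerun with and without -servername and compare.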
Debugging tools
openssl s_client: full handshake debug.
curl -v --tlsv1.3: connection-level TLS debug (forces TLS 1.3 or newer; use --tlsv1.2 to compare).
Wireshark: packet-level for advanced cases.