SSL/TLS connection issue troubleshooting guide

Published 01-29-2021 04:06 AM 2,327 Views
Microsoft

Background:

 

Nowadays almost every service support connection over TLS to encrypt data in transit to protect data.

 

You may experience exceptions or errors when establishing TLS connections with Azure services. Exceptions are vary dramatically depending on the client and server types. A typical ones such as  "Could not create SSL/TLS secure channel." "SSL Handshake Failed", etc.

 

In this article we will discuss common causes of TLS related issue and troubleshooting steps.

 

How SSL/TLS connections are established:

 

Before we start, let us get to know how SSL/TLS connections are established. I know there are millions of articles out there explaining the same handshake process using different colors, styles and arrows, so here comes my version:

 

 

Shi_Ding_0-1611915237959.jpeg

 

 

  1. It is always client that starts a conversation. Client says "Hello, I would like to talk to you secretly by encrypting the messages. Here is my TLS version and a list CipherSuite I have on my hand. "
  2. Server checks if itself supports same TLS version and go through server's own CipherSuite lists to see if there is any matching ones.
  3. Server replies "Hello back, we can use the TLS version you sent and I find this CipherSuite from your list on my hand as well. Let's use this TLS version and CipherSuite. By the way here is my certificate (certificate chain) with my public key for you to check my identity."
  4. Client review server's certificate, verify if the certificate is expired, if it is issued to the same server name client tried to access, if the certificate issuer is trustable, or if the certificate is ever revoked, etc. Once verification passed, client creates a random secret and encrypt with server's public key (derived from server certificate).
  5. Client says "Alright let's use you picked cipher, here is secret key I encrypted with your public key. Let me know if you can understand."
  6. The message sent from client can be only decrypted using server's private key which is known by server only and cannot be peeked by others. So yes server is able to decrypt the secret key.
  7. Server replies "Let's encrypt using our own secret key and let's get our secret conversation start now!" (Normally server and client generate another key so called Master Key using the secrete key and agreed algorithm. Both server and client use the Master key for following message encryption and decryption. This step may be vary for different ciphers )
  8. *#FSNV%^&BSJ}D#@#(#*;]#  (Client and server starts their own secret conversation encrypted with their agreed secret key which I don't even understand…)

 

SSL/TLS connection real case example:

 

Below is a real example showing how it looks like in network packet.  

If you capture network packet using Wireshark, Netmon or tcpdump, you can open the file in Wireshark.

 

Below is an example:

 

You may filter for “TLS” or “Client Hello” to locate the first TLS packet. 

 

Shi_Ding_1-1611916000629.jpeg

 

1. Client Hello

 

Shi_Ding_2-1611916136343.png

 

2. Server Hello 

 

Shi_Ding_3-1611917038542.png

 

 

As you can see all elements needed during TLS connection are available in the network packet.

If you capture network packet for a not working case, you can compare with the above working one and find in which step it fails.

 

 

However in some cases, capturing network packet is not the best option or not even an option due to security reasons, for example many Azure PaaS service, such as Storage, Serivce Bus, etc are hosting in a shared tenant and we cannot capture the packet on server end. In those scenarios there are also a few handy tools available for troubleshooting.

 

In next blogs, I will introduce more TLS troubleshooting methods, common causes and corresponding solutions. Stay tuned.

 

%3CLINGO-SUB%20id%3D%22lingo-sub-2108065%22%20slang%3D%22en-US%22%3ESSL%2FTLS%20connection%20issue%20troubleshooting%20guide%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108065%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EBackground%3A%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENowadays%20almost%20every%20service%20support%20connection%20over%20TLS%20to%20encrypt%20data%20in%20transit%20to%20protect%20data.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20may%20experience%20exceptions%20or%20errors%20when%20establishing%20TLS%20connections%20with%20Azure%20services.%20Exceptions%20are%20vary%20dramatically%20depending%20on%20the%20client%20and%20server%20types.%20A%20typical%20ones%20such%20as%26nbsp%3B%20%22Could%20not%20create%20SSL%2FTLS%20secure%20channel.%22%20%22SSL%20Handshake%20Failed%22%2C%20etc.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20article%20we%20will%20discuss%20common%20causes%20of%20TLS%20related%20issue%20and%20troubleshooting%20steps.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20SSL%2FTLS%20connections%20are%20established%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBefore%20we%20start%2C%20let%20us%20get%20to%20know%20how%20SSL%2FTLS%20connections%20are%20established.%20I%20know%20there%20are%20millions%20of%20articles%20out%20there%20explaining%20the%20same%20handshake%20process%20using%20different%20colors%2C%20styles%20and%20arrows%2C%20so%20here%20comes%20my%20version%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Shi_Ding_0-1611915237959.jpeg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250548iE75F226DD3955F28%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Shi_Ding_0-1611915237959.jpeg%22%20alt%3D%22Shi_Ding_0-1611915237959.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EIt%20is%20always%20client%20that%20starts%20a%20conversation.%20Client%20says%20%22Hello%2C%20I%20would%20like%20to%20talk%20to%20you%20secretly%20by%20encrypting%20the%20messages.%20Here%20is%20my%20TLS%20version%20and%20a%20list%20CipherSuite%20I%20have%20on%20my%20hand.%20%22%3C%2FLI%3E%0A%3CLI%3EServer%20checks%20if%20itself%20supports%20same%20TLS%20version%20and%20go%20through%20server's%20own%20CipherSuite%20lists%20to%20see%20if%20there%20is%20any%20matching%20ones.%3C%2FLI%3E%0A%3CLI%3EServer%20replies%20%22Hello%20back%2C%20we%20can%20use%20the%20TLS%20version%20you%20sent%20and%20I%20find%20this%20CipherSuite%20from%20your%20list%20on%20my%20hand%20as%20well.%20Let's%20use%20this%20TLS%20version%20and%20CipherSuite.%20By%20the%20way%20here%20is%20my%20certificate%20(certificate%20chain)%20with%20my%20public%20key%20for%20you%20to%20check%20my%20identity.%22%3C%2FLI%3E%0A%3CLI%3EClient%20review%20server's%20certificate%2C%20verify%20if%20the%20certificate%20is%20expired%2C%20if%20it%20is%20issued%20to%20the%20same%20server%20name%20client%20tried%20to%20access%2C%20if%20the%20certificate%20issuer%20is%20trustable%2C%20or%20if%20the%20certificate%20is%20ever%20revoked%2C%20etc.%20Once%20verification%20passed%2C%20client%20creates%20a%20random%20secret%20and%20encrypt%20with%20server's%20public%20key%20(derived%20from%20server%20certificate).%3C%2FLI%3E%0A%3CLI%3EClient%20says%20%22Alright%20let's%20use%20you%20picked%20cipher%2C%20here%20is%20secret%20key%20I%20encrypted%20with%20your%20public%20key.%20Let%20me%20know%20if%20you%20can%20understand.%22%3C%2FLI%3E%0A%3CLI%3EThe%20message%20sent%20from%20client%20can%20be%20only%20decrypted%20using%20server's%20private%20key%20which%20is%20known%20by%20server%20only%20and%20cannot%20be%20peeked%20by%20others.%20So%20yes%20server%20is%20able%20to%20decrypt%20the%20secret%20key.%3C%2FLI%3E%0A%3CLI%3EServer%20replies%20%22Let's%20encrypt%20using%20our%20own%20secret%20key%20and%20let's%20get%20our%20secret%20conversation%20start%20now!%22%20(Normally%20server%20and%20client%20generate%20another%20key%20so%20called%20Master%20Key%20using%20the%20secrete%20key%20and%20agreed%20algorithm.%20Both%20server%20and%20client%20use%20the%20Master%20key%20for%20following%20message%20encryption%20and%20decryption.%20This%20step%20may%20be%20vary%20for%20different%20ciphers%20)%3C%2FLI%3E%0A%3CLI%3E*%23FSNV%25%5E%26amp%3BBSJ%7DD%23%40%23(%23*%3B%5D%23%26nbsp%3B%20(Client%20and%20server%20starts%20their%20own%20secret%20conversation%20encrypted%20with%20their%20agreed%20secret%20key%20which%20I%20don't%20even%20understand%E2%80%A6)%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESSL%2FTLS%20connection%20real%20case%20example%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBelow%20is%20a%20real%20example%20showing%20how%20it%20looks%20like%20in%20network%20packet.%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20capture%20network%20packet%20using%20%3CA%20href%3D%22https%3A%2F%2Fwww.wireshark.org%2Fdownload.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EWireshark%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D4865%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ENetmon%3C%2FA%3E%20or%20%3CA%20href%3D%22https%3A%2F%2Fwww.tcpdump.org%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Etcpdump%3C%2FA%3E%2C%20you%20can%20open%20the%20file%20in%20Wireshark.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBelow%20is%20an%20example%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20may%20filter%20for%20%E2%80%9CTLS%E2%80%9D%20or%20%E2%80%9CClient%20Hello%E2%80%9D%20to%20locate%20the%20first%20TLS%20packet.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Shi_Ding_1-1611916000629.jpeg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250549i2CDB4644FE2D7421%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Shi_Ding_1-1611916000629.jpeg%22%20alt%3D%22Shi_Ding_1-1611916000629.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20Client%20Hello%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Shi_Ding_2-1611916136343.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250550i6994766F0CB90696%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Shi_Ding_2-1611916136343.png%22%20alt%3D%22Shi_Ding_2-1611916136343.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E2.%20Server%20Hello%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Shi_Ding_3-1611917038542.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250557i0E8096A93150F529%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Shi_Ding_3-1611917038542.png%22%20alt%3D%22Shi_Ding_3-1611917038542.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20you%20can%20see%20all%20elements%20needed%20during%20TLS%20connection%20are%20available%20in%20the%20network%20packet.%3C%2FP%3E%0A%3CP%3EIf%20you%20capture%20network%20packet%20for%20a%20not%20working%20case%2C%20you%20can%20compare%20with%20the%20above%20working%20one%20and%20find%20in%20which%20step%20it%20fails.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHowever%20in%20some%20cases%2C%20capturing%20network%20packet%20is%20not%20the%20best%20option%20or%20not%20even%20an%20option%20due%20to%20security%20reasons%2C%20for%20example%20many%20Azure%20PaaS%20service%2C%20such%20as%20Storage%2C%20Serivce%20Bus%2C%20etc%20are%20hosting%20in%20a%20shared%20tenant%20and%20we%20cannot%20capture%20the%20packet%20on%20server%20end.%20In%20those%20scenarios%20there%20are%20also%20a%20few%20handy%20tools%20available%20for%20troubleshooting.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20next%20blogs%2C%20I%20will%20introduce%20more%20TLS%20troubleshooting%20methods%2C%20common%20causes%20and%20corresponding%20solutions.%20Stay%20tuned.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2108065%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20may%20experience%20exceptions%20or%20errors%20when%20establishing%20TLS%20connections%20with%20Azure%20services.%20Exceptions%20are%20vary%20dramatically%20depending%20on%20the%20client%20and%20server%20types.%20A%20typical%20ones%20such%20as%26nbsp%3B%20%22Could%20not%20create%20SSL%2FTLS%20secure%20channel.%22%20%22SSL%20Handshake%20Failed%22%2C%20etc.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20article%20we%20will%20discuss%20common%20causes%20of%20TLS%20related%20issue%20and%20troubleshooting%20steps.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2108065%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Batch%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Blockchain%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Cache%20for%20Redis%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Cloud%20Service%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Event%20Hub%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Policy%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Redis%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Service%20Bus%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Service%20Fabric%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Storage%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ENotification%20Hub%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Jan 29 2021 03:03 AM
Updated by: