Background:
Nowadays almost every service support connection over TLS to encrypt data in transit to protect data.
You may experience exceptions or errors when establishing TLS connections with Azure services. Exceptions are vary dramatically depending on the client and server types. A typical ones such as "Could not create SSL/TLS secure channel." "SSL Handshake Failed", etc.
In this article we will discuss common causes of TLS related issue and troubleshooting steps.
How SSL/TLS connections are established:
Before we start, let us get to know how SSL/TLS connections are established. I know there are millions of articles out there explaining the same handshake process using different colors, styles and arrows, so here comes my version:
SSL/TLS connection real case example:
Below is a real example showing how it looks like in network packet.
If you capture network packet using Wireshark, Netmon or tcpdump, you can open the file in Wireshark.
Below is an example:
You may filter for “TLS” or “Client Hello” to locate the first TLS packet.
1. Client Hello
2. Server Hello
As you can see all elements needed during TLS connection are available in the network packet.
If you capture network packet for a not working case, you can compare with the above working one and find in which step it fails.
However in some cases, capturing network packet is not the best option or not even an option due to security reasons, for example many Azure PaaS service, such as Storage, Serivce Bus, etc are hosting in a shared tenant and we cannot capture the packet on server end. In those scenarios there are also a few handy tools available for troubleshooting.
In next blogs, I will introduce more TLS troubleshooting methods, common causes and corresponding solutions. Stay tuned.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.