Tunneling a protocol over SSL is a simple feat these days. However, troubleshooting it is a difficult task: an extra layer is added, and instead of a plain-text protocol you are suddenly stuck with a binary protocol.
Since RiOS 8.0, the command ssl-connect provides a method to set up an SSL-encrypted TCP session towards a server. It uses the same certificate store as the Steelhead appliance, so it can be used to check if all intermediate certificates are available and valid.
The ssl-connect command supports IPv4 and IPv6, but it doesn't recognize a literal IPv6 address as such: a hostname which resolves to an IPv6 address is required.
Figure 3.55. Usage of the ssl-connect command
CSH # ssl-connect 192.168.1.1:443
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 O = *.mavetju.org, OU = Domain Control Validated, CN = *.mavetju.org
verify return:1
---
Certificate chain
 0 s:/O=*.mavetju.org/OU=Domain Control Validated/CN=*.mavetju.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgIHKyoFsgHhjjANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
[...]
8gVExh5WcDWWTRAB3IgV+puWx6rFblZ2WTjHKqfvvpfolaCy8+xMVwQI7BJyA6vF
SgMsfQ42zKMwIiHEHM8jdI5AMVM5VCQ=
-----END CERTIFICATE-----
subject=/O=*.mavetju.org/OU=Domain Control Validated/CN=*.mavetju.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 2782 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1809B7245E7E42B9F2CAB82B54019B3E20F3923C16A2927A4D3996FAC4528CB5
    Session-ID-ctx:
    Master-Key: B3DCF9008DBB76B7F0151B723DFB8AFF530310720985BC6739E9E60E7EE64EB8F81B88368A9EA8131D4DE3FBEB77BEF5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1359015123
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.0
Host: www.mavetju.org

HTTP/1.1 200 OK
Date: Thu, 24 Jan 2013 08:12:29 GMT
Server: Apache/2.2.3 (FreeBSD)
Content-Length: 239
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
X-RBT-Optimized-By: CSH (RiOS 8.0.1) IK

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
[...]
</body></html>
closed
The result code under Verify return code: is how the ssl-connect command interprets the certificates. This is the list of possible result codes, taken from the man page of the OpenSSL verify(1) utility.
0 / Ok: The operation was successful.
2 / Unable to get issuer certificate: The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete.
4 / Unable to decrypt certificate's signature: The certificate signature could not be decrypted. This means that the actual signature value could not be determined, rather than it not matching the expected value; this is only meaningful for RSA keys.
6 / Unable to decode issuer public key: The public key in the certificate SubjectPublicKeyInfo could not be read.
7 / Certificate signature failure: The signature of the certificate is invalid.
9 / Certificate is not yet valid: The certificate is not yet valid: the notBefore date is after the current time.
10 / Certificate has expired: The certificate has expired: that is the notAfter date is before the current time.
13 / Format error in certificate's notBefore field: The certificate notBefore field contains an invalid time.
14 / Format error in certificate's notAfter field: The certificate notAfter field contains an invalid time.
17 / Out of memory: An error occurred trying to allocate memory. This should never happen.
18 / Self signed certificate: The passed certificate is self-signed and the same certificate cannot be found in the list of trusted certificates.
19 / Self signed certificate in certificate chain: The certificate chain could be built up using the untrusted certificates but the root could not be found locally.
20 / Unable to get local issuer certificate: The issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
21 / Unable to verify the first certificate: No signatures could be verified because the chain contains only one certificate and it is not self-signed.
24 / Invalid CA certificate: A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose.
25 / Path length constraint exceeded: The basicConstraints pathlength parameter has been exceeded.
26 / Unsupported certificate purpose: The supplied certificate cannot be used for the specified purpose.
27 / Certificate not trusted: The root CA is not marked as trusted for the specified purpose.
28 / Certificate rejected: The root CA is marked to reject the specified purpose.
29 / Subject issuer mismatch: The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate.
30 / Authority and subject key identifier mismatch: The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier of the current certificate.
31 / Authority and issuer serial number mismatch: The current candidate issuer certificate was rejected because its issuer name and serial number were present and did not match the authority key identifier of the current certificate.
32 / Key usage does not include certificate signing: The current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing.
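The session above is OpenSSL s_client-style output, so the verdict can be pulled out of a captured ssl-connect (or openssl s_client) run automatically. The script below is an added example, not part of the book or of RiOS: it extracts the Verify return code, counts the certificates the server presented, and maps the codes most often seen in practice to the meanings listed above. The sample outputs are constructed, trimmed to the shape of the session shown earlier.

```shell
#!/bin/sh
# Added example (not from the book or RiOS): interpret the "Verify return
# code" of captured ssl-connect / openssl s_client output. Functions take the
# whole captured output as their single argument.

# verify_code OUTPUT -> prints the numeric verify code, or 255 if none found
verify_code() {
    code=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$code" ] && printf '%s\n' "$code" || printf '255\n'
}

# chain_depth OUTPUT -> number of certificates listed under "Certificate chain"
chain_depth() {
    printf '%s\n' "$1" | grep -c '^ *[0-9][0-9]* s:'
}

# explain CODE -> short meaning for the codes most often seen when a chain
# is incomplete or untrusted (subset of the verify(1) list above)
explain() {
    case "$1" in
        0)     echo "ok" ;;
        2|20)  echo "issuer certificate not in the trust store (chain incomplete)" ;;
        10)    echo "certificate has expired" ;;
        18|19) echo "self-signed certificate; root not in the trust store" ;;
        21)    echo "server sent only its own certificate; intermediates missing" ;;
        255)   echo "no Verify return code found (handshake did not complete?)" ;;
        *)     echo "verify error $1; see the verify(1) code list" ;;
    esac
}

# Constructed samples: a chain of two that verifies, and a lone leaf that does not
SAMPLE_OK=' 0 s:/O=*.mavetju.org/OU=Domain Control Validated/CN=*.mavetju.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
   i:/C=US/O=The Go Daddy Group, Inc.
    Verify return code: 0 (ok)'

SAMPLE_BAD=' 0 s:/CN=example.invalid
   i:/CN=Some Intermediate CA
    Verify return code: 21 (unable to verify the first certificate)'

# Live use from a workstation (commented out: needs network access):
# OUT=$(openssl s_client -connect www.mavetju.org:443 -servername www.mavetju.org </dev/null 2>&1)
# c=$(verify_code "$OUT"); echo "code $c: $(explain "$c"), chain depth $(chain_depth "$OUT")"
```

A code of 21 with a chain depth of 1 means the server is not sending its intermediate certificates, which the appliance's certificate store then has to supply for the verification to pass.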