3.10. SSL connect

Tunneling a protocol over SSL is a simple feat these days. Troubleshooting it, however, is a harder task: an extra layer is added, and instead of a plain-text protocol you are suddenly stuck with a binary protocol that cannot be read on the wire.

Since RiOS 8.0, the ssl-connect command provides a way to set up an SSL-encrypted TCP session towards a server from the Steelhead appliance itself. It uses the same certificate store as the Steelhead appliance, so it can be used to check whether all intermediate certificates needed to validate the server's chain are available and valid. Its output has the same format as that of the OpenSSL s_client utility.

The ssl-connect command supports IPv4 and IPv6, but it does not recognize an IPv6 address literal as an address. To connect over IPv6, specify a hostname which resolves to an IPv6 address.

Figure 3.55. Usage of the ssl-connect command

CSH # ssl-connect 192.168.1.1:443
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Author \
    ity
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certifi \
    cates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumb \
    er = 07969287
verify return:1
depth=0 O = *.mavetju.org, OU = Domain Control Validated, CN = *.mavetju.org
verify return:1
---
Certificate chain
 0 s:/O=*.mavetju.org/OU=Domain Control Validated/CN=*.mavetju.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/ \
    repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/ \
    repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgIHKyoFsgHhjjANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
[...]
8gVExh5WcDWWTRAB3IgV+puWx6rFblZ2WTjHKqfvvpfolaCy8+xMVwQI7BJyA6vF
SgMsfQ42zKMwIiHEHM8jdI5AMVM5VCQ=
-----END CERTIFICATE-----
subject=/O=*.mavetju.org/OU=Domain Control Validated/CN=*.mavetju.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.co \
    m/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 2782 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1809B7245E7E42B9F2CAB82B54019B3E20F3923C16A2927A4D3996FAC4528CB5
    Session-ID-ctx: 
    Master-Key: B3DCF9008DBB76B7F0151B723DFB8AFF530310720985BC6739E9E60E7EE64EB8F81B88368A \
    9EA8131D4DE3FBEB77BEF5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1359015123
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.0
Host: www.mavetju.org

HTTP/1.1 200 OK
Date: Thu, 24 Jan 2013 08:12:29 GMT
Server: Apache/2.2.3 (FreeBSD)
Content-Length: 239
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
X-RBT-Optimized-By: CSH (RiOS 8.0.1) IK

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
[...]
</body></html>
closed
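
The lines in the figure are worth reading in a fixed order when a tunnelled session fails: the depth=N lines and any "verify error" lines show how far the chain could be built, the Verify return code line gives the final verdict, and the Protocol, Cipher, key size and secure renegotiation lines describe the session that was negotiated. The following script, an added example that is not part of RiOS or of this book, parses output in that format (ssl-connect or openssl s_client) and turns it into findings. Both samples are constructed to mirror the figure: the first is the healthy case above, the second is the common failure where the server sends only its leaf certificate and OpenSSL reports errors 20 and 21 before ending with Verify return code 21.

```python
"""Triage helper for ssl-connect / openssl s_client output (added example)."""
import re

# Constructed sample 1: full chain (leaf, intermediate, root), verify code 0.
SAMPLE_OK = """\
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, O = "GoDaddy.com, Inc.", CN = Go Daddy Secure Certification Authority
verify return:1
depth=0 O = *.mavetju.org, OU = Domain Control Validated, CN = *.mavetju.org
verify return:1
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
"""

# Constructed sample 2: the server sends only its leaf certificate. OpenSSL
# reports error 20 (no issuer found) and then 21 (first cert unverifiable).
SAMPLE_NO_INTERMEDIATE = """\
CONNECTED(00000003)
depth=0 O = *.mavetju.org, OU = Domain Control Validated, CN = *.mavetju.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = *.mavetju.org, OU = Domain Control Validated, CN = *.mavetju.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 21 (unable to verify the first certificate)
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
VERIFY_CODE_RE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)$")
PROTOCOL_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)")
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)")
KEY_BITS_RE = re.compile(r"^Server public key is (\d+) bit")
NO_SECURE_RENEG = "Secure Renegotiation IS NOT supported"


def parse_ssl_connect(text):
    """Return the chain seen per depth, verify errors and the session facts."""
    info = {"chain": {}, "verify_errors": [], "verify_code": None,
            "verify_text": None, "protocol": None, "cipher": None,
            "key_bits": None, "secure_reneg": True}
    for line in text.splitlines():
        if (m := DEPTH_RE.match(line)):
            info["chain"][int(m.group(1))] = m.group(2)
        elif (m := VERIFY_ERR_RE.match(line)):
            info["verify_errors"].append((int(m.group(1)), m.group(2)))
        elif (m := VERIFY_CODE_RE.match(line)):
            info["verify_code"], info["verify_text"] = int(m.group(1)), m.group(2)
        elif (m := PROTOCOL_RE.match(line)):
            info["protocol"] = m.group(1)
        elif (m := CIPHER_RE.match(line)):
            info["cipher"] = m.group(1)
        elif (m := KEY_BITS_RE.match(line)):
            info["key_bits"] = int(m.group(1))
        elif line.startswith(NO_SECURE_RENEG):
            info["secure_reneg"] = False
    return info


def triage(info):
    """Turn parsed output into the findings a troubleshooter acts on."""
    findings = []
    if info["verify_code"] != 0:
        findings.append("verify failed: code %s (%s)" % (info["verify_code"], info["verify_text"]))
    # Codes 2, 20 and 21 all mean an issuer could not be found: the intermediate
    # was neither sent by the server nor present in the certificate store.
    if any(num in (2, 20, 21) for num, _ in info["verify_errors"]):
        findings.append("chain incomplete: intermediate certificate missing from "
                        "both the handshake and the certificate store")
    if len(info["chain"]) == 1:
        findings.append("server sent only its leaf certificate (depth 0)")
    if info["protocol"] in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("legacy protocol negotiated: %s" % info["protocol"])
    # Only (EC)DHE suites and TLS 1.3 suites (TLS_...) give forward secrecy.
    if info["cipher"] and not info["cipher"].startswith(("ECDHE-", "DHE-", "TLS_")):
        findings.append("no forward secrecy: %s uses static key exchange" % info["cipher"])
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append("server key is only %d bits" % info["key_bits"])
    if not info["secure_reneg"]:
        findings.append("secure renegotiation (RFC 5746) not supported by the server")
    return findings


if __name__ == "__main__":
    for name, sample in (("complete chain", SAMPLE_OK),
                         ("missing intermediate", SAMPLE_NO_INTERMEDIATE)):
        parsed = parse_ssl_connect(sample)
        print("%s: Verify return code %s" % (name, parsed["verify_code"]))
        for finding in triage(parsed):
            print("  -", finding)
```

Run it with the captured ssl-connect output on standard input swapped in for the samples. On the figure's own session it reports no verification problem but flags TLSv1, the non-forward-secret AES256-SHA suite and the missing secure renegotiation support; on the second sample it points straight at the missing intermediate, which is exactly the case the certificate-store check in ssl-connect is meant to catch.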

The number after Verify return code: is how the ssl-connect command judges the certificate chain: 0 means the chain validated against the certificate store, and any other value identifies why validation failed. The following is a list of the possible result codes, taken from the man page of the OpenSSL verify(1) utility.