A List of SSL third-party debugging tools.

book

Article ID: 35741

calendar_today

Updated On:

Products

APP PERF MANAGEMENT CA Application Performance Management Agent (APM / Wily / Introscope) CUSTOMER EXPERIENCE MANAGER INTROSCOPE

Issue/Introduction


  Question:

  I am having an SSL issue with APM (such as the EM or TIM.) What third-party tools can I use to debug these issues?


  Answer:

  There are a variety of tools that one can use. Some of the more popular ones are:

  1) OpenSSL Toolkit -- Use to check if the private key is correct. Helpful in verifying if SSL is enabled, with which protocol (SSLv3/TLSv1), and to pull the CA Public  Certificate regardless if the server is a web server on HTTPS or a LDAP server using LDAPS (including Active Directory)


  Typically, this binary is part of the operating system, or part of most solutions.  No need to install.

  Examples:

  openssl  s_client  -connect  hostname:port  -showcerts      [Great command to capture the CA Public Cert from the console, including the intermediate and root    certs; no need to use other tools]

  openssl s_client  -connect  hostname:port  -ssl3     [Confirm if SSLv3 is used; this should be blocked, unless the solution is NOT able to use TLS1 or higher]

  2) SSLDump -- Not updated in many years but helpful with SSL cipher suites.

  3) Wireshark -- Use to see cipher suites, compression, alert codes, and CP resets.

  4) Netstat -- Use to see open and hung connections.

  5) Microsoft Network Monitor for Windows -- View network traffic.

 6) Fiddler -- View HTTP/HTTPS from a browser perspective.

 7) Keytool or Keystore Explorer for java keystores.

 8) Create a CA root for testing.
 9) Mozilla has a great page on SSL cipher suites.
 10) Tcpreplay - to replay the traffic into the TIM with pre-loaded private key for that traffic flow.
 11) SSL Server Test -- Many examples of these type of pages.

 Additional information:
 1) OpenSSL Toolkit -- https://www.openssl.org/source/ -- Linux & https://slproweb.com/products/Win32OpenSSL.html -- Windows
 2) SSLDump -- http://ssldump.sourceforge.net/
 3) Wireshark -- https://www.wireshark.org/
 4) Netstat -- https://en.wikipedia.org/wiki/Netstat
 5) Microsoft Network Monitor -- http://www.microsoft.com/en-us/download/details.aspx?id=4865
 6) Fiddler -- http://www.telerik.com/fiddler
 7) Keytool -- https://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html
     Keytool Explorer -- http://keystore-explorer.sourceforge.net/
 8) CA Root Tool -- 
    https://jamielinux.com/docs/openssl-certificate-authority/
 9) Mozilla SSL Cipher Suite page -- https://wiki.mozilla.org/Security/Server_Side_TLS
10) Tcpreplay -- http://tcpreplay.appneta.com/ There are many other sites. 

11) SSL Server Test -- https://www.ssllabs.com/ssltest/index.html

Environment

Release:
Component: APMCEM