Technical Bulletin 52609
Mutual Transport Layer Security Provisioning Using Microsoft Internet Information Services 6.0
Troubleshooting
Issue: How can I tell if mutual TLS is working?
Do the following:
In the serial log, look for <MACaddress>.cfg being downloaded. The first section of the log shows one-way SSL working correctly: the phone checks the server certificate against its CA bundle (/ffs0/ca-bundle.crt) and reports "SSL certificate verify ok", but at this point the server has not yet asked the phone for a certificate, as shown below:
0727210309|copy |3|00|'https://:****@Server A.qaad.local/0004f22434da.cfg' from 'Server A.qaad.local(172.23.0.81)'
0727210309|curl |3|00|timeout on name lookup is not supported
0727210309|curl |3|00|About to connect() to Server A.qaad.local port 443 (#0)
0727210309|curl |3|00| Trying 172.23.0.81...
0727210309|curl |3|00|Connected to Server A.qaad.local (172.23.0.81) port 443 (#0)
0727210309|curl |3|00|successfully set certificate verify locations:
0727210309|curl |3|00| CAfile: /ffs0/ca-bundle.crt CApath: none
0727210309|curl |3|00|SSLv3, TLS handshake, Client hello (1):
0727210309|curl |3|00|SSLv3, TLS handshake, Server hello (2):
0727210309|curl |3|00|SSLv3, TLS handshake, CERT (11):
0727210309|curl |3|00|SSLv3, TLS handshake, Server finished (14):
0727210309|curl |3|00|SSLv3, TLS handshake, Client key exchange (16):
0727210309|curl |3|00|SSLv3, TLS change cipher, Client hello (1):
0727210309|curl |3|00|SSLv3, TLS handshake, Finished (20):
0727210309|curl |3|00|SSLv3, TLS change cipher, Client hello (1):
0727210309|curl |3|00|SSLv3, TLS handshake, Finished (20):
0727210309|curl |3|00|SSL connection using RC4-SHA
0727210309|curl |3|00|Server certificate:
0727210309|curl |3|00| subject: C=CA, ST=burnaby, L=bc, O=polycom, OU=polycom, CN=Server A.qaad.local
0727210309|curl |3|00| start date: 2009-07-23 21:04:34 GMT
0727210309|curl |3|00| expire date: 2011-07-23 21:04:34 GMT
0727210309|curl |3|00| common name: Server A.qaad.local (matched)
0727210309|curl |3|00| issuer: DC=local, DC=qaad, CN=Server A
0727210309|curl |3|00| SSL certificate verify ok.
The second section of the log shows mutual TLS being established. The server triggers a renegotiation (Hello request (0)) and this time sends Request CERT (13); the phone answers with its own certificate (the second CERT (11)) and proves possession of the matching private key with CERT verify (15). A phone that has no certificate typically still sends an empty CERT (11) but never a CERT verify (15), so that record is the one to look for, as shown below:
0727210309|curl |3|00|SSLv3, TLS handshake, Hello request (0):
0727210309|curl |3|00|SSLv3, TLS handshake, Client hello (1):
0727210309|curl |3|00|SSLv3, TLS handshake, Server hello (2):
0727210309|curl |3|00|SSLv3, TLS handshake, CERT (11):
0727210309|curl |3|00|SSLv3, TLS handshake, Request CERT (13):
0727210309|curl |3|00|SSLv3, TLS handshake, Server finished (14):
0727210309|curl |3|00|SSLv3, TLS handshake, CERT (11):
0727210309|curl |3|00|SSLv3, TLS handshake, Client key exchange (16):
0727210309|curl |3|00|SSLv3, TLS handshake, CERT verify (15):
0727210309|curl |3|00|SSLv3, TLS change cipher, Client hello (1):
0727210309|curl |3|00|SSLv3, TLS handshake, Finished (20):
0727210309|curl |3|00|SSLv3, TLS change cipher, Client hello (1):
0727210309|curl |3|00|SSLv3, TLS handshake, Finished (20):
0727210309|curl |3|00|Connection #0 to host Server A.qaad.local left intact
Note: The above SSL logs are created for each file that is accessed.
Mutual TLS is working end to end when <MACaddress>.cfg downloads successfully, as shown below:
0727210309|copy |3|00|Download of '0004f22434da.cfg' succeeded on attempt 1 (addr 1 of 1)
Mutual TLS is not working correctly if you receive a 403 error. A 403 means the TLS handshake completed but IIS refused the request; in IIS 6.0 this is usually because the phone presented no client certificate (substatus 403.7), the certificate is not trusted by the server (403.16), or the certificate is not mapped to a Windows account that is allowed to read the file. The substatus code appears in the IIS log on the server, not in the phone's serial log. A 404 is not a TLS failure: it means the requested file does not exist at that path on your boot server.
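The check above can be automated. The following script is an added example, not code from Technical Bulletin 52609 or from Polycom; it triages a serial log excerpt by the handshake records the bulletin describes and reports which of the bulletin's cases applies. The two log samples are constructed in the bulletin's line format (not real captures, and the one-way section is abbreviated), and the assumption that an HTTP error reaches the log as a curl-style "HTTP/1.1 403" status line is mine; adjust that pattern to the wording your firmware prints.

```python
"""Triage a Polycom phone serial log for mutual-TLS provisioning.

Added example, not code from Technical Bulletin 52609 or from Polycom.
One-way TLS shows CERT (11) from the server only; mutual TLS adds
Request CERT (13), a CERT (11) from the phone and CERT verify (15), which
the phone can only produce if it holds the private key of the certificate
it sent. A phone without a certificate still emits an empty CERT (11), so
CERT verify (15) is the record this script keys on.
"""
import re

SERVER_VERIFIED = "SSL certificate verify ok."
CERT_REQUEST = "Request CERT (13)"
CERT_VERIFY = "CERT verify (15)"
DOWNLOAD_OK = re.compile(r"Download of '([^']+)' succeeded on attempt (\d+)")
# Assumption: an HTTP error reaches the log as a curl-style status line.
HTTP_STATUS = re.compile(r"HTTP/1\.[01] (\d{3})")
# timestamp|module|level|00|message, as in the bulletin's excerpt
LINE = re.compile(r"^(\d{10})\|(\w+)\s*\|(\d)\|(\d{2})\|(.*)$")

# Constructed sample in the bulletin's format (not a real capture).
MUTUAL_OK_LOG = """\
0727210309|copy |3|00|'https://:****@ServerA.example/0004f22434da.cfg' from 'ServerA.example(172.23.0.81)'
0727210309|curl |3|00|SSLv3, TLS handshake, Client hello (1):
0727210309|curl |3|00|SSLv3, TLS handshake, CERT (11):
0727210309|curl |3|00|SSLv3, TLS handshake, Finished (20):
0727210309|curl |3|00| SSL certificate verify ok.
0727210309|curl |3|00|SSLv3, TLS handshake, Hello request (0):
0727210309|curl |3|00|SSLv3, TLS handshake, CERT (11):
0727210309|curl |3|00|SSLv3, TLS handshake, Request CERT (13):
0727210309|curl |3|00|SSLv3, TLS handshake, CERT (11):
0727210309|curl |3|00|SSLv3, TLS handshake, CERT verify (15):
0727210309|curl |3|00|SSLv3, TLS handshake, Finished (20):
0727210309|copy |3|00|Download of '0004f22434da.cfg' succeeded on attempt 1 (addr 1 of 1)
"""

# Constructed failure: IIS asks for a certificate, the phone has none
# (empty CERT (11), no CERT verify) and the request is refused with 403.
NO_CLIENT_CERT_LOG = """\
0727210309|curl |3|00|SSLv3, TLS handshake, CERT (11):
0727210309|curl |3|00| SSL certificate verify ok.
0727210309|curl |3|00|SSLv3, TLS handshake, Hello request (0):
0727210309|curl |3|00|SSLv3, TLS handshake, Request CERT (13):
0727210309|curl |3|00|SSLv3, TLS handshake, CERT (11):
0727210309|curl |3|00|SSLv3, TLS handshake, Finished (20):
0727210309|curl |3|00|< HTTP/1.1 403 Forbidden
"""


def parse(log_text):
    """Yield (module, message) for each well-formed serial log line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(2), m.group(5)


def triage(log_text):
    """Summarise what the handshake records in the log prove."""
    r = {"server_cert_verified": False, "client_cert_requested": False,
         "client_cert_sent": False, "downloads": [], "http_errors": []}
    for module, msg in parse(log_text):
        if module == "curl":
            if SERVER_VERIFIED in msg:
                r["server_cert_verified"] = True
            elif CERT_REQUEST in msg:
                r["client_cert_requested"] = True
            elif CERT_VERIFY in msg:
                r["client_cert_sent"] = True
            r["http_errors"] += [int(s) for s in HTTP_STATUS.findall(msg) if s[0] in "45"]
        elif module == "copy":
            m = DOWNLOAD_OK.search(msg)
            if m:
                r["downloads"].append(m.group(1))
    r["verdict"] = verdict(r)
    return r


def verdict(r):
    """Map the observed records onto the bulletin's success and failure cases."""
    if not r["server_cert_verified"]:
        return "one-way TLS failed: server certificate not verified (check /ffs0/ca-bundle.crt)"
    if not r["client_cert_requested"]:
        return "one-way TLS only: IIS never sent Request CERT (13), client certificates are not required"
    if not r["client_cert_sent"]:
        return "mutual TLS failed: IIS asked for a certificate but the phone sent no CERT verify (15)"
    if 403 in r["http_errors"]:
        return "mutual TLS handshake completed but IIS returned 403: certificate not trusted or not mapped"
    if r["downloads"]:
        return "mutual TLS working: " + ", ".join(r["downloads"]) + " downloaded"
    if 404 in r["http_errors"]:
        return "TLS is fine, file not found (404): check the path on the boot server"
    return "mutual TLS handshake completed, no download result in this excerpt"


if __name__ == "__main__":
    for name, log in (("mutual_ok", MUTUAL_OK_LOG), ("no_client_cert", NO_CLIENT_CERT_LOG)):
        print(name, "->", triage(log)["verdict"])
```

Feed it the full serial log rather than an excerpt: because the phone performs a handshake sequence for every file it fetches, the first Request CERT (13) you see tells you the IIS directory that actually enforces client certificates, and a 404 after a clean handshake points at a path problem, not a certificate one.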