TLS handshake failures are among the hardest debug categories. Tools: openssl s_client for shell, Wireshark with TLS decryption for deep analysis, curl -v for application-level. Main signals: ALPN mismatch (HTTP/2 vs 1.1), SNI missing, incomplete cert chain, no cipher overlap, TLS version downgrade.
Below: step-by-step, working examples, common pitfalls, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
openssl s_client -connect example.com:443 -servername example.com -showcertsopenssl s_client -alpn h2,http/1.1 -connect example.com:443openssl s_client -tls1_3 -connect example.com:443, -tls1_2, -tls1openssl s_client -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect example.com:443curl -v https://example.com 2>&1 | grep -E "SSL|TLS|ALPN"| Scenario | Config |
|---|---|
| Basic handshake probe | openssl s_client -connect example.com:443 -servername example.com </dev/null 2>&1 | grep -E "Protocol|Cipher" |
| ALPN negotiation | openssl s_client -alpn h2 -connect example.com:443 </dev/null | grep -i alpn |
| Test TLS 1.3 | openssl s_client -tls1_3 -connect example.com:443 </dev/null |
| Wireshark filter | tcp.port == 443 and tls.record.content_type == 22 # handshake records |
| curl with ciphers | curl -v --tls13-ciphers TLS_AES_128_GCM_SHA256 https://example.com 2>&1 | grep "SSL connection" |
To debug a TLS handshake, use tools like OpenSSL to capture and analyze the handshake process. Start with the command openssl s_client -connect example.com:443 -msg to view detailed messages exchanged during the handshake. If issues arise, check the server's certificate chain, verify supported protocols, and inspect firewall settings. For a deeper analysis, consider using Wireshark to capture network packets.
The TLS handshake is a crucial part of establishing a secure connection between a client and a server. It involves several steps, including:
Debugging this process requires a thorough understanding of each stage and the potential issues that can arise. Here are some common problems and how to troubleshoot them:
openssl x509 -in server.crt -text -noout to inspect the certificate details.openssl s_client -connect example.com:443 -tls1_2 to test TLS 1.2 specifically.openssl ciphers -v to list the available ciphers on the server.Additionally, you can use Wireshark to capture and analyze the TLS handshake. Start Wireshark and apply a filter for TLS traffic:
tlsAfter capturing the packets, look for the 'Client Hello' and 'Server Hello' messages to diagnose where the handshake fails. Each message will provide insights into the supported versions and cipher suites, allowing you to identify mismatches.
For instance, if the 'Client Hello' offers TLS 1.2 but the 'Server Hello' responds with a TLS 1.0 session, it indicates a version mismatch. In such cases, ensure that the server is configured to support the desired protocols by checking server settings in configuration files like nginx.conf or httpd.conf.
In conclusion, debugging a TLS handshake involves a systematic approach: analyze the handshake messages, verify certificates, check protocol and cipher compatibility, and utilize network analysis tools. By methodically addressing each component, you can effectively troubleshoot and resolve TLS handshake issues.
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeRun browser with <code>SSLKEYLOGFILE=/tmp/sslkeys.log</code>. In Wireshark → Edit → Preferences → TLS → (Pre)-Master-Secret log → /tmp/sslkeys.log.
Yes, server offers in preference order. Negotiated cipher is in the "Cipher: XXX" line.
<code>openssl s_client -status -connect example.com:443 </dev/null 2>&1 | grep "OCSP Response"</code>. Should be "OCSP Response Status: successful".
DevTools → Security tab → Connection. Or <code>chrome://net-internals/#ssl</code>.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.