Verifying SSL / SNI Configuration for HTTPD

Brian Hooper, fellow hobbyist
Apr 11, 2016

Today I ran into an issue where I needed to troubleshoot and/or verify that our SSL / SNI configurations were working properly for one or more HTTPS endpoints.

To accomplish this I used Wireshark along with cURL to send REST requests through our HTTP proxy so that we could capture packets to demonstrate that the SSL handshake was working, and also view the logs on our proxy host. I came across a few gotchas that are worth remembering as well as sharing...

PROBLEM: You need to troubleshoot and/or verify that your SSL / SNI (Server Name Indication) configuration is working properly for one or more HTTPS endpoints, i.e. that a client which names a given virtual host in its TLS Client Hello is answered with that host's certificate rather than the server's default one.

TOOLS: Wireshark (version 2.0.2), cURL (version 7.43.0)

SOLUTION: First, install Wireshark and cURL if you do not use these tools already. I have included the version numbers above that I used this morning.

Once the tools are installed, launch Wireshark and set a capture filter of host <ip_address>, where <ip_address> is the same address you will pass to curl via --resolve, so that the capture contains only the traffic to the endpoint under test. The name the client asked for travels in clear text in the server_name extension of the TLS Client Hello (Wireshark filter field ssl.handshake.extensions_server_name in the 2.x series, tls.handshake.extensions_server_name in 3.x and later), and the server's answer is the Certificate message that follows the Server Hello; those two packets are what you are checking.

Start a new capture using your filter and execute one of the example commands below.

EXAMPLE CURL (LINUX)

curl -v --cert <path/to/certificate.pem> --key <path/to/key> --resolve <hostname>:<port>:<ip_address> https://<hostname>:<port>/

The URL must name the host, not the IP: curl derives both the SNI value and the Host header from the URL host name, and it sends no SNI at all when the host is an IP literal. --resolve pins that name to <ip_address> without touching DNS, so the TCP connection goes where you want while the TLS layer still asks for <hostname>. The port in --resolve has to match the port in the URL (443 if the URL has none) or the mapping is silently ignored.

EXAMPLE CURL using .pfx (OSX)

curl -v --cert "<path/to/certificate.pfx>:<password>" --resolve <hostname>:<port>:<ip_address> https://<hostname>:<port>/

NOTE: For a Mac OS X client you will need to create a .pfx (PKCS#12) bundle, because the curl that ships with OS X is built against Apple's Secure Transport, which accepts a client certificate only as a PKCS#12 file or a keychain identity, not as separate PEM files. Here is the openssl command you will need to use; you will be prompted to create a password.

openssl pkcs12 -export -out <filename-for-new-pfx> -inkey <path-to-key-file> -in <path-to-pem-file>

From here you should be able to verify via the command line output (-v for verbose) and the packet capture (via Wireshark) whether your SSL / SNI configuration is working as expected. In the curl output, check that "Connected to <hostname> (<ip_address>)" shows the address you pinned and that the "Server certificate" subject and subjectAltName match <hostname>; in Wireshark, check that the Client Hello carries <hostname> in its server_name extension and that the certificate in the server's reply is the one configured for that virtual host. If the capture shows the right SNI but the wrong certificate, the problem is on the server side (the name is not matched by any SSL virtual host, so httpd falls back to the default); if the SNI is missing, the client side is at fault.
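To see exactly what Wireshark is decoding when it shows the SNI, here is an added Python example (not code from the original post). It has the local OpenSSL build, through Python's ssl module, produce a real Client Hello for a given name without any network traffic, then walks the TLS record by hand to pull out the server_name extension. It also demonstrates the behaviour that --resolve exists to avoid: a client handed an IP literal sends no SNI at all, so the server can only answer with its default virtual host. The host name and the 192.0.2.10 address are constructed placeholders, and Python 3.7 or later is assumed (earlier versions put IP literals into the extension).

```python
import ssl
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16     # TLS record content type for handshake messages
CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000 # extension type for SNI (RFC 6066)


def build_client_hello(server_hostname: str) -> bytes:
    """Ask the local OpenSSL for the bytes a client puts on the wire in its
    first flight. Memory BIOs stand in for the socket, so nothing is sent."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: Client Hello written, now waiting for a Server Hello
    return outgoing.read()


def parse_sni(record: bytes) -> Optional[str]:
    """Walk one TLS record holding a Client Hello (e.g. bytes exported from a
    capture) and return the SNI host name, or None if the extension is absent."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("record does not carry a Client Hello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                       # legacy_version + random
    pos += 1 + hello[pos]              # session_id (1-byte length)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                  # cipher_suites (2-byte length)
    pos += 1 + hello[pos]              # compression_methods (1-byte length)
    if pos + 2 > len(hello):
        return None                    # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total

    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: uint16 list length, then entries of
        # uint8 name_type (0 = host_name), uint16 length, the name itself
        lpos = 2
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            lpos += 3
            if name_type == 0:
                return data[lpos:lpos + name_len].decode("ascii")
            lpos += name_len
    return None


def sni_for(server_hostname: str) -> Optional[str]:
    """Convenience wrapper: what SNI does this client send for this name?"""
    return parse_sni(build_client_hello(server_hostname))


if __name__ == "__main__":
    # Constructed placeholders, not real endpoints.
    for name in ("www.example.com", "192.0.2.10"):
        print(f"{name:20} -> SNI sent: {sni_for(name)!r}")
```

parse_sni works on any Client Hello record, so you can also point it at bytes saved from a capture (select the TLS record in Wireshark and use File > Export Packet Bytes) to double-check what a third-party client or a proxy actually asked for. The IP-literal case printing None is the same reason a curl against https://<ip_address>/ can never exercise your SNI virtual hosts.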

Depending on your httpd logging configuration you should be able to tail the logs under /etc/httpd/logs (on RHEL-family systems a symlink to /var/log/httpd, where mod_ssl writes ssl_access_log, ssl_request_log and ssl_error_log) for additional data points directly from the proxy host itself. mod_ssl also exposes the name the client sent as the SSL_TLS_SNI variable, so adding %{SSL_TLS_SNI}x to a LogFormat records, per request, which virtual host the client asked for alongside which one actually served it.

Final Tip: Do not pass -k (--insecure) to the cURL command while testing. It does not change what SNI curl sends, but it tells curl to accept any certificate, which hides exactly the failure you are looking for: a server that ignores the SNI and hands back its default certificate will then look like a success. Leave certificate verification on (add --cacert <path/to/ca.pem> if the endpoint uses a private CA) so that a mismatched name is reported as an error.

Originally published at medium.com on April 11, 2016.
