Testing SSL from Netscaler–Issues with SSL handshake

From time to time we need to setup load balancing to a SSL based service or when setting up connection to a secure Storefront (which is the default) there is one thing that alot of people are missing from the config when setting up, which results in wierd issues or getting SSL handshake errors from the monitors. In most cases it because of two things

  • Missing Root CA
  • Wrong Ciphers or not supported ciphers

So how can we verify from the Netscaler that it is missing the rootCA or that we have the right CA in place?

That is when we uses OpenSSL, which is a toolkit that is used on the Netscaler, which also has a commandline interface which allow us to test different parameters.

So if we enter Shell on the Netscaler and then do a CD to /nsconfig/ssl (This is where all the NS certificates are stored by default and from there we can use OpenSSL.

By using the command

openssl s_client –connect FQDN

First of this will show us, the certificate that is presented, and the certificate chain. It will also list out what kind of connection that is being used towards to FQDN (In this case below we are using TLS 1.2 against a Storefront server.

CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

Server certificate
—–BEGIN CERTIFICATE—–
MIIFHzCCBAegAwIBAgIQCT7QmpMfh8Xq7pY2PnSiSjANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTUwODI3MDAwMDAwWhcN
MTYwODMxMTIwMDAwWjBnMQswCQYDVQQGEwJOTzERMA8GA1UECBMIQWtlcnNodXMx
FjAUBgNVBAcTDVNrZWRzbW9rb3JzZXQxFjAUBgNVBAoTDU1hcml1cyBTYW5kYnUx
FTATBgNVBAMMDCouY29tbWF4eC5ubzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMxHenWSyUtXpYakBSPOTZj98L6LZ8WPv7oFvCqcG0TxWN8KBYWABhcS
V0Z/KA8uWFf9hnSXVWBaI/CSX218Ccay4ulAGxavfPvW9M0f7tPn7sp19rBJsqz/
PMsPKXstQAdK4trF1Ag4mecqwQmMreSBJelSlhNtKHrMpXXkBm4cTyI2uCYFKFND
Gc9JpaqzJiyPn/3kGhZXR039q2lW4c0nMM5eZD3x9GpOEgMeZU1uabbVR8Pviflg
djfaZ7PW9tDV0UQd3HpG9sJaXsr99eCt8/0eQCqgRzxtCP2MS0vI/Wxtu9Vuoi7m
1T6H6VXuoaeW+cRMCVID0DUcdepXzxECAwEAAaOCAd8wggHbMB8GA1UdIwQYMBaA
FA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBRLJltFnloNz4pStHnGYHWk
CHGcGDAjBgNVHREEHDAaggwqLmNvbW1heHgubm+CCmNvbW1heHgubm8wDgYDVR0P
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBrBgNVHR8E
ZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc0
LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1n
NC5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwfAYIKwYBBQUHAQEE
cDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYB
BQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJT
ZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOC
AQEAHikELfi9t3NMI90pKbxcPnaHufJivbqwEAU4Vu2JjB8Lr3WPOj5oqSvFKC9e
XigAtZvK08NmxKlLRFHDNUNauHCOUh4rRDuzJEaI6INngsBULRPAKx8Ynk9E/epT
0lE0BLSpoXbvYb1HG+7ngeTnh3XsELI6NWo1G86FMHlzzDrnEaCX0DYzgxMHYfM5
P41ZCOLX/Zw46RPUTj/Up50jnqcbIVNsYt3En13c7vu0Chg2Wqb5iRnOEC5nQ8TS
DqfLsGCXq0JFVbz7t4amskNv9VSn2bDauTy0u6aSbfLknn8DYY/q+ruj0Nh+ELsA
y0Tmkrvh8IaD/OiFRq+osToQ2w==
—–END CERTIFICATE—–
subject=/C=NO/ST=
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

No client certificate CA names sent

SSL handshake has read 3034 bytes and written 479 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: EB46000017E1621AA1BB5491BDFD3EDB2C273F35E73DB2029651C5B00DEC62BC
    Session-ID-ctx:
    Master-Key: 65CA41A8B811869F0C005469E20578BB3C876AB7207AB5D2D42370B7779FD1EB                                 7F971DC3A0001EF9B54963D1D2B080BD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1448336973
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

What we can see here is that we have an error message at the tops stating that

 verify error:num=20:unable to get local issuer certificate

This error occurs if

  • The certificate chain for the certificate wasn’t provided by the other side or it doesn’t have one (it is self-signed).
  • The root certificate is not in the local database of trusted root certificates.
  • The local database of trusted root certificates was not given and thus not queried by OpenSSL.

In order to verify against a chain of certificates with a RootCA or Intermidiate with both, we can use the parameter –CAfile or –CAPath which we can specify behind the command to test a connection with a RootCA.

Now there are a bunch of different parameters that we can use with OpenSSL, for instance we can also test openSSL using different protocols such as -ssl3, -tls1, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2

Which allow us to test using SSL3 for instance. You can see the list of different options on the openSSL site here –> https://www.openssl.org/docs/manmaster/apps/s_client.html

You May Also Like

About the Author: Marius Sandbu

Leave a Reply

Your email address will not be published. Required fields are marked *