Troubleshooting Certificate and Certificate Chains
SSL Detective Tutorial: Introduction
The following examples demonstrate specific uses for SSL Detective in the examination of SSL certificates using an iOS device. SSL Detective can be used to troubleshoot SSL certificate problems for virtually any service, including (but not limited to) secure web servers, SMTP mail servers, VPN tunnels, and mobile device management (MDM) services.
It should be noted that the trust issues illustrated in the examples are not specific to the service used in the examples.
SSL Detective Tutorial: Example 1 – Hostname Error
Let’s examine an SSL certificate chain where the DNS name of the web server does not match the common name (or alternate dNS names) specified in the leaf certificate:
SSL Detective Tutorial: Example 1 – Chain Not Trusted
SSL Detective displays the certificate provided by the web server, indicating in red that the certificate is not trusted and why. The leaf certificate hostname does not match the web server’s DNS hostname.
SSL Detective Tutorial: Example 1 – Hostname Mismatch
The leaf certificate may indeed be legitimate and signed by a trusted root certificate authority, but fails due to the hostname mismatch.
SSL Detective Tutorial: Example 1 – Hostname Error
This problem could be resolved at the source by the certificate administrator adding the DNS name to to the Subject Alt Name extension in the leaf certificate (not present in this example).
SSL Detective Tutorial: Example 1 – Hostname Error
Since the hostname of the web server does not match the leaf certificate, what happens when SSL Detective connects to the server by IP address instead of host name and downloads the certificate?
Although one might assume that examining the certificate by IP address will bypass the host name mismatch issue entirely, the results show that this is not the case. Let’s use the IP address of the same web server to see the results:
SSL Detective Tutorial: Example 1 – Hostname Error
As we see here, using the IP address does not affect the result since the web server’s IP address does not (and should not) be present in the Subject Alt Name extension in the leaf certificate. The issue is not related to domain name resolution. As previously discussed, the host name to which the IP address resolves should be present to resolve the trust issue with the root certificate.
SSL Detective Tutorial: Example 1 – Hostname Error
Finally, let’s examine the certificate by actual leaf certificate host name:
SSL Detective Tutorial: Example 1 – Hostname Error
The SSL Detective query using the leaf certificate hostname results in a match with the certificate hostname and no trust issues are found.
SSL Detective Tutorial: Example 2 – Untrusted root certificate
In this example, we will examine an untrusted root certificate found with a SMTP mail server.
It bears repeating that the problem in this example is not specific to secure SMTP servers, but used only to illustrate the variety of services that depend on trust relationships that can be affected by certificate errors. These errors are particularly difficult to identify without SSL Detective, as we will see. An IMAP email account is configured on iOS and will attempt to connect on SMTP Port 465 to verify the SSL connection.
SSL Detective Tutorial: Example 2 – Untrusted root certificate
The connection attempt fails to connect to the port and requests that the standard non-SSL port be used instead. The error message does not explain the cause of the connection failure, only that it cannot use SSL. We will use SSL Detective to troubleshoot one possible cause.
SSL Detective Tutorial: Example 2 – Untrusted root certificate
In SSL Detective, we will enter the SMTP server name and corresponding SSL port attempted in the IMAP email configuration.
SSL Detective Tutorial: Example 2 – Untrusted root certificate
The connection problem is immediately identified to be caused by an untrusted root certificate at the SMTP server. The root certificate in this example is self-signed, not signed by a known trusted certificate authority; thus, it is deemed not trusted by the iOS device. The ideal solution is for the mail server’s certificate administrator to use a trusted certificate authority so the certificate chain will be trusted by the device. To verify that the untrusted certificate is the sole cause of the failed SMTP server connection setup, we will allow the device to trust the certificate by manually importing the certificate chain profile onto the device. Use the Email Certificates button in the lower left corner to attach the entire certificate chain to an email message. (Note: an alternate working email account must exist on the device for this to work.)
SSL Detective Tutorial: Example 2 – Untrusted root certificate
Each of the root certificate, intermediate certificate, and leaf that make up the certificate chain are attached to the email message and sent.
SSL Detective Tutorial: Example 2 – Untrusted root certificate
Selecting the root certificate, 1-Certificate Barn CA.cer in this example, will import the certificate chain into a profile on the device.
SSL Detective Tutorial: Example 2 – Untrusted root certificate
Prior to import, the certificate chain is still considered untrusted by the device.
SSL Detective Tutorial: Example 2 – Untrusted root certificate
Once the profile is installed, the device considers the certificate chain to be trusted.
SSL Detective Tutorial: Example 2 – Untrusted root certificate
We can verify this change using SSL Detective to once again retrieve the certificate chain for the SMTP server.
SSL Detective Tutorial: Example 2 – Untrusted root certificate
The certificate provided by the SMTP server now matches the trust profile manually installed on the iOS device, confirming that a trust relationship exists between the server and the device. Again, the mail server certificate administrator should register the certificate with a trusted certificate authority to avoid the issue. Now that we have eliminated the certificate as a source of email configuration connection failure, the connection will be successful or other issues unrelated to the certificate may be further investigated.
