How do signed SSL / HTTPS certificates and certificate authorities work?

Asked by c-h-r-i-s-t-o-p-h

Tags: SSL / HTTPS, Encryption, Routers

My questions are at the bottom of this post, but first I'll try to explain the situation.


I am troubleshooting an issue for a user that I have isolated to encryption negotiation.

When attempting to load a website, the site intermittently hangs during initial load for approximately 30 seconds.

I ran Wireshark while accessing the website.


During attempts that failed, each of the "Client Hello" messages during the encryption handshake was using SSL. The client sends a few TCP keep-alive messages. Then traffic halts for approximately 30 seconds. Then, the client reattempts the encryption handshake using an SSLv2 "Client Hello" and the server responds with an SSLv3 "Server Hello" as expected.

During attempts that behave normally / do not fail, the initial encryption handshake appears to be handled using TLSv1.0.



And now for the questions...

What is involved in SSL / HTTPS negotiation?

How does a signed certificate get verified? (i.e. a certificate from Thawte)

How do CA bundles / certificate authorities come into play?

If a web server that is using an HTTPS / SSL cert is installed and TCP port 443 is allowed between the web server and the end user, are there ANY other ports that would need to be open? (i.e. for certificate authorities, certificate verification, etc.)

Based on the symptoms / troubleshooting that I described, can any other suggestions or conclusions be made?
ASKER CERTIFIED SOLUTION
CERTExpert
