2 Apr 2009

Be a Wizard of SSL

SSL Tricks and Tips

Many of the developers I've worked with treat SSL as if it's the carrier of a new and virulent plague or the product of evil magic. They duck and run for cover whenever the boss shows up looking for someone to battle a new error. Having not ducked fast enough, I've found myself face-to-face with SSL on many occasions, and have survived to overcome the intimidation factor and tell you that solving most SSL problems is a snap and anyone can learn to do it. By becoming the SSL go-to person in your IT department, you'll win fame and recognition as the great defender against evil magic. I reveal below these mysterious secrets of common SSL problems and some simple tricks and tips for solving them.

Expired Certificate

Probably the most common problem is an expired certificate. Once its validity period ends, clients refuse the connection or throw up a warning, and the site breaks. You can view the certificate in your browser to see the expiration date when you load a page that uses it. How you get at the certificate details differs by browser (usually by clicking the padlock in the address bar), so I'll leave you to learn how to view the certificate in your preferred browser.

Solution: Renew or purchase a new certificate and follow your CA's instructions to install it. After installing, confirm that the server is actually presenting the new certificate: it's easy to drop the new file in place and keep serving the old one until the server process is restarted or reloaded.

If you have already purchased and installed a new certificate and you're still having problems, then it's likely a configuration issue, so check the "Certificate Configuration" section below.
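The checks above, as an added example that is not part of the original post: a small shell script around the openssl command-line tool (which it assumes is installed) that reports a certificate's expiry date, tests whether it survives a given number of days (handy as a monitoring check), and, for the live-server case, fetches the certificate the server is really presenting. The certificate it tests against is a throwaway one it generates itself; the hostname is made up.

```shell
#!/bin/sh
# Added example (not from the original post): checking certificate expiry
# with the openssl command-line tool, which this script assumes is installed.
set -eu

# Print the notAfter date of a PEM certificate file.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate in $1 is still valid $2 days from now,
# non-zero if it has already expired or expires within that window.
# As a monitoring check, run it with a 30-day window and alert on failure.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the validity dates of the certificate a live server actually presents
# (with SNI, so you see the right one on a multi-host server). Needs network
# access, so the offline demo below does not call it.
remote_cert_dates() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
}

# Constructed fixture: a throwaway self-signed certificate valid for one day,
# standing in for a certificate that is about to expire. The hostname is made up.
make_short_lived_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dev.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

DEMO=$(mktemp -d)
make_short_lived_cert "$DEMO"
echo "expires: $(cert_not_after "$DEMO/cert.pem")"
if cert_valid_for_days "$DEMO/cert.pem" 30; then
    echo "OK: more than 30 days left"
else
    echo "WARNING: expires within 30 days, renew now"
fi
```

Note the `-servername` flag on the remote check: a server hosting several sites picks its certificate by SNI, so without it you may be looking at the wrong certificate and chasing an expiry that isn't yours.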

Hostname Doesn't Match

Browsers and SSL-enabled programs don't like it when the hostname in the certificate doesn't match the hostname in the URL being used to access the content, and they complain about it. In a browser you'll see a pop-up window warning you of imminent danger. In a program you wrote, it will show up in an error console or log file. In Java, you can see a nice exception stack trace telling you of the hostname mismatch.

The problem here could be configuration or usage, so I'll give a list of things to check:

  • Check that the hostname in the certificate you installed does indeed match the hostname of your server. Modern clients match the URL's hostname against the certificate's subjectAltName (SAN) entries, not just the Common Name, so a certificate with only a CN is rejected by current browsers even when the CN is right. Certificates aren't perfect and can sometimes come with the wrong hostname, or it's possible there was an error in ordering the certificate.
  • Did the hostname get changed recently?
  • Is the IP address being used in the URL rather than the hostname that matches the certificate? An IP address only matches if the certificate carries it as an IP-address SAN entry, which is uncommon.

Certificate Configuration

If a new certificate was recently installed, check for these common mistakes:

  • Certificate not installed where your server expects to find it. Check the server configuration files to learn where it expects the certificate.
  • Similarly, check that the certificate file has the name the server is expecting.
  • Incorrect certificate format. Servers expect the certificate in a particular encoding or container: PEM (Base64 text between BEGIN/END lines, read by Apache, nginx and most OpenSSL-based software), DER (binary), PKCS#12/PFX (certificate and private key in one password-protected file, used by IIS and Java keystores) or PKCS#7. CAs let you download the certificate in a chosen format, but the certificate itself is the same in all of them, so if you got the wrong one you can either re-download it from the CA or convert it locally with openssl; there is no need to reorder it.

You'd be surprised how often simple errors regarding file path, file name and certificate format occur.
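Telling the formats apart, as an added example that is not part of the original post: a shell script around openssl (assumed to be installed) that identifies whether a file is PEM or DER, converts either to PEM, bundles a certificate and key into PKCS#12, and compares fingerprints to prove that a re-encoded file is still the same certificate. The certificate it works on is a throwaway one it generates; the hostname is made up.

```shell
#!/bin/sh
# Added example (not from the original post): telling PEM from DER and
# converting between the formats a server might expect. Assumes openssl is installed.
set -eu

# Print PEM, DER or UNKNOWN for the certificate file in $1.
cert_format() {
    if openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then echo PEM
    elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then echo DER
    else echo UNKNOWN
    fi
}

# Convert a certificate in either encoding to PEM (what Apache, nginx and most
# OpenSSL-based servers read). $1 input, $2 output.
to_pem() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -outform PEM -out "$2"
}

# Bundle a PEM certificate and its private key into a PKCS#12 (.pfx) file for
# IIS or a Java keystore. $1 cert, $2 key, $3 output, $4 export password.
to_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Print the SHA-256 fingerprint. Two files with the same fingerprint are the
# same certificate regardless of encoding, which is the quick way to confirm
# that a "wrong format" file is merely re-encoded, not a different certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -fingerprint -sha256 \
        | sed 's/^.*=//'
}

# Constructed fixture: a throwaway self-signed certificate; the hostname is made up.
DEMO=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=dev.example.test" \
    -keyout "$DEMO/key.pem" -out "$DEMO/cert.pem" >/dev/null 2>&1
openssl x509 -in "$DEMO/cert.pem" -outform DER -out "$DEMO/cert.der"
printf 'not a certificate\n' > "$DEMO/junk.txt"
for f in cert.pem cert.der junk.txt; do
    echo "$f: $(cert_format "$DEMO/$f")"
done
```

A practical tip that falls out of `cert_fingerprint`: compare the fingerprint of the file on disk with the one the browser shows for the live site. If they differ, the server is not serving the file you think it is, which is the path/name mistake from the list above.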

Certificate Chain, Testing With Self-Signed Certificate

Developers often want to test with SSL, so they generate a self-signed certificate to test with, and then are mystified when it doesn't work. There are two problems with this scenario: first, the hostname mismatch described above, and second, the browser or program accessing the site cannot build a valid certificate chain for the certificate.

The hostname mismatch is easily solved by generating a certificate whose hostname (in the subjectAltName) matches the name of your development server.

The certificate chain problem arises because a self-signed certificate is its own issuer: there is no path from it to a Certificate Authority the client already trusts, so the client rejects it. You can work around this by explicitly granting trust to the certificate:

  • Import the self-signed certificate into your browser as a trusted certificate authority.
  • Import the self-signed certificate into your truststore; this is simple to do in Java with keytool.

Do this only on development machines, and don't "fix" the problem by disabling certificate verification in your code instead: that setting has a way of surviving into production, where it silently defeats SSL.

Certificate Chain, Untrusted Root Certificate

I've seen cases where a certificate was showing up as untrusted when we knew it was a new certificate that we spent good money on and it should be trusted. This usually turns out to be a certificate format issue, so see the section on "Certificate Configuration". The other frequent cause is a missing intermediate certificate: most commercial CAs sign your certificate with an intermediate CA rather than with their root, and your server has to send that intermediate along with its own certificate (most servers take a chain file or a concatenated PEM file). A client that doesn't already have the intermediate cannot build the chain up to the trusted root and reports the certificate as untrusted, even though it is perfectly good.
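The three chain and hostname failures from the sections above (hostname mismatch, untrusted self-signed root, missing intermediate), reproduced as an added example that is not part of the original post. The shell script below, which assumes openssl is installed, builds a throwaway root CA, an intermediate CA and a server certificate, then runs the same checks a browser performs with `openssl verify`, once in the failing configuration and once fixed. Every name and hostname in it is made up.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway root CA, an
# intermediate CA and a server certificate, then reproduce hostname mismatch,
# untrusted self-signed root and missing intermediate, and show the openssl
# checks that diagnose each. Assumes openssl is installed; all names are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extensions for CA certificates and for the server (leaf) certificate.
# The leaf carries the hostname in subjectAltName; that is what clients match.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dev.example.test\n' > leaf.ext

# new_key_and_csr NAME SUBJECT: private key plus certificate request.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Root CA: self-signed, i.e. exactly what a developer's "self-signed cert" is.
new_key_and_csr root "/CN=Dev Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1

# Intermediate CA signed by the root, the way most commercial CAs issue.
new_key_and_csr int "/CN=Dev Intermediate CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out int.pem >/dev/null 2>&1

# Server certificate signed by the intermediate.
new_key_and_csr server "/CN=dev.example.test"
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out server.pem >/dev/null 2>&1

# Show what a client matches against: the subject and SAN of the server cert.
show_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# verify_chain LEAF TRUSTED_ROOTS [INTERMEDIATES]
# Exit 0 if LEAF chains to a root in TRUSTED_ROOTS, using the (untrusted)
# INTERMEDIATES file the way a client would use the extra certs a server sends.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# verify_hostname LEAF TRUSTED_ROOTS INTERMEDIATES HOSTNAME
# Same as verify_chain plus the hostname check a browser performs.
verify_hostname() {
    openssl verify -CAfile "$2" -untrusted "$3" -verify_hostname "$4" "$1" >/dev/null 2>&1
}

show_names server.pem
# Missing intermediate: the server cert alone cannot reach the trusted root.
verify_chain server.pem root.pem && echo "unexpected: chain ok" || echo "FAIL: intermediate missing"
# Trusting only the intermediate is not enough either: the chain must end at a root.
verify_chain server.pem int.pem int.pem && echo "unexpected: chain ok" || echo "FAIL: root not trusted"
# Serving the intermediate along with the leaf, and trusting the root, fixes it.
verify_chain server.pem root.pem int.pem && echo "OK: full chain verifies"
# Hostname check: the SAN says dev.example.test, so any other name is rejected.
verify_hostname server.pem root.pem int.pem dev.example.test && echo "OK: hostname matches"
verify_hostname server.pem root.pem int.pem www.example.test || echo "FAIL: hostname mismatch"

# To trust the dev root elsewhere, import root.pem (not server.pem): into the
# browser's certificate authorities, or into a Java truststore with
#   keytool -importcert -trustcacerts -alias devroot -file root.pem -keystore truststore.jks
```

The point of the two failing `verify_chain` calls is the diagnosis: "unable to get local issuer certificate" with the root trusted means the server isn't sending its intermediate, while the same failure with only the intermediate trusted means the client's truststore is missing the root. For a purely self-signed development certificate, the root and the leaf are the same file, and that one file is what you import.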

SSL and Load Balancers - Sessions

SSL gets along fine with load balancers, but if application sessions are being killed or users are unexpectedly logged off, you'll need to look at the load balancer's session persistence (stickiness) configuration. When each backend server terminates SSL itself, the balancer cannot see the application's session cookie, so it usually pins a client to a backend by SSL session ID instead. Browsers start new SSL sessions regularly, and when the session ID changes the client lands on a different backend that knows nothing about its application session. The usual fixes are to terminate SSL on the load balancer so it can do cookie-based persistence, or to share application session state across the backends.

SSL and Load Balancers - Spotty Off and On Errors

If you're seeing SSL problems on a load-balanced service, but not consistently, then the most likely culprit is that one or more of the servers behind that load balancer has one of the above errors, such as an expired or mis-configured certificate. You'll have to check every server behind the balancer individually, connecting to each by its own address rather than through the balancer, to find which ones are not working correctly; hopefully you have monitors on all of them so that will be easy to do.

Also remember to check ACLs. I've seen cases where new servers were added to a load balancer configuration and SSL was working perfectly on those servers, but the IT people forgot to register those servers in the ACL (on either end of the transaction).

Links and More Information

[Image: a very detailed diagram of the SSL handshake (full-size version 2081x1853).]

Filed under: Security