Troubleshooting Tools

Language-specific debugging:

# Python SSL debugging script
import socket
import ssl

def debug_ssl_connection(hostname, port=443):
    # Default context: verifies the chain and hostname against the system trust store
    context = ssl.create_default_context()
    
    # Get certificate info
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            print(f"SSL Version: {ssock.version()}")
            print(f"Cipher: {ssock.cipher()}")
            
            # Get peer certificate
            cert = ssock.getpeercert()
            print(f"\nCertificate Subject: {cert['subject']}")
            print(f"Issuer: {cert['issuer']}")
            print(f"Valid from: {cert['notBefore']}")
            print(f"Valid until: {cert['notAfter']}")
            
            # DER-encoded peer (leaf) certificate; intermediates are not included here
            cert_bin = ssock.getpeercert(binary_form=True)
            print(f"\nCertificate size: {len(cert_bin)} bytes")

debug_ssl_connection('api.example.com')
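
The script above raises an exception before printing anything when verification fails, which is usually the case being debugged. The following added example (not part of the original page) classifies that exception instead; the function names, result keys and hint strings are this example's own, and the numeric codes are OpenSSL's X509_V_ERR_* values.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* numbers, exposed as SSLCertVerificationError.verify_code
VERIFY_CAUSES = {
    9: ("not_yet_valid", "check the client clock against the certificate's notBefore"),
    10: ("expired", "renew the server certificate, or fix a wrong client clock"),
    18: ("self_signed", "trust this certificate explicitly via cafile; keep verification on"),
    19: ("untrusted_root", "the chain's root is missing from the client CA bundle"),
    20: ("missing_issuer", "server omits an intermediate, or the CA bundle is outdated"),
    62: ("hostname_mismatch", "requested name is not in the certificate's subjectAltName"),
}

def classify_tls_error(exc):
    """Return (layer, cause, hint) for an exception raised while connecting."""
    # Order matters: SSLCertVerificationError < SSLError < OSError.
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        fallback = ("verify_failed", getattr(exc, "verify_message", str(exc)))
        return ("certificate",) + VERIFY_CAUSES.get(code, fallback)
    if isinstance(exc, ssl.SSLError):
        reason = getattr(exc, "reason", None) or "ssl_error"
        return ("handshake", reason, "compare TLS versions and ciphers on both sides")
    if isinstance(exc, socket.gaierror):
        return ("dns", "resolution_failed", "check the hostname and resolver")
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return ("network", "timeout", "check firewall rules and proxy settings")
    return ("network", type(exc).__name__, "TCP connection failed before TLS started")

def diagnose(hostname, port=443, timeout=10, context=None):
    """Attempt a verified handshake and report the outcome as a dict."""
    context = context or ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                return {"ok": True, "version": ssock.version(), "cipher": ssock.cipher()[0]}
    except OSError as exc:  # every error classified above derives from OSError
        layer, cause, hint = classify_tls_error(exc)
        return {"ok": False, "layer": layer, "cause": cause, "hint": hint}

if __name__ == "__main__":
    print(diagnose("api.example.com"))  # hostname taken from the script above
```

The `layer` field separates trust-store and certificate problems from protocol mismatches and plain connectivity failures, so the result can be logged or alerted on without parsing exception text.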

Cross-platform certificate inspection:

#!/bin/bash
# Certificate debugging script

DOMAIN="api.example.com"

echo "=== System Certificate Store ==="
# Linux
if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
    echo "Linux CA bundle: /etc/ssl/certs/ca-certificates.crt"
    echo "Certificates: $(grep -c 'BEGIN CERTIFICATE' /etc/ssl/certs/ca-certificates.crt)"
fi

# macOS
if [ -f /etc/ssl/cert.pem ]; then
    echo "macOS CA bundle: /etc/ssl/cert.pem"
    echo "Certificates: $(grep -c 'BEGIN CERTIFICATE' /etc/ssl/cert.pem)"
fi

echo -e "\n=== Testing Connection ==="
# Test with different TLS versions
for ver in 1.2 1.3; do
    echo -n "TLS $ver: "
    # ${ver/./_} turns 1.2 into 1_2, giving the s_client flags -tls1_2 and -tls1_3
    if openssl s_client -connect "$DOMAIN:443" -tls${ver/./_} </dev/null 2>/dev/null | grep -q "Verify return code: 0"; then
        echo "OK"
    else
        echo "FAILED"
    fi
done

echo -e "\n=== Certificate Chain ==="
openssl s_client -connect $DOMAIN:443 -showcerts </dev/null 2>/dev/null | grep -E "^(depth|verify|s:|i:)"

Library-specific tools:

  • Java: keytool for keystore management
  • .NET: HttpClient diagnostics and tracing
  • Ruby: OpenSSL debugging with verbose output
  • Go: GODEBUG=x509roots=1 for certificate debugging

Resolving programmatic SSL/TLS errors requires an understanding of language-specific implementations and certificate handling. By maintaining updated certificate stores, implementing proper error handling, and thoroughly testing across environments, you can build reliable API integrations that handle SSL/TLS securely and robustly.