Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

The Illustrated TLS 1.2 Connection -- Every byte explained

Daniel Nashed – 14 February 2024 12:16:08

While debugging a TLS connection issue, I ran into this website --> https://tls12.xargs.org/

It provides more details than most admins ever want to know. But it is a great resource for understanding a TLS connection.
In my case I was looking for the first bytes when sending the server certificate in the TLS 1.2 Certificate handshake message --> https://tls12.xargs.org/#server-certificate/annotated

The certificate itself is just an ASN.1 DER encoding. But on the wire it is prefixed with a header -- which is what I was looking for.
This website saved me some time reading through the RFCs and is a more than valuable resource for understanding the details. It even provides command lines to get further information.
If you really want to know about certificates, this page also dives into the ASN.1 format -->
https://tls12.xargs.org/certificate.html#server-certificate-detail/annotated
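The header in front of the DER bytes is, per RFC 5246: a 5-byte TLS record header, a 4-byte handshake header, a 3-byte length of the whole certificate list, and then a 3-byte length in front of each certificate. As an added example (not code from the post or from the xargs.org site), the Python below builds such a Certificate message from constructed stand-in certificates and parses it back, checking each length field the way a capture tool would; it assumes the whole message sits in a single TLS record.

```python
import struct

TLS_HANDSHAKE = 0x16   # record content type: handshake
HS_CERTIFICATE = 0x0B  # handshake message type: Certificate
TLS12 = (3, 3)         # record-layer version bytes for TLS 1.2

def build_certificate_record(certs):
    """Wrap DER certificates in the TLS 1.2 Certificate message and record header."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries          # certificate_list
    handshake = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, *TLS12]) + struct.pack("!H", len(handshake)) + handshake

def parse_certificate_record(data):
    """Strip record, handshake and list headers; return the DER certificates in order."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if rec_len != len(data) - 5:
        raise ValueError("record length does not match payload")
    hs = data[5:]
    if hs[0] != HS_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("handshake length does not match payload")
    list_len = int.from_bytes(hs[4:7], "big")
    entries = hs[7:7 + list_len]
    if len(entries) != list_len:
        raise ValueError("certificate list truncated")
    certs, pos = [], 0
    while pos < len(entries):
        clen = int.from_bytes(entries[pos:pos + 3], "big")
        der = entries[pos + 3:pos + 3 + clen]
        if len(der) != clen:
            raise ValueError("certificate entry truncated")
        if der[:1] != b"\x30":  # a DER Certificate always starts with an ASN.1 SEQUENCE tag
            raise ValueError("certificate does not start with SEQUENCE")
        certs.append(bytes(der))
        pos += 3 + clen
    return certs

# Constructed stand-ins for DER certificates: SEQUENCE tag, length, filler bytes.
LEAF = b"\x30\x05" + b"\x01\x02\x03\x04\x05"
ISSUER = b"\x30\x03" + b"\xaa\xbb\xcc"
SAMPLE_RECORD = build_certificate_record([LEAF, ISSUER])

if __name__ == "__main__":
    for i, cert in enumerate(parse_certificate_record(SAMPLE_RECORD)):
        print(i, cert.hex())
```

Feed it the bytes of a real Certificate record from a capture and the first element returned is the server certificate, ready for `openssl x509 -inform DER`.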

Even if you just want to get a basic understanding, this page is really cool. And you can drill down to the last byte of the data going over the wire.

Domino has debug settings to capture all of this information when troubleshooting connection issues.
There are SSL debug level settings for the different parts of the TLS connection, and even lower-level NTI (Notes network abstraction layer) settings to get all those bytes captured.
OpenSSL also provides those details when run with -debug.


Something to try is the start of an SMTP STARTTLS connection:

openssl s_client -connect mail.acme.com:25 -starttls smtp -crlf -debug

-- Daniel




