Blog | G5 Cyber Security

TLS Authentication Messages

TL;DR

This guide explains how to understand authentication messages within a TLS (Transport Layer Security) connection. We’ll cover checking certificates, verifying trust chains, and identifying common errors.

Understanding TLS Authentication

When you connect to a secure website (HTTPS), your browser and the server perform a ‘handshake’. Part of this handshake involves authentication – proving that the server is who it claims to be. This relies on digital certificates.

1. Checking the Server Certificate

  1. View the Certificate: Most browsers allow you to view the certificate presented by a website. Look for an icon (usually a padlock) in your browser’s address bar, click it, and find options like ‘Connection is secure’, ‘Certificate’, or similar.
  2. Basic Information: The certificate will show details like:
    • Issued To: The domain name the certificate is valid for (e.g., www.example.com). Make sure this matches the website you’re visiting.
    • Issued By: The Certificate Authority (CA) that issued the certificate (e.g., Let’s Encrypt, DigiCert).
    • Validity Period: The dates between which the certificate is trusted. Certificates expire!

2. Verifying the Trust Chain

Your browser doesn’t issue certificates itself. Certificates are signed by Certificate Authorities (CAs), and your browser ships with a list of CAs it trusts. To verify a certificate, your browser checks whether it was signed by one of those trusted CAs (directly or through a chain, as described below).

  1. Root Certificates: The top-level CAs are called ‘root’ certificates. These are pre-installed in your operating system and browser.
  2. Intermediate Certificates: Often, the server certificate isn’t directly signed by a root CA. Instead, it’s signed by an ‘intermediate’ certificate which *is* signed by a root CA. This creates a ‘chain of trust’.
  3. Chain Validation: Your browser builds this chain from the server certificate to the trusted root CA. If any link in the chain is missing or invalid, you’ll get an error.

3. Identifying Common Errors

Here are some common TLS authentication errors and what they mean:

4. Using OpenSSL to Inspect Certificates (Advanced)

For more detailed inspection, you can use the command-line tool openssl.

  1. Check Certificate Details: Use this command to view a certificate:
    openssl x509 -in certificate.pem -text -noout

    Replace ‘certificate.pem’ with the actual filename of the certificate.

  2. Verify Chain Validation: You can verify the chain using this command (requires access to the CA bundle):
    openssl verify -CAfile ca_bundle.pem certificate.pem

    Replace ‘ca_bundle.pem’ with a file containing trusted root and intermediate certificates.
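The following script is an added example (not code from the G5 post) that ties sections 2 and 4 together: it builds a throwaway root/intermediate/leaf chain with openssl, then runs ‘openssl verify’ with and without the intermediate so you can see the exact error a missing chain link produces, followed by a hostname check and an expiry check. The CA names, www.example.com and the .pem file names are constructed for the demo; it assumes an OpenSSL 1.1.1 or later binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Everything below (CA names, hostnames,
# file names) is constructed for the demo and written to a temporary directory.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create root (self-signed), intermediate (signed by root) and leaf (signed by intermediate).
make_chain() (
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 3 \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 2 -extfile inter.ext >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.com" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out leaf.pem -days 1 -extfile leaf.ext >/dev/null 2>&1
  # The bundle step 2 of the post asks for: trusted root plus the intermediate.
  cat root.pem inter.pem > ca_bundle.pem
)

# verify_leaf CAFILE [extra openssl verify options]
# Prints "ok" when the chain validates, otherwise the reason openssl reports
# (lower-cased, because capitalisation differs between OpenSSL 1.1.1 and 3.x).
verify_leaf() {
  cafile="$WORK/$1"; shift
  if out="$(openssl verify -CAfile "$cafile" "$@" "$WORK/leaf.pem" 2>&1)"; then
    echo ok
  else
    # failure output contains "error N at D depth lookup: <reason>"; keep only the reason
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 | tr 'A-Z' 'a-z'
  fi
}

make_chain
verify_leaf root.pem                                  # missing link: unable to get local issuer certificate
verify_leaf ca_bundle.pem                             # full chain: ok
verify_leaf root.pem -untrusted "$WORK/inter.pem"     # intermediate supplied as untrusted: ok
verify_leaf ca_bundle.pem -verify_hostname www.example.com   # "Issued To" matches: ok
verify_leaf ca_bundle.pem -verify_hostname mail.example.com  # wrong name: hostname mismatch
verify_leaf ca_bundle.pem -attime "$(( $(date +%s) + 10 * 86400 ))"  # 10 days on: certificate has expired
```

The first call fails only because the intermediate is absent from the trust material; supplying it either inside the CA bundle or via ‘-untrusted’ lets the chain reach the trusted root.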

5. Troubleshooting
