Q: Does Microsoft provide any tools for troubleshooting Secure Sockets Layer (SSL)/Transport Layer Security (TLS) setup and configuration problems on a Microsoft IIS Web server? If there are such tools, where can I find them?
A: A great tool for troubleshooting an IIS SSL/TLS setup is the Microsoft SSL Diagnostics tool. You can download version 1.1 of the SSL Diagnostics tool for x86 platforms from http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&DisplayLang=en. You can download IA64 and AMD64 platform versions of the tool from http://www.microsoft.com/downloads.
These SSLdiag.msi installation packages support two installation modes: typical and complete. The typical mode installs only the tools administrators need to run SSL Diagnostics. The complete install mode installs the same files plus the associated documentation. Included in the full installation, for example, is an SSL FAQ that can assist administrators in learning about SSL.
The SSL Diagnostics tool can help IIS administrators in the following ways when troubleshooting SSL problems:
- SSLDiag provides a single GUI that displays all the relevant IIS SSL configuration information. Most of this information is spread across the IIS metabase and part of it isn't displayed in the Microsoft Management Console (MMC) Internet Services Manager (ISM) snap-in. The tool also displays useful reference information about the selected configuration setting (e.g., the “ServerCacheEntries” setting that Figure 1 shows) in the bottom part of the SSLDiag GUI.
- You can also run SSLDiag in silent “log” mode, which means that the tool won't display the SSL configuration information in the SSLDiag GUI but instead dumps it in a log file. The log file is called Ssldiag.log and is created on the local computer in the directory where the SSL Diagnostics executable (Ssldiag.exe) is installed.
- SSLDiag checks for the correct configuration of SSL objects and settings and informs the administrator if something is wrong. These objects and settings include SSL client and server certificates, SSL ports, and private keys.
- SSLDiag allows IIS administrators to easily test whether their current SSL server certificate is working properly. IIS administrators can temporarily replace their current SSL server certificate with a self-signed certificate from the SSLDiag GUI. Installing a self-signed certificate is as simple as right-clicking a Web site level (e.g., [W3SVC/1] in the example that Figure 1 shows) and selecting “Create New Cert.” When testing is complete, the administrator can restore the original certificate in IIS.
- SSLDiag allows IIS administrators to simulate an SSL connection between their Web server and a browser. This is helpful for determining where in the SSL handshake process the SSL connection breaks down. To simulate an SSL handshake, right-click a Web site level and select “Simulate SSL Handshake,” which brings up the “SSL Diagnostics – Probe SSL” dialog box.
- You can also use SSLDiag to monitor the use of SSL client certificates in real time. To do so, you must use SSLDiag’s “client certificate monitor” feature. As the Web server parses SSL client certificate information, SSLDiag displays both the client certificates that are trying to connect to your Web site and the information contained in those certificates. SSLDiag displays both valid and invalid certificates, including the reasons for invalid certificates (expired, not yet valid, or revoked).
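As an added illustration of the last two features, the following Python script (written for this page; it is not part of the SSL Diagnostics tool and not code from the original answer) does from the command line what “Simulate SSL Handshake” and the client certificate monitor do in the GUI: it connects to a host and port, reports whether the connection broke at the TCP, TLS handshake, or certificate verification stage, and classifies a certificate in the layout returned by Python’s `getpeercert()` as valid, expired, not yet valid, or revoked. The plaintext listener and the sample certificate are constructed test doubles (the listener stands in for a port that answers plain HTTP instead of TLS), the revoked-serial set is a constructed stand-in for a CRL lookup, and `www.example.com` in the usage line is a placeholder host.

```python
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProbeResult:
    stage: str                      # "tcp", "tls", "verify" or "ok": how far the connection got
    detail: str
    tls_version: Optional[str] = None
    cipher: Optional[str] = None
    peer_cert: Optional[dict] = None

def probe_tls(host: str, port: int, server_hostname: Optional[str] = None,
              verify: bool = True, timeout: float = 5.0) -> ProbeResult:
    """Connect to host:port, run a TLS handshake and report the stage at which it broke down."""
    ctx = ssl.create_default_context()
    if not verify:                  # useful against a self-signed test certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ProbeResult("tcp", f"TCP connect to {host}:{port} failed: {exc}")
    try:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
            return ProbeResult("ok", "handshake completed", tls.version(),
                               tls.cipher()[0], tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # The handshake reached the server certificate, but its chain or name did not verify.
        return ProbeResult("verify", "certificate verification failed: "
                           + getattr(exc, "verify_message", str(exc)))
    except ssl.SSLError as exc:
        # The server answered, but not with a usable TLS handshake (plain HTTP on the port,
        # no common protocol version or cipher suite, and so on).
        return ProbeResult("tls", f"TLS handshake failed: {exc}")
    except OSError as exc:
        # TCP connect already succeeded, so a reset or timeout here belongs to the handshake stage.
        return ProbeResult("tls", f"connection dropped during TLS handshake: {exc}")
    finally:
        raw.close()                 # no-op once wrap_socket() has taken the socket over

def cert_time(s: str) -> float:
    """Epoch seconds for a time string in getpeercert()'s 'Jan  5 09:59:47 2025 GMT' format."""
    return ssl.cert_time_to_seconds(s)

def classify_cert(cert: dict, now: float, revoked_serials: frozenset = frozenset()) -> str:
    """Report a getpeercert()-style dict the way the client certificate monitor does:
    'valid', 'expired', 'not yet valid' or 'revoked'. revoked_serials is a constructed
    local stand-in for a CRL lookup."""
    if cert.get("serialNumber") in revoked_serials:
        return "revoked"
    if now < cert_time(cert["notBefore"]):
        return "not yet valid"
    if now > cert_time(cert["notAfter"]):
        return "expired"
    return "valid"

# Constructed sample in getpeercert() layout; every value is made up for this example.
SAMPLE_CLIENT_CERT = {
    "subject": ((("commonName", "test-client"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

def start_plaintext_listener() -> int:
    """Constructed test double: accepts one connection and answers the ClientHello with plain
    HTTP, the symptom of a port that is not actually serving TLS. Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            try:
                conn.recv(65536)        # drain the ClientHello so the close is a clean FIN
            except OSError:
                pass
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port

def reserve_closed_port() -> int:
    """Constructed helper: a loopback port nothing listens on, for the TCP-failure case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print(probe_tls("127.0.0.1", start_plaintext_listener()))   # expect stage "tls"
    print(probe_tls("127.0.0.1", reserve_closed_port()))        # expect stage "tcp"
    # Against a real server (placeholder host): probe_tls("www.example.com", 443)
    print(classify_cert(SAMPLE_CLIENT_CERT, cert_time("Jun 15 12:00:00 2024 GMT")))
```

The `stage` field is the part that matters for troubleshooting: `tcp` means nothing is listening on the SSL port, `tls` means something answered but not with a handshake the client could complete, `verify` means the handshake got as far as the server certificate and the chain or name failed, and `ok` carries the negotiated version, cipher, and certificate. Pass `verify=False` while a self-signed test certificate is installed, and pass `server_hostname` when the site name differs from the address you connect to.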