SSL Diagnostics

By Lex Li

This page shows you how to use SSL Diagnostics.

Background

IIS 6 shipped with a useful suite of troubleshooting tools. One of them, for SSL-related diagnostics, was called SSL Diagnostics (SSL Diag or SSLDiag for short).

Because SSLDiag was designed for IIS 6 and relied on the IIS ADSI API (now obsolete), it was never made available for IIS 7 and above.

You can still run the IIS 6 version if you enable the IIS 6 Management Compatibility component on IIS 7 and above, but that is less convenient.

Vijayshinva Karnure, a Microsoft employee, developed a newer version that relies only on the IIS 7+ API and released it on IIS.net.

It works on IIS 7 through IIS 10, but it does not work on IIS Express.

Note

Both earlier tools were designed before SHA-2 migration and current SSL/TLS best practices. Their reports can simply miss warnings that matter today, such as certificates still signed with SHA-1 or obsolete protocols like SSL 3.0 left enabled.

The Built-in SSL Diagnostics in Jexus Manager

When a web server is opened in Jexus Manager, an action called SSL Diagnostics is shown.

../_images/ssl_diag.png

A report is generated when the “Generate Report” button is clicked.

../_images/ssl_report.png

Typical items analyzed by SSL Diagnostics:

  • SNI- or IP-based certificate bindings in the Windows HTTP API (HTTP.sys).
  • Certificate-related checks:
    • Signature algorithm (SHA-1 is obsolete).
    • Validity period (expired or not yet valid).
    • Subject Alternative Name extension (must be present, as browsers require it and ignore the Common Name).
    • Private key availability (without it the server cannot complete the TLS handshake).
    • Chain verification (the intermediate and root certificates must be resolvable on the server).
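The checks in the list above can be reproduced with tooling that ships with Windows. The PowerShell script below is an added example written for this page; it is not Jexus Manager's or SSLDiag's own code. It reads the HTTP.sys bindings with `netsh http show sslcert` (assuming English netsh output, since the regular expressions depend on the field names), applies the certificate checks listed above to every bound certificate, and also reports whether SSL 3.0 is explicitly disabled in Schannel, the gap the note earlier on this page mentions for the older tools. The function names (`Get-HttpSysSslBindings`, `Test-ServerCertificate`, `Test-Ssl3Disabled`) are this example's own, and it assumes an elevated session on the IIS host with the bound certificates in the LocalMachine store.

```powershell
# Added example (not Jexus Manager's or SSLDiag's code): reproduce the core SSL Diagnostics
# checks with built-in Windows tooling. Run in an elevated PowerShell on the IIS host.
# Assumptions: English 'netsh' output (the regexes below depend on it) and that each bound
# certificate lives in the LocalMachine store named in its binding.

function Get-HttpSysSslBindings {
    # Parse 'netsh http show sslcert' (the HTTP.sys SSL configuration, which is what the
    # server actually uses) into one object per IP-based or SNI-based binding.
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{
                Endpoint   = $Matches[2]
                Kind       = if ($Matches[1] -eq 'Hostname:port') { 'SNI' } else { 'IP' }
                Thumbprint = $null
                Store      = 'My'
            }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Thumbprint = $Matches[1].ToUpper()
        } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.Store = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Test-ServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # One finding per failed check, mirroring the report items: signature algorithm,
    # validity period, SAN presence, private key availability and chain verification.
    $findings = @()

    if ($Cert.SignatureAlgorithm.FriendlyName -match '^(sha1|md5)') {
        $findings += "Obsolete signature algorithm: $($Cert.SignatureAlgorithm.FriendlyName)"
    }

    $now = Get-Date
    if ($Cert.NotAfter -lt $now)  { $findings += "Expired on $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt $now) { $findings += "Not valid until $($Cert.NotBefore)" }

    # 2.5.29.17 is the OID of the Subject Alternative Name extension.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        $findings += 'No Subject Alternative Name extension; browsers ignore the CN and will reject it'
    }

    if (-not $Cert.HasPrivateKey) {
        $findings += 'Private key not available; HTTP.sys cannot complete the TLS handshake'
    }

    # Build the chain the way Schannel would; revocation is skipped so the check works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "Chain verification failed: $status"
    }
    return $findings
}

function Test-Ssl3Disabled {
    # Schannel protocol switches live under this registry key. A missing 'Enabled' value
    # means the OS default applies, which on older Windows versions leaves SSL 3.0 on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 0)
}

# Report: one block per HTTP.sys binding, then the protocol check.
foreach ($b in Get-HttpSysSslBindings) {
    Write-Host "[$($b.Kind)] $($b.Endpoint) -> $($b.Thumbprint) (store: $($b.Store))"
    $cert = Get-Item "Cert:\LocalMachine\$($b.Store)\$($b.Thumbprint)" -ErrorAction SilentlyContinue
    if (-not $cert) { Write-Host '  WARNING: certificate not found in the LocalMachine store'; continue }
    $issues = Test-ServerCertificate -Cert $cert
    if ($issues) { $issues | ForEach-Object { Write-Host "  WARNING: $_" } } else { Write-Host '  OK' }
}
if (-not (Test-Ssl3Disabled)) {
    Write-Host 'WARNING: SSL 3.0 is not explicitly disabled for the server side in Schannel'
}
```

Revocation checking is deliberately turned off in the chain build so the script gives the same answer on a host without outbound CRL/OCSP access; turn `RevocationMode` back to `Online` if you also want to catch revoked certificates.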

This SSL Diagnostics tool is updated often to include more checks based on recent SSL/TLS best practices.