03 Jan Datapower mutual authentication SSL/TLS debugger
When implementing mutual TLS 1.2 for some services on DataPower, we came to the conclusion that most developers have quite some issues with implementing it, more specifically using the wrong certificates and/or using the wrong version of SSL/TLS or cipher.
So as a solution I came up with a self service debugging tool for the developers. By sending a dummy request, developers can obtain information about the TLS connection. By sending some random content with a valid client cert (signed by the intermediate or root CA) on port 7777, the service returns the issuer and subject of their client certificate as well as the cipher. Based on that cipher it makes a guess at the SSL/TLS version they use and gives them an other port on which they can test again allowing only 1 version of TLS. So they can test the different ports (7775, 7776, 7778) and see whether or not they get a response allowing them to deduct what version of TLS they are using.
In the screenshot below you can see an example response on port the first port (supporting all versions of SSL/TLS).
I created this service using a multi protocol gateway with a custom xsl (ssltestservice).Which you can see below
Author:
Tom V.O.
Below you can find the required files to recreate this service, feel free to reuse this or modify it them to your needs
Here you can find an export of the multi protocol gateway and all the relevant objects
mpg ssltest export.zip
the required certs and keys for the DataPower
datapower-certs.zip
Th archive with the clients certs in various formats
datapower-clientcerts.zip
No Comments