lang2

Reputation: 11976

Debugging self-signed https connection

I'm trying to secure my web app with https. So I used the following command

openssl req \
    -newkey rsa:2048 -nodes -keyout domain.key \
    -x509 -days 365 -out domain.crt

to generate a certification/key pair and uploaded it to the server. This is a cloud server from qingcloud and it's actually bound to the load balancer I have (I don't think it matters but just for information).

So I then did the following to test it:

curl --insecure https://my.domain.org

But it always times out.

This is a bit vendor specific so my question is:

What are the techniques to debug an https connection?

Upvotes: 0

Views: 331

Answers (1)

Steffen Ullrich

Reputation: 123461

But it always times out.

Whatever times out exactly: If it already fails to establish the TCP connection there might be a firewall in between dropping the packet. This case has nothing to do with TLS since TLS is not even started. If it times out inside the TLS handshake an old F5 load balancer might be the problem.

What are the techniques to debug an https connection?

As long as it is related to the TCP connection setup (like in this case?) you can use the usual packet capturing (tcpdump, wireshark...) at the appropriate places (at the client, load balancer, server...) to see what's going on. And of course look into any kind of log files.

If the TCP connection itself is established you can start with debugging the TLS part of HTTPS. 99% of the problems there are related to the TLS handshake and apart from the excellent wireshark you can use several other tools. But more important is the knowledge of how TLS works and what can go wrong so you are able to interpret the data of the tools. You might have a look at my article about debugging SSL/TLS problems for more information, since it makes no sense to replicate everything here again.

Upvotes: 1
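
The answer above separates a timeout during TCP connection setup from a timeout inside the TLS handshake. The following is an added example, not part of the original answer, that reports which of the two stages a connection stops at; the function name diagnose and the stage labels it returns are assumptions made for this illustration.

```python
import socket
import ssl


def diagnose(host, port=443, timeout=5.0):
    """Return (stage, detail) naming where an HTTPS connection stops."""
    # Stage 1: plain TCP connect. A timeout here means packets are being
    # dropped (firewall, security group, load balancer listener missing);
    # TLS has not even started, so the certificate is irrelevant.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp_timeout", "no reply to SYN; capture packets on each hop")
    except ConnectionRefusedError:
        return ("tcp_refused", "host reachable but nothing listens on the port")
    except OSError as exc:
        return ("tcp_error", str(exc))

    # Stage 2: TLS handshake. Verification is disabled only because the
    # certificate under test is self-signed (the same as curl --insecure).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert(binary_form=True)
            return ("ok", f"{tls.version()} {tls.cipher()[0]} cert={len(cert)}B")
    except socket.timeout:
        return ("tls_timeout", "TCP is up but the peer never answered ClientHello")
    except (ssl.SSLError, OSError) as exc:
        return ("tls_error", str(exc))
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    # Usage: python diagnose.py my.domain.org [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(diagnose(target, int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A tcp_timeout result points at packet filtering and is investigated with tcpdump or wireshark as the answer describes; tls_timeout or tls_error means the TCP path works and the handshake itself needs inspection.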
