I covered 1-way SSL debugging in the earlier post, Debug SSL issue – part 1 (1 way SSL).
The only difference with 2-way SSL is the additional step in which the server verifies the client certificate.
- In the *** ServerHello, TLSv1.2 block, the server also challenges the client to provide its certificate; you see this at the end of the server hello:
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=XXXXXXXXXXxXXXXX>
<OU=XXXXXXXXXXXXXXX>
<CN=XXXXXXXXXXXXXXXx>
- Basically, the server is asking the client to provide a certificate signed by one of the certificate authorities (CAs) in that list. The server trusts only these CAs.
- The client looks through its keystore (identity store) for a certificate issued by one of the CAs in the list. If it finds one, it sends that certificate to the server.
- The server validates the certificate sent by the client; if it finds that certificate or its certificate chain in its trust store, it prints:
matching alias: XXXXXX
*** Certificate chain
chain [0] = […………
- The next steps are similar to 1-way SSL.
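The two client-certificate steps above can be replayed offline, without a live handshake, through the same JSSE classes that produce the "matching alias:" line. The program below is an added example, not code from the original post: it loads the client's identity store and the server's trust store, asks an X509KeyManager which alias it would choose for the CA list printed under *** CertificateRequest, and then asks an X509TrustManager whether the server side would accept that chain. The keystore paths, passwords and the CA distinguished names on the command line are placeholders you replace with your own; "Cert Types: RSA, DSS" from the log is passed as the key types RSA and DSA.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Replays the client-certificate steps of a 2-way SSL handshake offline:
 *  1. which identity-store alias JSSE would pick for the CA list in CertificateRequest
 *  2. whether the server's trust store would accept that chain
 *
 * Usage (all paths, passwords and DNs are placeholders, not values from the post):
 *   java MutualTlsCheck client.p12 changeit server-trust.p12 changeit "CN=Example Issuing CA,O=Example"
 */
public class MutualTlsCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        // PKCS12 is the JDK default store type; use "JKS" for older .jks files
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] keyPass = args[1].toCharArray();
        KeyStore identity = load(args[0], keyPass);          // client keystore / identity store
        KeyStore trust = load(args[2], args[3].toCharArray()); // server trust store

        // The "Cert Authorities" DNs printed under *** CertificateRequest
        Principal[] issuers = new Principal[args.length - 4];
        for (int i = 4; i < args.length; i++) {
            issuers[i - 4] = new X500Principal(args[i]);
        }

        // Step 1: client-side selection, the same X509KeyManager JSSE uses when it logs "matching alias:"
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];

        // "Cert Types: RSA, DSS" in the debug output corresponds to key types RSA and DSA here
        String[] keyTypes = {"RSA", "DSA"};
        String alias = km.chooseClientAlias(keyTypes, issuers, null);
        if (alias == null) {
            // Nothing in the store is issued by a listed CA: the client would send no certificate.
            // List the candidates and their issuers so the DN mismatch is visible.
            System.out.println("no matching alias for the requested CA list");
            for (String keyType : keyTypes) {
                String[] all = km.getClientAliases(keyType, null); // null issuers = any issuer
                if (all == null) continue;
                for (String a : all) {
                    X509Certificate[] c = km.getCertificateChain(a);
                    System.out.println("  candidate " + a + " issued by " + c[0].getIssuerX500Principal());
                }
            }
            return;
        }
        X509Certificate[] chain = km.getCertificateChain(alias);
        System.out.println("matching alias: " + alias);
        for (int i = 0; i < chain.length; i++) {
            System.out.println("chain [" + i + "] = " + chain[i].getSubjectX500Principal());
        }

        // Step 2: server-side validation of that chain against the trust store
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            System.out.println("server trust store accepts the chain");
        } catch (CertificateException e) {
            // This is the failure the server reports when the issuing CA is not in its trust store
            System.out.println("server would reject the chain: " + e.getMessage());
        }
    }
}
```

When the handshake log shows the CertificateRequest but no "matching alias:" line, run this with the exact DNs from the "Cert Authorities" block; the candidate listing shows which issuer the client's certificates actually carry, which is usually a DN that differs from the requested one by a single attribute.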