SSL Diagnostics for IIS/IIS Express¶
By Lex Li
This page shows you how to use SSL Diagnostics.
There were either official or unofficial tools from Microsoft called SSL Diagnostics.
IIS 6 used to have a great suite of troubleshooting tools. One of them was for SSL related diagnostics, called SSL Diagnostics (SSL Diag or SSLDiag for short) . As it was designed for IIS 6 and relies on IIS ADSI API (which is obsolete), this tool was not made available for IIS 7 and above.
Of course you can use the IIS 6 version if you enable IIS 6 Compatibility component on IIS 7 and above, but it would be less convenient.
Later, a Microsoft employee Vijayshinva Karnure developed a newer version that relied only on IIS 7+ new API, and released it on IIS.net . It works for all IIS versions (up to 10), but it does not work for IIS Express.
The previous tools were designed without SHA-2 and recent SSL/TLS best practices in mind. Their reports can simply miss recent warnings on obsolete SHA-1 certificates and obsolete protocols like SSL 3.0.
So what if you want a modern tool to troubleshoot SSL/TLS issues on IIS and especially IIS Express? Jexus Manager fills the gaps.
For web servers opened in Jexus Manager, there is an action called SSL Diagnostics showed.
A report is generated when “Generate Report” button is clicked.
Typical things analyzed by SSL Diagnostics,
- SNI or IP based mappings in Windows HTTP API.
- Certificate related,
- Signature algorithm (SHA-1 is obsolete).
- Validity check (expired or not).
- Subject Alternative Name extension (should present as browsers require).
- Private key availability.
- Chain verification.
This SSL Diagnostics tool is updated often to include more checks on recent SSL /TLS best practices.