Diagnosing SSL errors

Sometimes, SSL secured web pages return an error like:

“parts of the page you are viewing were not encrypted or the encryption is not strong enough before being transmitted over the Internet.”

Although the certificate is valid, some of the content on the page is not encrypted. This is different from a certificate mismatch or an invalid certificate, which renders https services null. In this case the certificate is valid and there is no mismatch, but the certificate cannot guarantee that all content is encrypted in transit. The problem usually has to do with external content. For instance, if you link to resources at an external site using https://, and the external site then does its own HTTP redirect to non-SSL pages, that will break the SSL lock on your page. The result is an advisory that looks like this when you click on a padlock that includes a warning sign:

[Image: SSL certificate advisory]

Firebug’s “Net” tab is a useful tool to isolate this and other problems. Follow these steps to diagnose SSL problems:

  • Install the Firebug add-on (Chrome, Firefox) if you don’t already have it, and restart your browser when prompted.
  • Open Firebug.
  • In Firebug, choose the “Net” tab. Hit “Enable” (text link) to turn it on.
  • Refresh your problem page without using the cache by hitting Ctrl-Shift-R (or Command-Shift-R on OS X). You will see the “Net” tab in Firefox fill up with a list of each HTTP request made.
  • Once the page is loaded, hover your mouse over the left column of each HTTP request shown in the Net tab. A tooltip will appear showing you the actual link used. Look for requests that are http:// instead of https://.
  • If any of your links resulted in an HTTP redirect, you will see “301 Moved Permanently” in the HTTP status column, and another HTTP request will be just below for the new location. If the problem was due to an external redirect, that is where the evidence will be – the new location’s request will be HTTP.
  • If your problem is due to redirections from an external site, you will see “301 Moved Permanently” status codes for the requests that point them to their new location.
  • Expand any of those 301 relocations with the plus sign at the left, and review the response headers to see what is going on. The “Location:” header will tell you the new location the external server is requesting browsers to use.
  • Note the info in the redirect, then send a polite email to the external site in question and ask them to remove the https:// -> http:// redirects for you. Explain how it is breaking the SSL certification on your site, and ideally include a link to the page that is broken so that they can see the error.

Below is sample output from Firebug for the external redirect issue. In this case a page calling https:// data feeds was getting the feeds rewritten by the external server to http://.

In this sample, the site has been renamed to “mysite.example.com” and the external site to “external.example.com”, but the headers are otherwise left intact. The request headers are shown at the bottom, below the response headers. Note that mysite.example.com is requesting an https:// link, but getting redirected to an http:// link, which is what was breaking the SSL lock:

[Image: Firebug output showing the SSL error]
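The check that the steps above perform by eye can also be scripted. This is an added example, not part of the original article: given the URL, status code and “Location:” header of each request listed in the Net tab, it reports https:// requests that were redirected to http:// and resources linked directly over http://. The request list is constructed sample data using the placeholder host names above; the paths and the function name are assumptions.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample of Net tab rows: (requested URL, status, Location header or None)
SAMPLE_REQUESTS = [
    ("https://mysite.example.com/page", 200, None),
    ("https://mysite.example.com/css/site.css", 200, None),
    ("https://external.example.com/feeds/news.xml", 301,
     "http://external.example.com/feeds/news.xml"),
    ("http://external.example.com/feeds/news.xml", 200, None),
    # A relative Location header stays on https and must not be flagged
    ("https://external.example.com/old/logo.png", 301, "/img/logo.png"),
    ("https://external.example.com/img/logo.png", 200, None),
]


def find_insecure_requests(page_url, requests):
    """Return (kind, url, redirect_target) findings that break the padlock."""
    if urlsplit(page_url).scheme != "https":
        return []  # the warning only applies to pages served over https
    findings = []
    redirect_targets = set()
    for url, status, location in requests:
        if status in REDIRECT_CODES and location:
            # Resolve relative Location values against the requested URL
            target = urljoin(url, location)
            redirect_targets.add(target)
            if (urlsplit(url).scheme == "https"
                    and urlsplit(target).scheme == "http"):
                findings.append(("downgrade-redirect", url, target))
    for url, _status, _location in requests:
        # Plain http requests that no redirect led to are links in the page itself
        if urlsplit(url).scheme == "http" and url not in redirect_targets:
            findings.append(("direct-http-link", url, None))
    return findings


if __name__ == "__main__":
    page = "https://mysite.example.com/page"
    for kind, url, target in find_insecure_requests(page, SAMPLE_REQUESTS):
        print(kind, url, "->", target)
```

A "downgrade-redirect" finding is the case to report to the external site; a "direct-http-link" finding is one you can fix in your own page.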