Overview
SSL is an protocol used to encrypt private information sent across the internet. An SSL Certificate is a small file that contains private information used to authenticate a host attempting to establish an SSL connection. The following steps outline the SSL Connection process between Client (Browser) and Server.
1. Client Hello
The client sends the information that will be required by the server to start an HTTPS connection.
2. Server Hello
The server responds back with the configuration it selected from the Client Hello, along with its information to proceed with the handshake.
3. Server Key Exchange Message
This message is sent by the server to the client carrying the required details for the client to generate the pre-master secret.
4. Certificate Request
This and the following step only apply to two-way SSL. In one-way SSL, the authenticity of the client is not being validated. Hence, these steps are omitted in a one-way SSL handshake. During this step, the server sends a certificate request to the client, specifying the certificate type, certificate signature algorithms, and certificate authorities supported by the server.
5. Client Certificate
The client presents its certificate chain to the server. The certificate needs to be appropriate for the negotiated cipher suite’s key exchange algorithm, and any negotiated extensions.
6. Client Key Exchange Message
This message needs to be sent by the client following the Client Certificate message. If the client certificate is not being presented (in one-way SSL), the client key exchange message should be sent after the client receives the ServerHelloDone message.
7. Finished
After successful authentication and generating the pre-master secrets/master secrets, a change cipher spec message will be sent by both client and server indicating that the rest of the communication will be encrypted.
In order for a browser to trust an SSL Certificate, and establish an SSL/TLS session without security warnings, the SSL Certificate must contain the domain name of a website using it, be issued by a trusted Certificate Authority (CA), and not have expired.
A certificate is associated with a public key with the identity of a server known as the subject. The subject includes identifying information (the distinguished name) and the public key. It also includes the identification and signature of the certificate authority that issued the certificate and the period of time during which the certificate is valid.
The distinguished name includes Common Name i.e. Name being Certified, Organization associated with it, City, State, and Country.
What does "Ignore SSL Errors" do?
When we select SSL Errors Ignored from the Advanced Settings under a test's properties, the following SSL errors are ignored.
1. Certificate Common Name Invalid
Indicates the domain does not match the common name in the SSL certificate. This usually occurs when we do DNS override, as the override domain does not match the common name of the SSL Certificate, since the server is looking for the common name in the test URL.
For more information, please refer to this article:
https://docs.catchpoint.com/docs/Unexpected-SSL-Errors-
2. Certificate Date Invalid
The security certificate presented by this website has expired or is not yet valid. The reason for this could be an incorrect date at the client system or incorrect date defined at the server while creating the certificate.
3. Certificate the wrong usage
Indicates the site is using self-signed certificates.
4. Unknown Certificate Authority
Browsers are made with a built-in list of trusted certificate providers (like DigiCert, Globalsign, etc.) For some sites, the certificate provider is not on that list. If this is the case, the browser will warn you that the Certificate Authority (CA) who issued the certificate is unknown / not trusted.
In Chrome, under Settings > Manage Certificates you can see the list of trusted certificates.
Supported Monitors
The Ignore SSL feature is available for these test types: Web (all monitors), Transaction (all monitors), HTML (all monitors), and API.