Common Problems
You now understand how TLS is supposed to work. This chapter is the troubleshooting and threat catalogue: the certificate errors you'll actually hit, the attacks TLS defends against (and how), and the failure modes that still bite well-meaning admins. Each one connects back to a guarantee or mechanism from earlier chapters.
Certificate Errors — What the Browser Is Really Telling You
Most "your connection is not private" warnings come from one of a few failed checks — all from Chapters 4–5. Knowing which check failed tells you exactly what to fix:
| Error | Failed check | Usual cause / fix |
|---|---|---|
| CERT_DATE_INVALID | validity window (Ch. 4) | cert expired — renew it (auto-renewal, Ch. 9) |
| COMMON_NAME_INVALID | SAN ≠ hostname (Ch. 4) | cert doesn't list the domain visited — reissue with correct SAN |
| AUTHORITY_INVALID | chain to trusted root (Ch. 5) | self-signed, or missing intermediate — install full chain |
| unable to get local issuer | incomplete chain (Ch. 5) | server sent leaf only — use fullchain.pem (Ch. 10) |
Mixed Content — HTTPS Page, HTTP Resources
A page served over HTTPS that pulls in sub-resources over plain HTTP is mixed content. It quietly defeats the page's security: those HTTP requests are unencrypted and tamperable, so the "secure" page isn't actually secure end-to-end.
Browsers split this into two severities: active mixed content (scripts, stylesheets, iframes — things that can alter the page) is blocked outright, while passive mixed content (images, media) triggers a downgraded padlock warning. The fix is to load every resource over HTTPS (use https:// or protocol-relative URLs), and a Content-Security-Policy: upgrade-insecure-requests header can auto-rewrite stragglers.
SSL Stripping & Downgrade Attacks
Two related man-in-the-middle attacks, both already half-covered in earlier chapters — here's how they're defeated:
- SSL stripping — the attacker intercepts the victim's initial plaintext request and keeps them on HTTP, proxying to the real HTTPS site so the user never sees a warning. Defeated by HSTS (Chapter 10): the browser refuses HTTP for the domain, so there's no plaintext request to strip. Preload closes even the first-visit gap.
- Protocol/cipher downgrade — the attacker tampers with the cleartext ClientHello to force a weak protocol or cipher. Defeated by the Finished hash (Chapter 6), which covers the whole transcript, plus TLS 1.3 simply removing the weak options to downgrade to (Chapter 7).
Implementation Bugs: Heartbleed and Friends
The protocol can be sound while the code implementing it is flawed. The famous example is Heartbleed (2014): a buffer over-read bug in OpenSSL's TLS heartbeat extension let an attacker read up to 64 KB of server memory per request — potentially leaking private keys, session cookies, and passwords, with no trace in logs.
Revocation: Cancelling a Certificate Before It Expires
When a key is compromised (as in Heartbleed) or a cert is mis-issued, you need to invalidate it before its natural expiry. That's revocation, and it has historically been the weakest link in the PKI:
| Mechanism | How it works | Weakness |
|---|---|---|
| CRL | CA publishes a big list of revoked serial numbers | large, slow to download, cached stale |
| OCSP | browser asks the CA about one cert in real time | slow, privacy-leaking, often "soft-fail" |
| OCSP stapling | server staples a fresh CA-signed status (Ch. 10) | needs server support |
Certificate Pinning — Powerful and Dangerous
Pinning hard-codes which specific certificate or public key an app expects, so even a validly-issued cert from a different (possibly fraudulent) CA is rejected. It defends against the Chapter 5 risk of a misbehaving CA. But it's a sharp tool:
Hands-On Exercises
Use badssl.com (or openssl against it) to trigger several deliberate certificate errors — expired, wrong-host, self-signed, untrusted-root. For each, name the exact check that failed and which chapter's concept it maps to.
📄 View solutionFor each attack — (a) SSL stripping, (b) protocol downgrade, (c) passive eavesdropping, (d) a stolen server key used to decrypt old recorded traffic — name the specific TLS mechanism that defends against it and the chapter that introduced that defence.
📄 View solutionA server running a vulnerable OpenSSL version is found to be exposed to Heartbleed. Write the full remediation checklist in the correct order, and explain why simply patching OpenSSL is insufficient. Then explain why short-lived certificates reduce reliance on revocation.
📄 View solutionChapter 11 Quick Reference
- Cert errors map to failed checks: DATE→validity, COMMON_NAME→SAN, AUTHORITY/local-issuer→chain (Ch. 4–5)
- Mixed content — HTTP sub-resources on an HTTPS page; active (scripts) blocked, passive (images) warned; load all over HTTPS
- SSL stripping → defeated by HSTS (Ch. 10); downgrade → defeated by the Finished hash + TLS 1.3 removing weak options
- Heartbleed — an implementation bug (OpenSSL) leaking memory incl. private keys; protocol-sound ≠ code-safe
- Key compromise = patch → new key → reissue → revoke old → reset credentials; patching alone is not enough
- Revocation: CRL / OCSP / OCSP stapling — but checks often soft-fail, so short-lived certs are the real mitigation
- Pinning defends against rogue CAs but can brick your site; browser HPKP was removed — survives mainly in mobile apps
- Every attack maps to a defence already learned — TLS is layered, each mechanism neutralizing one attack class
- Next chapter: beyond the basics — mTLS, Certificate Transparency, and the modern PKI ecosystem