Alert When SSL Handshake Degrades

Your website or API might be "up" in the simplest sense – the server is responding to pings, and port 443 is open. But what if the SSL/TLS handshake, the critical initial negotiation that establishes a secure connection, is failing intermittently or taking an unacceptably long time? This "degradation" often goes unnoticed by basic uptime checks, yet it can be as detrimental to user experience and system reliability as a full outage.

As engineers, we tend to focus on binary states: up or down. But the real world is nuanced. An SSL handshake that's struggling is a prime example of a non-binary failure state that demands attention.

What Does "SSL Handshake Degradation" Even Mean?

Before data can flow securely over HTTPS, your client (browser, curl, Tickr probe) and the server must perform an SSL/TLS handshake. This involves a series of steps:

1. Client Hello: Client sends supported TLS versions, cipher suites, compression methods, and a random number.
2. Server Hello: Server responds with its chosen TLS version, cipher suite, compression method, a random number, and its public key certificate.
3. Certificate Exchange: Client validates the server's certificate (trust chain, expiry, revocation status).
4. Key Exchange: Client and server exchange cryptographic parameters to generate a shared secret key.
5. Change Cipher Spec: Both parties agree to switch to encrypted communication.
6. Finished: Client and server send encrypted "finished" messages to verify the handshake.

"Degradation" in this context refers to situations where this handshake process is not completely failing (resulting in a hard connection error) but is instead:

• Excessively Slow: The handshake takes an unusually long time to complete, delaying content delivery.
• Intermittently Failing: Some connections succeed, others fail with specific TLS errors, making the issue difficult to reproduce and debug.
• Producing Specific Errors: Not a generic connection refused, but errors like SSL_ERROR_SYSCALL, certificate_unknown, protocol_version, or handshake_failure.

This isn't just about your SSL certificate expiring (a critical but distinct issue); it's about the process of establishing that secure channel itself.

Why You Need to Monitor Beyond "Is It Up?"

Ignoring SSL handshake degradation can lead to a cascade of problems:

• Poor User Experience: Slow loading times frustrate users, leading to higher bounce rates. Intermittent failures mean some users can't access your service at all, even if others can. This is death by a thousand cuts for perceived reliability.
• SEO Penalties: Search engines, particularly Google, prioritize fast-loading and secure websites. Slow handshakes contribute to overall page load time, potentially impacting your search rankings.
• Lost Revenue: For e-commerce sites or SaaS applications, slow or failing handshakes directly translate to abandoned carts, failed API calls, and ultimately, lost revenue.
• Security Vulnerabilities: Degradation can sometimes be a symptom of misconfigurations (e.g., weak cipher suites, outdated TLS versions) that could make your service vulnerable to certain attacks, even if it appears "up."
• Operational Blind Spots: These issues are notoriously hard to debug. Without proactive monitoring, you're relying on user reports, which are often vague ("your site is slow") and reactive.

Manual Detection: The Hard Way

Before we dive into automated monitoring, let's consider how you might manually diagnose a struggling SSL handshake. This is often the first step in a reactive incident response.

The curl command with the verbose flag (-v) is an indispensable tool for seeing the TLS handshake in action. You can also add format strings to get specific timing metrics.

Example 1: Using curl for detailed handshake timings

curl -v -o /dev/null -s -w "%{time_starttransfer}\t%{time_connect}\t%{time_appconnect}\t%{time_pretransfer}\t%{time_total}\n" https://www.example.com/

Let's break down the output and what to look for:

• -v: Verbose output, showing the full request and response headers, including TLS negotiation details.
• -o /dev/null: Discard the response body.
• -s: Silent, don't show progress meter or error messages.
• -w "%{time_starttransfer}\t%{time_connect}\t%{time_appconnect}\t%{time_pretransfer}\t%{time_total}\n": Custom output format for timings.

A typical output for a healthy connection might look something like this (verbose part omitted for brevity, focusing on timings):

``` * Trying 93.184.216.34:443... * Connected to www.example.com (93.184.216.34) port 443 (#0) * ALPN: offers h2 * ALPN: offers http/1.1 * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 * ALPN: h2 * Server certificate: * subject: C=US; ST=California; L=Los Angeles; O=Internet Corporation for Assigned Names and Numbers; CN=www.example.org * start date: Oct 26 00:00:00 2023 GMT * expire date: Oct 25 23:59:59 2024 GMT * subjectAltName: host "www.example.org" matched "www.example.org" * issuer: C=US; O=Internet Security Research Group; CN=R3 * SSL certificate verify ok.

GET / HTTP/2 Host: www.example.com User-Agent: curl/8.5.0 Accept: /

< HTTP/2 200 < age: 604751 < cache-control: max-age=604800 < content-type: text/html; charset=UTF-8 < date: Wed, 24 Jan 2024 10:00:00 GMT < etag: "3147526947+ident" < expires: Wed, 31 Jan 2024 10:00:00 GMT < last-modified: Thu, 17 Oct 2019 07:18:26 GMT < server: ECS (oxr/830D) < x-cache: HIT < content-length: 1256 < { [1256 bytes data] 0.200923 0