How SilkPerformer handles SSL traffic
All applications that use SSL will involve the use of server certificates. A server certificate is a certificate that authenticates the identity of a site to visiting applications, usually browsers. When a client application wants to send confidential information to a server, the client application will access the server's digital certificate. The certificate, which contains the server's public key, will be used by the client application to:
- authenticate the identity of the server (the Web site), and
- encrypt information for the server using Secure Sockets Layer (SSL) technology.
Since the server is the only one with access to its private key, only the server can decrypt the information. This is how the information remains confidential and tamper-proof while in transit across the Internet.
During recording of secure traffic (SSL) the recorder presents the Borland server certificate, rather than the actual server certificate, to the client (usually a browser). In most cases this will cause a Security Alert dialog box to appear indicating that there is a problem with the site's certificate. This is the expected behaviour, and to continue the user should simply click Yes to the question "Do you want to proceed?" and continue recording.
However, there are a number of possible issues that you should be aware of when recording or replaying SSL traffic which we will examine in more detail below. If you would like assistance with any of the following then please contact our support team and an engineer will be happy to help you.
Are you presenting the correct level of encryption?
An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thus providing a high degree of confidentiality.
- It is possible that your application cannot cope with the Automatic SSL version and Encryption Strength set by SilkPerformer by default and instead you will need to present the exact values that the site uses. Not doing so may result in a "Page Not Found" or other error page.
Click here for details on how to check the SSL Version and Encryption strength
- Check the level of encryption that SilkPerformer supports:- Level of encryption
Does your application require a Root CA certificate to be presented?
Each SSL-enabled client maintains a list of trusted CA certificates. This list determines which server certificates the client will accept. Normally you don't have to install the root CA for secure recording. If you don't have it installed, the only effect is that the browser might complain that it does not know the issuer of the server certificate. This usually appears as a Security Alert warning in a dialog box where you can proceed by simply acknowledging it. However, sometimes it may be necessary to send the root CA certificate.
- If it is important that the Security Alert does not appear when recording against the site you will need to send the root CA certificate along with the server certificate:- How can I configure the recorder so that the "Security Alert" dialog box does not appear when recording against a secure Website (HTTPS)?
- If you continue to see the Security Alert after importing the Segue Root CA it is possible that the certificate you have imported has expired and you will need to:- Why might I see the "Security Alert" dialog box when recording against a secure site even though I have imported the Segue CA Root certificate?
- If the following error occurs - Security: 1046 - sslv3 alert certificate unknown - it is possible that the server may insist that you:- After importing a Root CA Server Certificate into SilkPerformer why do I still see the error "Security: 1046 - sslv3 alert certificate unknown" in the record.log file?
Does your application use Client certificates?
A client certificate is used to authenticate a client when accessing the secure server. Many organizations now use client certificates to authenticate the user accessing the web server, so that only those persons granted a client certificate by the company are able to access the server.
- How do I configure SilkPerformer to provide client certificate authentication during record and replay?
- Are you getting the following error message when using the IE Certificate Export Wizard:- Why I am unable to export a client certificate into the correct format when using the Export Wizard in Internet Explorer?
- Can SilkPerformer replay using different SSL client certificates for each virtual user?
- Do you need to send the Root Certificate Authority (CA) along with the client certificate as part of the SSL handshake? Certain servers such as Netscape Enterprise Server require this; others such as IIS do not. If it is required you will see an error stating:- Why do I get the error "The page cannot be displayed" when recording SSL traffic when using a Client Certificate?
The use of Server certificates
In some cases, for example a custom client application using SSL, it may not be possible to ignore the warning message caused by presenting the Borland server certificate, and continue recording. In this situation we must ensure that SilkPerformer presents the actual server certificate with the correct issuing domain instead of the default Borland certificate.
- How can I ensure that my own server certificate rather than the Borland certificate is presented to the client during recording of secure traffic?
- The error "could not initialize SSL server context" also implies that you need to send the actual server certificate:- Why do I receive the error "could not initialize SSL server context" when recording SSL traffic?
- If you are sending your own server certificate you will need to ensure that it is presented in the correct format:- Conversion to .pem format
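The format check behind the last item, as an added example that is not SilkPerformer or Borland code: PEM is the base64 form of the binary DER encoding, wrapped in BEGIN/END marker lines. The sketch assumes the certificate you hold is either DER or PEM (the page does not say which); the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample: a well-formed outer DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + bytes(10)


def der_outer_ok(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose declared length fits the data exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length held in one byte
        header, length = 2, first
    else:                                 # long form: next k bytes hold the length
        k = first & 0x7F
        if k == 0 or len(der) < 2 + k:
            return False
        header, length = 2 + k, int.from_bytes(der[2:2 + k], "big")
    return header + length == len(der)


def parse(data: bytes) -> list:
    """Return [(label, der_bytes)] from PEM text or from a raw DER file."""
    found = PEM_RE.findall(data)          # text outside the markers is ignored
    if not found:
        return [("CERTIFICATE", data)]    # assumption: no markers = one DER certificate
    blocks = []
    for label, body in found:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label.decode()}: invalid base64") from exc
        blocks.append((label.decode(), der))
    return blocks


def to_pem(data: bytes) -> str:
    """Normalise DER or PEM input to clean PEM with 64-character lines."""
    out = []
    for label, der in parse(data):
        if not der_outer_ok(der):
            raise ValueError(f"{label}: truncated or not DER-encoded")
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""]))
    return "".join(out)
```

A file that raises ValueError here is either truncated or in a container format other than DER or PEM and needs a different conversion.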
**NOTE**
If none of the above has helped resolve the issue then it is recommended that you contact Technical Support for further assistance.