**Approach — overview**1) Reproduce reliably on a small scope, collect artifacts, then triage by hypothesis (client cert mismatch, SNI routing, cipher/version, cert chain issues). Work iteratively and non-disruptively.**Artifacts to collect**- PCAPs at client, LB front-end, and back-end (tcpdump filter for TLS): bash
sudo tcpdump -i eth0 -w /tmp/tls.pcap port 443 and host <client_ip or lb_ip>
- openssl s_client outputs (with SNI, cert chain, and chosen cipher):bash
openssl s_client -connect lb.example.com:443 -servername lb.example.com -showcerts
- Full certificate chains (PEM), OCSP/CRL responses, and cert serials- Load balancer logs (access, error, TLS debug) with timestamps and connection IDs- Backend server TLS logs and application logs- Metrics/traces (latency, TLS handshake errors) from monitoring**Stepwise isolation**1) Correlate timestamps/connection IDs across artifacts to tie a failed handshake to a pcap and LB log entry.2) Client cert mismatch: - Check openssl s_client with client cert/key:bash
openssl s_client -connect lb:443 -cert client.pem -key client.key -CAfile ca.pem
- Inspect LB requiring client auth (mutual TLS) and verify CA bundle and subject DN allowed list.3) Incorrect SNI routing: - Test with different SNI values; confirm backend selection in LB logs.bash
openssl s_client -connect lb:443 -servername correct.example.com
openssl s_client -connect lb:443 -servername wrong.example.com
- Use pcap to verify SNI in ClientHello (if TLS1.3 or ESNI considerations).4) Cipher/version incompatibility: - Force specific TLS versions/ciphers:bash
openssl s_client -connect lb:443 -tls1_2 -cipher 'ECDHE-RSA-AES128-GCM-SHA256'
- Compare ClientHello cipher list to server's accepted suite in LB/backend logs and wireshark.5) Expired/revoked/intermediate certs: - Inspect full chain from s_client -showcerts; check validity dates and issuer chain. - Query OCSP or CRL for revocation.bash
openssl ocsp -issuer issuer.pem -cert cert.pem -url http://ocsp.responder/
**Safe testing / repro without impacting all clients**- Use canary testing: route a small percentage to a debug LB pool or use traffic mirroring.- Test from isolated client VM that reproduces the client environment; use curl/openssl with identical SNI/certs.- Rate-limit and schedule tests during low-traffic windows; disable automated retries to avoid flood.- If possible, enable LB debug on a single listener or use feature flags to capture extra logging for only affected IPs.- When changing configs (certs/cipher lists), apply to a single backend or staging first, validate, then roll out with gradual traffic shift.**Outcome & remediation**- Once root cause identified, fix (update CA bundle, adjust SNI routing table, add supported ciphers, renew intermediates), validate via the same s_client/pcap tests, then monitor metrics for disappearance of handshake failures.