@futzlarson
Created March 19, 2026 13:39
SSL ERR_SSL_PROTOCOL_ERROR Investigation - curiticspulse.com

SSL Investigation: ERR_SSL_PROTOCOL_ERROR

Domains: cm.curiticspulse.com (production) · cm-uat.curiticspulse.com (UAT)
Date: 2026-03-19

What Was Reported

  • An employee on cm-uat.curiticspulse.com and a client on cm.curiticspulse.com both see ERR_SSL_PROTOCOL_ERROR in Chrome on Windows
  • Works fine for the developer (macOS)

What Was Checked

| Check | Result |
|---|---|
| SSL certificate validity | ✅ Valid — issued Mar 16 2026, expires Sep 29 2026 |
| Certificate issuer | Amazon RSA 2048 M04 (renewed Mar 16) |
| Certificate SANs | curiticspulse.com, *.curiticspulse.com |
| Full chain served | ✅ Yes — leaf + intermediate + root all sent by server |
| TLS 1.2 | ✅ Works (ECDHE-RSA-AES128-GCM-SHA256) |
| TLS 1.3 | ✅ Works (TLS_AES_128_GCM_SHA256) |
| TLS 1.1 | ❌ Not supported (server negotiates up) |
| Port 80 (HTTP) | ❌ Closed — connection refused, no redirect |
| DNS resolution | ✅ Resolves to multiple API Gateway IPs (expected) |

Conclusion

The server is correctly configured. This is not a server-side problem.

Root Cause (Most Likely)

The SSL certificate was renewed on March 16, switching to the Amazon RSA 2048 M04 intermediate CA. This is almost certainly a client-side or network-side trust issue:

  1. Corporate proxy / SSL inspection (most likely for the employee) — Tools like Zscaler or Cisco Umbrella do transparent HTTPS interception. If the proxy's trust store doesn't recognize the new intermediate CA, it breaks the handshake and returns a garbled response rather than a proper error page — exactly what ERR_SSL_PROTOCOL_ERROR looks like.

  2. Device trust store out of date — Windows machines without recent Windows Updates may be missing the Amazon RSA 2048 M04 intermediate CA. macOS handles root store updates more transparently, explaining why it works for the developer.
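The checks in the table above and the two hypotheses in this section can be scripted so the same probe is re-run from an affected Windows machine and compared with the developer's result. The following is an added example, not code from the gist: it pins a handshake to one TLS version at a time, evaluates the served certificate's validity window, issuer and SANs, and sorts a failed handshake into "trust-store" (chain served but not trusted locally) versus "protocol" (garbled handshake data, which is what an intercepting proxy produces). The hostname is the one from the gist; the certificate dict used in the usage note is constructed from the table's values and is not a real capture.

```python
"""Scripted version of the gist's TLS checks (added example, not the gist's own code)."""
import socket
import ssl


def hostname_matches(hostname: str, san_entries) -> bool:
    """Match a hostname against DNS SANs: exact name, or a single leftmost '*' label."""
    host_labels = hostname.lower().split(".")
    for kind, value in san_entries:
        if kind != "DNS":
            continue
        labels = value.lower().split(".")
        if labels == host_labels:
            return True
        if labels[0] == "*" and len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


def evaluate_cert(cert: dict, hostname: str, now: float) -> dict:
    """Evaluate a getpeercert()-style dict: validity window, issuer CN, SAN match.

    `now` is a POSIX timestamp passed in explicitly so the result is deterministic."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = cert.get("subjectAltName", ())
    return {
        "valid_now": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
        "issuer_cn": issuer.get("commonName"),
        "san_match": hostname_matches(hostname, sans),
        "dns_sans": [v for k, v in sans if k == "DNS"],
    }


def classify_handshake_error(exc: BaseException) -> str:
    """Map a failed connect/handshake onto the gist's hypotheses."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "trust-store"   # server sent a chain, local store rejected it
    if isinstance(exc, ssl.SSLError):
        return "protocol"      # unexpected/garbled handshake data (e.g. interception)
    if isinstance(exc, OSError):
        return "network"       # refused, reset, timeout
    return "unknown"


def probe_tls_version(host: str, version: ssl.TLSVersion, port: int = 443, timeout: float = 5.0):
    """Handshake pinned to exactly one TLS version; returns (ok, detail)."""
    ctx = ssl.create_default_context()  # default: verify chain + hostname
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except Exception as exc:  # ValueError if the build refuses the version
        return False, f"{classify_handshake_error(exc)}: {exc!r}"


def probe_port(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection to host:port succeeds (the gist's port 80 check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import time
    host = "cm.curiticspulse.com"  # from the gist
    for name, ver in (("TLS 1.1", ssl.TLSVersion.TLSv1_1),
                      ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
                      ("TLS 1.3", ssl.TLSVersion.TLSv1_3)):
        ok, detail = probe_tls_version(host, ver)
        print(f"{name}: {'OK' if ok else 'FAIL'} ({detail})")
    print("port 80 open:", probe_port(host, 80))
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, 443), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                print(evaluate_cert(tls.getpeercert(), host, time.time()))
    except Exception as exc:
        print("cert check failed:", classify_handshake_error(exc), repr(exc))
```

Running this from the affected machine and from the developer's machine side by side is the point: if "protocol" appears only on the corporate network, the proxy is in the path; if "trust-store" appears, the local root store is the problem, which lines up with the mobile-data isolation step below.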

How to Isolate

Ask both affected users to try from their phone on mobile data (bypasses corporate network entirely):

  • ✅ Works on mobile → network proxy is the culprit → IT team needs to update proxy trust store
  • ❌ Still fails on mobile → device trust store issue → run Windows Update

Fix

| Scenario | Fix |
|---|---|
| Corporate proxy | IT team updates the proxy's trusted CA list |
| Outdated Windows trust store | Run Windows Update on the affected machine |
| Quick test | `certutil -generateSSTFromWU roots.sst` on the affected Windows machine |

No changes required on the server or in the application.
