What is SSL/TLS Authentication and How to Enable It?
This guide explains how SSL/TLS authentication works, why it's vital for secure connections, and how to enable it on different platforms.
You'll also learn how to test SSL authentication with the tools openssl, curl, Python, and Node.js.
🧠 What is SSL Authentication?
SSL (Secure Sockets Layer) authentication, or in its modern form TLS (Transport Layer Security) authentication, guarantees the identity, integrity and reliability of the communication between the client and the server.
When a browser or API client sends an HTTPS request, it initiates a multi-step checking process to see if the server is truly who it claims to be.
🔍 Verification Process Steps
| Step | Description |
|---|---|
| 1. Certificate Presentation | The server sends the SSL certificate to the client. |
| 2. CA Check | The client verifies that the certificate has been signed by a recognized Certificate Authority (CA). |
| 3. Domain Match | The CN/SAN field in the certificate must match the domain being accessed. |
| 4. Certificate Chain Check | The Leaf → Intermediate → Root CA chain must be complete. |
| 5. Expiry and Revocation Check | The certificate must not have expired or been revoked by the CA. |
🚫 If even one of these steps fails, the TLS handshake is interrupted and the browser issues warnings like ERR_CERT_COMMON_NAME_INVALID or SSL: CERTIFICATE_VERIFY_FAILED.
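As an added illustration (not code from the original guide), the sketch below applies steps 3 and 5 to a certificate in the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(): DNS-name matching with single-label wildcards, then the validity window. The sample certificate, the function names and the host names are constructed for the example; chain building and revocation are not covered.

```python
import ssl

def _label_match(pattern: str, host: str) -> bool:
    """Match one certificate name against the host; '*' may only be the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never several
    if p_labels[0] == "*":
        # require at least two fixed labels so a name like "*.com" never matches
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_leaf(cert: dict, host: str, now: float) -> list:
    """Return the failed checks for a getpeercert()-style dict (empty list = pass)."""
    failures = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # CN is only a fallback when the certificate carries no DNS SAN at all
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_label_match(name, host) for name in names):
        failures.append(f"domain mismatch: {host} not in {names}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    return failures

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "ornek.com"),),),
    "subjectAltName": (("DNS", "ornek.com"), ("DNS", "*.ornek.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
}
MID_VALIDITY = ssl.cert_time_to_seconds("Feb  1 00:00:00 2024 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("May  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    cases = [("api.ornek.com", MID_VALIDITY), ("a.b.ornek.com", MID_VALIDITY),
             ("ornek.com", AFTER_EXPIRY)]
    for host, now in cases:
        print(host, check_leaf(SAMPLE_CERT, host, now) or "OK")
```

The `now` argument is passed in explicitly so the expiry check can be exercised against a fixed point in time; in a monitoring job it would be `time.time()`.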
🔐 SSL Authentication vs SSL Encryption
| Feature | SSL Authentication | SSL Encryption |
|---|---|---|
| Purpose | Confirming the server's identity and preventing fraud | Protecting the confidentiality and integrity of data |
| When It Happens | At the beginning of the TLS handshake | After the connection is verified |
| Risk Prevented | Man in the Middle (MITM) attack | Data theft and eavesdropping |
| Result | Authentication provided | Data is transmitted securely |
💡 The two work together. One cannot complete security without the other.
🔗 Certificate Chain (Chain of Trust)
SSL certificates form a chain in which trust is passed from the root CA down to the end-entity (leaf) certificate.
| Layer | Role | Example |
|---|---|---|
| Root CA | It is the foundation of trust, pre-installed in the operating system | DigiCert Global Root G2 |
| Intermediate CA | Signs certificates, protects the root CA | Let's Encrypt R3 |
| Leaf (Server) Certificate | It is the certificate installed on your site | www.example.com |
⚠️ If your server does not send intermediate certificates, you will get a “Missing Chain Error” (verify return:20).
🧰 Command Line SSL Authentication Tests
1️⃣ openssl s_client
```bash
openssl s_client -connect ornek.com:443 -servername ornek.com -showcerts
```
This command shows the certificate chain of the server. verify return:1 → success, verify return:20 → intermediate certificate missing.
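An added example, not part of the original guide: a small Python helper that reads saved openssl s_client output and reports the result from the `verify error:num=` lines and the final `Verify return code:` line. The sample outputs are constructed and trimmed, and the hint texts are this example's own wording of the fixes listed in this guide.

```python
import re

# OpenSSL X509 verify codes mapped to the fix this guide recommends (hint wording is illustrative)
HINTS = {
    10: "certificate expired: renew it and check the system clock (NTP)",
    18: "self-signed certificate: use a trusted CA, or add it to the trust store in test",
    20: "issuer not found: serve the intermediate certificates (full chain)",
    21: "leaf could not be verified: serve the intermediate certificates (full chain)",
    62: "hostname mismatch: fix the CN/SAN values",
}
ERR_RE = re.compile(r"^verify error:num=(\d+):(.+)$", re.M)
FINAL_RE = re.compile(r"^\s*Verify return code: (\d+) \((.+)\)\s*$", re.M)

def summarize(output: str) -> dict:
    """Summarize certificate verification from captured s_client text."""
    errors = [(int(n), text.strip()) for n, text in ERR_RE.findall(output)]
    final = FINAL_RE.search(output)
    code = int(final.group(1)) if final else None
    codes = sorted({n for n, _ in errors} | ({code} if code else set()))
    return {
        # success needs an explicit code 0 and no error lines; missing output is not success
        "ok": code == 0 and not errors,
        "final_code": code,
        "errors": errors,
        "hints": [HINTS.get(c, f"see OpenSSL verify code {c}") for c in codes],
    }

# Constructed, trimmed sample: server sends only the leaf certificate
SAMPLE_MISSING_CHAIN = """\
CONNECTED(00000003)
depth=0 CN = ornek.com
verify error:num=20:unable to get local issuer certificate
depth=0 CN = ornek.com
verify error:num=21:unable to verify the first certificate
---
    Verify return code: 21 (unable to verify the first certificate)
"""
# Constructed, trimmed sample: complete chain
SAMPLE_OK = """\
CONNECTED(00000003)
depth=0 CN = ornek.com
verify return:1
---
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, text in [("missing chain", SAMPLE_MISSING_CHAIN), ("ok", SAMPLE_OK)]:
        print(name, summarize(text))
```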
2️⃣ curl --verbose
```bash
curl https://ornek.com -v
```
Shows TLS handshake details during the connection process. If successful, the encryption protocol appears; if unsuccessful, the reason is stated.
3️⃣ Online Testing Tools
| Tool | Description |
|---|---|
| SSL Labs (ssllabs.com) | It grades your SSL configuration and lists weak protocols. |
| DigiCert SSL Checker | Detects intermediate certificate and installation errors. |
💻 SSL Authentication in Application Code
🐍 Python (requests)
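```python
import requests

# Certificate verification is on by default; an invalid certificate raises requests.exceptions.SSLError
resp = requests.get('https://api.ornek.com', timeout=10)
print(resp.status_code)
```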
requests does validation by default. If there is an invalid certificate, it gives an error.
🟢 Node.js (axios)
```javascript
const axios = require('axios');
const https = require('https');

// rejectUnauthorized: true makes Node reject any certificate that fails verification
const agent = new https.Agent({ rejectUnauthorized: true });
axios.get('https://api.ornek.com', { httpsAgent: agent })
  .then(res => console.log(`Durum: ${res.status}`))
  .catch(err => console.error(`Hata: ${err.message}`));
```
By setting rejectUnauthorized: true, SSL authentication becomes mandatory.
🧪 Self-Signed Certificates
Self-signed certificates should only be used on test or internal networks.
| Scenario | Safe Approach |
|---|---|
| Production Environment | Never use it; get a certificate from a trusted CA. |
| Test Environment | Add the certificate to the system trust store. |
| Management | Check the validity period and revocation status regularly. |
🧠 Best Practices for SSL Verification
| Practice | Description |
|---|---|
| Use trusted CA | Get a certificate from Let's Encrypt or commercial CAs. |
| Serve the full chain | Add the fullchain.pem file to the Nginx/Apache configuration. |
| Automatic renewal | Automate renewal with certbot renew --quiet. |
| Use TLS 1.2+ | Turn off older SSL 3.0/TLS 1.0 versions. |
| Add security headers | Add HTTP headers such as HSTS, CSP. |
🚫 Common Mistakes
| Error | Effect | Solution |
|---|---|---|
| Disabling verification | Makes the connection vulnerable to MITM attacks | Never use verify=False |
| Incorrect system time | Certificate appears invalid | Perform NTP synchronization |
| Missing intermediate certificate | CERTIFICATE_VERIFY_FAILED error | Install the full chain |
| Domain name mismatch | “Domain does not match” error | Fix CN/SAN values |
| Skipping the revocation check | Revoked certificates appear valid | Enable OCSP stapling |
❓ Frequently Asked Questions (FAQ)
1. Why is SSL verification important?
It proves that the user is connecting to the correct server, preventing MITM attacks.
2. What is the difference between SSL authentication and encryption?
Authentication provides identity; encryption provides confidentiality. Trust is not complete without either one.
3. What causes SSL: CERTIFICATE_VERIFY_FAILED error?
The certificate may have expired, the chain may be missing, or the domain name may be incorrect.
4. Is it safe to turn off validation in curl or Python?
No. It completely eliminates security. Fix the error instead.
5. What are the best testing tools?
openssl, curl -v, SSL Labs, DigiCert Checker.
🏁 Conclusion
SSL/TLS authentication not only encrypts data but also provides trust. Configuring your server's certificates correctly is important for both user security and SEO ranking.
🌩️ You can easily configure SSL verification on GenixNode and automatically renew your certificates.

