SSL/Proxy Connectivity Troubleshooting

This skill provides a structured workflow for diagnosing and resolving network connectivity issues when accessing government websites, corporate portals, or other restricted domains that commonly exhibit SSL certificate problems, proxy requirements, or access restrictions.

When to Use

Apply this skill when:

• HTTP requests fail with SSL/TLS certificate errors
• Connections timeout or are refused through corporate/government networks
• Proxy settings may be interfering with connectivity
• Primary data sources are inaccessible and alternatives are needed

Diagnostic Workflow

Step 1: Initial Connectivity Assessment

Test basic connectivity before attempting complex solutions:

# Test DNS resolution
nslookup target-domain.gov
dig target-domain.gov

# Test basic TCP connectivity
timeout 5 bash -c 'cat < /dev/null > /dev/tcp/target-domain.gov/443' && echo "Port 443 open" || echo "Port 443 closed"

# Test with curl (verbose)
curl -v https://target-domain.gov 2>&1 | head -50

Step 2: SSL Certificate Investigation

If SSL errors occur, diagnose the certificate issue:

# Check certificate details
openssl s_client -connect target-domain.gov:443 -servername target-domain.gov 2>/dev/null | openssl x509 -noout -dates -subject -issuer

# Test with different SSL versions
curl --tlsv1.2 -v https://target-domain.gov
curl --tlsv1.3 -v https://target-domain.gov

# Try disabling verification (testing only)
curl -k https://target-domain.gov

Step 3: Proxy Configuration Testing

Test various proxy configurations:

# Try without proxy
curl --noproxy "*" https://target-domain.gov

# Try with system proxy
curl -x http://proxy.example.com:8080 https://target-domain.gov

# Try explicit no-proxy for .gov domains
export no_proxy=".gov,.mil,.edu"
curl https://target-domain.gov

# Test with different proxy protocols
curl -x http://proxy:8080 https://target-domain.gov
curl -x https://proxy:8080 https://target-domain.gov
curl -x socks5://proxy:1080 https://target-domain.gov

Step 4: Protocol and Port Variations

Test alternative access methods:

# Try HTTP instead of HTTPS
curl http://target-domain.gov

# Try alternative ports
curl https://target-domain.gov:8443
curl https://target-domain.gov:4443

# Try www subdomain variation
curl https://www.target-domain.gov

# Try alternative domain extensions
curl https://target-domain.state.il.us

Step 5: User-Agent and Header Manipulation

Some sites block automated access:

# Use browser user-agent
curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" https://target-domain.gov

# Add common headers
curl -H "Accept: text/html" -H "Accept-Language: en-US" https://target-domain.gov

# Include referer header
curl -e "https://www.google.com/" https://target-domain.gov

Step 6: Python Requests Alternative

If curl fails, try Python with different configurations:

import requests
from requests.adapters import HTTPAdapter

# Disable SSL verification (testing only)
session = requests.Session()
session.verify = False
session.mount('https://', HTTPAdapter())

try:
    response = session.get('https://target-domain.gov', timeout=30)
    print(f"Status: {response.status_code}")
except Exception as e:
    print(f"Error: {e}")

# Try with custom SSL context
import ssl
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

Fallback Strategies

When primary data sources remain inaccessible after exhausting troubleshooting:

1. Alternative Data Sources

• Search for mirror sites or archived versions (Wayback Machine)
• Check if data is available through state/federal data portals (data.gov)
• Look for API endpoints that may have different access requirements
• Search for downloadable datasets on alternative domains

2. Indirect Access Methods

• Check if the same data is available through partner organizations
• Look for cached versions through search engines
• Contact the organization directly for data access
• Check if data is available through FOIA requests or public records

3. Documentation and Reporting

When access fails after systematic troubleshooting:

## Access Attempt Summary
- **Target**: [domain]
- **Methods Tried**: [list all approaches]
- **Errors Encountered**: [specific error messages]
- **Time Spent**: [duration]
- **Recommendation**: [alternative sources or next steps]

Decision Tree

SSL Error?
├── Yes → Try curl -k (test only)
│         ├── Works → Document SSL issue, proceed with verification disabled
│         └── Fails → Continue diagnostics
│
Proxy Issue?
├── Suspected → Try --noproxy "*"
│               ├── Works → Configure no_proxy for target domain
│               └── Fails → Try explicit proxy settings
│
Timeout/Refused?
├── Yes → Try HTTP instead of HTTPS
│         Try alternative ports
│         Try www subdomain
│         └── All fail → Implement fallback strategies
│
All Methods Fail?
└── Implement fallback strategies and document attempts

Important Notes

1. Security Considerations: Disabling SSL verification should only be used for diagnosis in trusted environments. Never use in production without understanding the risks.

2. Rate Limiting: Add delays between requests to avoid triggering rate limits or IP blocks.

3. Documentation: Always document which methods were tried and their results for future reference.

4. Iteration Limit: If 5+ distinct approaches fail, pivot to fallback strategies rather than continuing to iterate on the same blocked endpoint.

5. Legal Compliance: Ensure all access attempts comply with terms of service and applicable laws.

Success Criteria

This troubleshooting workflow is complete when:

• Data successfully retrieved from primary source, OR
• All reasonable access methods exhausted (minimum 5 distinct approaches), OR
• Viable alternative data source identified and accessed, OR
• Clear documentation provided explaining access failure and recommended next steps