How to Debug HTTP/HTTPS Traffic on Linux


In this article, we'll look at how you can debug HTTP/HTTPS traffic on your Linux system. We'll feature OpenSSL and the htrace script. htrace is a simple shell script used for tracing and debugging HTTP/HTTPS traffic.

In addition, it can be used to scan a domain with external security tools, mainly Mozilla Observatory and the SSL Labs API. OpenSSL, on the other hand, is a cryptographic toolkit that relies on the SSL (v2 and v3) and TLS v1 protocols to debug traffic.

1) Using htrace script

The shell script checks the basic SSL configuration and the domain configuration of web servers and reverse proxies, shows the response headers for each query it runs, and performs redirect analysis with the aim of eliminating redirect loops. It can also display more detailed information, including:

  • Remote address
  • HTTP version
  • Server the site is running on
  • Content type
  • Content encoding


Before proceeding any further, ensure the following are installed on your system:

  1. Curl 7.49 and later
  2. OpenSSL
  3. Git

Installation and running of script

First, clone the htrace repository

git clone


Cloning into ''...
remote: Counting objects: 300, done.
remote: Compressing objects: 100% (141/141), done.
remote: Total 300 (delta 151), reused 288 (delta 139), pack-reused 0
Receiving objects: 100% (300/300), 421.03 KiB | 0 bytes/s, done.
Resolving deltas: 100% (151/151), done.
Checking connectivity... done.

Navigate into the htrace directory


Next, install htrace using the following command

./ install


Create symbolic link to /usr/local/bin
Create man page to /usr/local/man/man8

Usage of htrace

Now, we can run the application and test a domain. The syntax of the command is --domain

Other options include

        --help                        show this message
        -d|--domain                   set domain name
        -h|--headers                  show response headers

In the command below, we are going to test --domain --headers

The output below is from site

2) Using OpenSSL

Apart from the shell script, you can use OpenSSL to debug SSL certificate problems from the shell prompt. OpenSSL is a robust, general-purpose cryptographic toolkit that uses the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols. It also includes the openssl command, which you can use to debug problems with SSL certificates.


openssl s_client -connect

Below is an example of how the command can be used to connect to on port 443

openssl s_client -connect

Sample Output

depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN =
verify return:1
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Server certificate
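
The "Certificate chain" section in the sample output above can be checked mechanically. The following is an added example, not part of the original article or of htrace: it reads s_client output and confirms that each certificate's issuer is the subject of the next one sent. The function names, the sample data and the HOST placeholder are assumptions made for illustration.

```shell
# Added example, not from the article. Reads `openssl s_client` output on stdin.
# Exit status: 0 = chain links up in order, 1 = broken link, 2 = no chain found.
check_chain_order() {
    awk '
        BEGIN { n = 0; bad = 0 }
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^(---|Server certificate)/ { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n++] = $0; next }
        END {
            if (n == 0) { print "no certificate chain found"; exit 2 }
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) {
                    printf "break after cert %d: issuer [%s] is not next subject [%s]\n", k, iss[k], subj[k + 1]
                    bad = 1
                }
            if (!bad) printf "chain ordered, %d certificate(s)\n", n
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample output; every name below is a placeholder.
sample_ordered() {
cat <<'EOF'
Certificate chain
 0 s:/CN=www.example.test
   i:/O=Example CA/CN=Example Issuing CA
 1 s:/O=Example CA/CN=Example Issuing CA
   i:/O=Example CA/CN=Example Root CA
---
Server certificate
EOF
}

# Constructed: the server sends an intermediate that did not issue the leaf.
sample_misordered() {
cat <<'EOF'
Certificate chain
 0 s:/CN=www.example.test
   i:/O=Example CA/CN=Example Issuing CA
 1 s:/O=Example CA/CN=Example Old Issuing CA
   i:/O=Example CA/CN=Example Root CA
---
EOF
}

sample_ordered | check_chain_order
sample_misordered | check_chain_order || echo "exit status: $?"
# Live: openssl s_client -connect HOST:443 </dev/null 2>/dev/null | check_chain_order
```

Matching issuer and subject strings only shows that the server sent its certificates in a linking order; the "verify return" lines in the s_client output remain the actual validation result.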

That's all we had for you today. Feel free to try out the shell script and openssl command to debug SSL certificates. As always, your feedback is valuable and most welcome.

2 Comments

  1. Hi! I have released a new version of this tool with Nmap NSE Library support and minor fixes/updates. There is an error from on the screenshots of this article - curl: unknown --write-out variable. To fix this you should use curl ≥ 7.52.0 version. Big thx for this! Very nice and useful blog.

  2. At least on my Ubuntu Hirsute, there were several dependencies not already installed and some are not available in apt (to the best of my searching), in no particular order these are:

    1 - PHP-XML
    2 - PHP-cUrl
    3 - Golang
    3 - Mozilla Observatory
    4 - ProjectDiscovery subfinder
    5 - wafw00f
    6 - Nmap
    7 - ssllabs-scan
    8 - Bramus mixed-content-scan
    9 - (available in apt as "testssl", but on Ubuntu a symlink to the actual name "" is needed).

    And you will need to set the GOROOT and GOPATH variables (recent Go releases do not set these).

    Oh yes, and you will have to install, path and run this as root - it requires root permissions even when running from ~/.local...

