How to Debug HTTP/HTTPS Traffic on Linux

In this article, we'll delve and look how you can debug HTTP/HTTPS traffic on your Linux system. We'll feature OpenSSL and  htrace.sh script. htrace.sh  is a simple shell script used for debugging HTTP/https traffic tracing. In addition, it can also be used for scanning domain with external security tools mainly  Mozilla Observatory and SSL Labs APIOn the other hand, OpenSSL is a cryptographic toolkit that relies on SSL  (V2 & 3) and TLS  v1 protocols to debug traffic.

1) Using htrace script

The shell script is used in checking basic SSL configuration, domain configuration of web servers & reverse proxies, response headers for each query ran and conducting redirect analysis with an aim of eliminating redirect loops. In addition, more detailed information can be displayed using the simple shell script command. This includes

  • Remote address
  • HTTP version
  • Server the site is running on
  • Content type
  • Content encoding

Requirements

Before proceeding any further, ensure the following is installed in your system

  1. Curl 7.49 and later
  2. OpenSSL
  3. Git

Installation and running of htrace.sh script

First, Clone the htrace repository

git clone https://github.com/trimstray/htrace.sh

Output

Cloning into 'htrace.sh'...
remote: Counting objects: 300, done.
remote: Compressing objects: 100% (141/141), done.
remote: Total 300 (delta 151), reused 288 (delta 139), pack-reused 0
Receiving objects: 100% (300/300), 421.03 KiB | 0 bytes/s, done.
Resolving deltas: 100% (151/151), done.
Checking connectivity... done.

Navigate into the htrace directory

cd htrace.sh

Next, Install htrace using the following command

./setup.sh install

Output

Create symbolic link to /usr/local/bin
Create man page to /usr/local/man/man8

Usage of htrace

Now, we can run the application and test a domain. The syntax of the command is

htrace.sh --domain https://example.com

Other options include

Options:
        --help                        show this message
        -d|--domain                   set domain name
        -h|--headers                  show response headers

In the command below, we are going to test google.com

htrace.sh --domain https://google.com --headers

Outputhtrace.sh

The output below is from nmap.org site

2) Using OpenSSL

Apart from using the htrace.sh shell script, you can use OpenSSL to debug SSL certificate problem from the shell prompt . OpenSSL is a robust , general-purpose cryptographic toolkit that uses Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols. Also included is the openssl  command which you can use to debug problems with SSL certificates.

Usage

openssl s_client -connect ssl.servername.com:443

Below is an example of how the command can be used to connect to linoxide.com on port 443

openssl s_client -connect www.linoxide.com:443

Sample Output

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = ssl374062.cloudflaressl.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=ssl374062.cloudflaressl.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----

That's all we had for you today. Feel free to try out the htrace.sh shell script and openssl command to debug SSL certificates. As always, your feedback is valuable and most welcome.

Jamie Arthur 12:05 am

About Jamie Arthur

Hey, I'm James, a passionate Linux Systems administrator, and a tech enthusiast. I derive immense gratification in conducting research on Linux systems and keeping myself up to date with the latest in the technology world.

Author Archive Page

Have anything to say?

Your email address will not be published. Required fields are marked *

All comments are subject to moderation.

1 Comment

  1. Hi! I have released a new version of this tool with Nmap NSE Library support and minor fixes/updates. There is an error from htrace.sh on the screenshots of this article - curl: unknown --wirte-out variable. To fix this you should use curl ≥ 7.52.0 version. Big thx for this! Very nice and usefull blog.