In this article, we'll look at how you can debug HTTP/HTTPS traffic on your Linux system. We'll feature OpenSSL and the htrace.sh script. htrace.sh is a simple shell script for debugging and tracing HTTP/HTTPS traffic. It can also be used to scan a domain with external security tools, mainly Mozilla Observatory and the SSL Labs API. OpenSSL, on the other hand, is a cryptographic toolkit that implements the SSL (v2 & v3) and TLS v1 protocols and can be used to debug traffic.
1) Using htrace script
The shell script is used to check the basic SSL configuration, the domain configuration of web servers and reverse proxies, and the response headers for each request, and to analyze redirects with the aim of eliminating redirect loops. The script can also display more detailed information, including:
- Remote address
- HTTP version
- Server the site is running on
- Content type
- Content encoding
Before proceeding any further, ensure the following is installed on your system:
- curl 7.49 or later
Installation and running of htrace.sh script
First, clone the htrace repository
git clone https://github.com/trimstray/htrace.sh
Cloning into 'htrace.sh'...
remote: Counting objects: 300, done.
remote: Compressing objects: 100% (141/141), done.
remote: Total 300 (delta 151), reused 288 (delta 139), pack-reused 0
Receiving objects: 100% (300/300), 421.03 KiB | 0 bytes/s, done.
Resolving deltas: 100% (151/151), done.
Checking connectivity... done.
Navigate into the htrace directory
Next, install htrace using the following command
Create symbolic link to /usr/local/bin
Create man page to /usr/local/man/man8
Usage of htrace
Now, we can run the application and test a domain. The syntax of the command is
htrace.sh --domain https://example.com
Other options include
Options:
  --help          show this message
  -d|--domain     set domain name
  -h|--headers    show response headers
In the command below, we are going to test google.com
htrace.sh --domain https://google.com --headers
The output below is from nmap.org site
2) Using OpenSSL
Apart from using the htrace.sh shell script, you can use OpenSSL to debug SSL certificate problems from the shell prompt. OpenSSL is a robust, general-purpose cryptographic toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols. Also included is the openssl command, which you can use to debug problems with SSL certificates.
openssl s_client -connect ssl.servername.com:443
Below is an example of how the command can be used to connect to linoxide.com on port 443
openssl s_client -connect www.linoxide.com:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = ssl374062.cloudflaressl.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=ssl374062.cloudflaressl.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
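The "Certificate chain" section of the s_client output above lists each certificate's subject (s:) and issuer (i:), and a common cause of certificate errors is a server that sends the chain incomplete or out of order. The shell function below is an added example, not part of the original article or of OpenSSL: it checks that every issuer matches the subject of the next certificate sent. The names check_chain and sample_chain are hypothetical and the sample output is constructed.

```shell
# Constructed sample, same "s:/... i:/..." layout as the output above
# (all names are made up for the example).
sample_chain() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.test
   i:/C=GB/O=Example CA Limited/CN=Example DV Server CA
 1 s:/C=GB/O=Example CA Limited/CN=Example DV Server CA
   i:/C=GB/O=Example CA Limited/CN=Example Root CA
---
Server certificate
EOF
}

# check_chain (hypothetical helper): reads s_client output on stdin.
# Returns 0 if each issuer equals the subject of the next certificate,
# 1 if a link is missing or out of order, 2 if no chain section is found.
check_chain() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---$/  { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ {
      n = $1 + 0; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; count = n + 1; next
    }
    in_chain && /^ *i:/  { sub(/^ *i:/, ""); iss[n] = $0; next }
    END {
      if (count == 0) { print "no chain found"; exit 2 }
      bad = 0
      for (k = 0; k < count - 1; k++) {
        if (iss[k] == subj[k + 1]) print "ok   " k " -> " (k + 1)
        else { print "GAP  " k " issued by " iss[k] ", not the next cert sent"; bad = 1 }
      }
      print "top  issuer (expected in the local trust store): " iss[count - 1]
      exit bad
    }'
}

# Live use (needs network; stdin is closed so s_client exits after the handshake):
#   openssl s_client -connect www.linoxide.com:443 </dev/null 2>/dev/null | check_chain
```

Run against the constructed sample with `sample_chain | check_chain`; a GAP line points to the certificate whose issuer the server did not send next.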
That's all we had for you today. Feel free to try out the htrace.sh shell script and openssl command to debug SSL certificates. As always, your feedback is valuable and most welcome.