Setting up a webserver is quite easy. But setting up, and especially troubleshooting, webserver connectivity and SSL can be challenging. Also, you probably have limited tools and (in the case of linux/unix) commandline access only, as is normal for a real deployment in a datacentre.

You don’t need a browser to get a response from a webserver. It’s quite easy to get a response from a webserver using common tools. A tool found on every platform (by default) is telnet; a bit more elegant is netcat (the nc executable on linux). The netcat utility, and all its ports, can be found on the netcat wikipedia page. On linux it’s available by default. Please be aware I say ‘response’ here, not ‘browsing’. The techniques described here are for getting a text response, and are quite unsuitable for browsing.

How does this commandline stuff work?
The first example is getting a response from a webserver. In this example I use ‘otn.oracle.com’:
vxlt090101:~ fritshoogland$ printf "GET / HTTP/1.0\n\n" | nc otn.oracle.com 80
HTTP/1.1 302 Moved Temporarily
Location: http://www.oracle.com/index.html
Content-Type: text/plain
Cache-Control: max-age=0
Set-Cookie: ORA_WX_SESSION="CFBFC11FA6C904D68C90158EEBF46AF0B5E4701C-1#2"; path=/
Set-Cookie: wocprod=9.0.3+en-us+us+AMERICA+7E910881BD6BB05BE04014907FB120A3+60340A9043F2350E3A492C42C78BAC78E040404F1BACB996FE31DD7F30F279601D5863FE81F1270F4CE75E9FBD2454B69607335D303C00D46259DE290208357133BA5C262FDC6E9C4544698FE4F8DD08099187564C6A217B; path=/
Connection: Close
Server: Oracle-Application-Server-10g OracleAS-Web-Cache-10g/10.1.2.3.1 (TH;max-age=2592000+0;age=33074;ecid=131482228804,0)
Content-Length: 0
Date: Mon, 01 Feb 2010 19:27:10 GMT
Content-Location: /servlet/RepositoryServlet/wocprod/!WOCPROD.wwpob_smd.redirect
Set-Cookie: BIGipServerwww_prod_wbw_pool=2215088781.24862.0000; expires=Mon, 01-Feb-2010 20:48:18 GMT; path=/

What do we see here?
I sent the text ‘GET / HTTP/1.0’ followed by two newlines (‘\n’; the equivalent of pressing enter twice) to the host otn.oracle.com on port 80. This is the first line. The other lines are the response.

The server responded with:
-HTTP/1.1: the response uses HTTP version 1.1.
-302 Moved Temporarily: we are redirected.
-Location: http://www.oracle.com/index.html: this is where we are redirected to.
-Various other headers. Not important at this point.

With this you should be able to tell whether you are connected to the right server and whether the server is serving the correct data.

But how about SSL?
Setting up SSL can be challenging. Especially with the Oracle webcache, because the webcache is picky about the CA of certificates (the Certificate Authority which signed the certificate signing request). The first thing to check is whether there is connectivity (nmap is very suitable for that; see my nmap post). The next thing is to use the openssl executable to talk SSL with the webserver. The openssl executable is available on linux and most unixes, and there is a Windows version available on the internet. Here’s how to do that:

vxlt090101:~ fritshoogland$ openssl s_client -connect login.oracle.com:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/OU=Global IT/OU=Terms of use at http://www.verisign.com/rpa (c)05/CN=login.oracle.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...certificate body omitted...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/OU=Global IT/OU=Terms of use at http://www.verisign.com/rpa (c)05/CN=login.oracle.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3269 bytes and written 309 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: FD9EC253DA11D17DAECF197BB440BDCDB56499E5A9D68EC98F530A98A50FF9E5
Session-ID-ctx:
Master-Key: 96EF4F630F44B3B3D0527DE3977E57B3A8DCBBBF21DD5675754D740BB305D95F8111CE8800B5255F79522D0B18F3DABC
Key-Arg : None
Start Time: 1265059432
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

I used the ‘s_client’ command of the openssl executable, and connected to login.oracle.com at port 443 (which is the default https port). Please mind this has nothing to do with HTTP (or HTTPS for that matter), only with SSL.

Some comment on the response:
-‘CONNECTED(00000003)’

the openssl utility was able to make a connection to login.oracle.com, at port: 443.

-‘depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority’

there are 3 certificates in the certificate chain (counting starts at zero), and the credentials of the master Certificate Authority (CA) are displayed (VeriSign). The ‘verify error:num=19:self signed certificate in certificate chain’ line directly below it means openssl could not find this root CA in its own trust store; point it at a file containing the trusted root(s) with -CAfile and the chain verifies cleanly.

-‘Certificate Chain’

here the whole certificate chain is displayed, from the local server’s certificate to the master certificate authority.

-‘Certificate’

next the certificate is displayed in a PEM encoded format, with some information beneath it.

-‘No client certificate CA names sent’

the webserver does not request client certificates (a certificate you would need to install in your browser in order to be able to connect to this webserver).

-‘New, TLSv1/SSLv3, Cipher is RC4-MD5’

next up is some information about the negotiated SSL protocol, cipher, session, etc.

Using the openssl utility, you are able to troubleshoot SSL issues in a great way!
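The ‘verify error:num=19’ line in the s_client output above is what you get whenever openssl is not told which root CA to trust, so it is worth seeing in isolation. The following is an added example, not code from the original post: it generates a throwaway root CA and a server certificate signed by it (made-up names), then runs openssl verify once without and once with that root as -CAfile. It assumes the openssl binary is on the path and creates everything in a temporary directory, so nothing touches the network.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce verify error 19 ("self
# signed certificate in certificate chain") offline with a throwaway CA, and
# show that handing openssl the right trust anchor (-CAfile) is what clears it.
# Assumes the openssl binary is on PATH; everything is generated in a temp dir.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Throwaway root CA plus a server certificate it signs: a two-link chain like
# "VeriSign Class 3 root -> login.oracle.com" in the post, with made-up names.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Example Test Root CA' \
        -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj '/CN=www.example.test' \
        -keyout "$workdir/srv.key" -out "$workdir/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$workdir/srv.csr" \
        -CA "$workdir/ca.pem" -CAkey "$workdir/ca.key" -CAcreateserial \
        -out "$workdir/srv.pem" 2>/dev/null
}

# Verify the server certificate. The root is passed with -untrusted, which is
# the position s_client is in when the server sends its whole chain: openssl
# can build the chain, but still has to find the root in a trust store.
# Prints "ok", or the numeric X509 verify error (19 = self signed cert in chain).
verify_server() {
    # $1 = CA file to trust, or "" to rely on the default system store only
    if [ -n "$1" ]; then trust="-CAfile $1"; else trust=""; fi
    openssl verify $trust -untrusted "$workdir/ca.pem" "$workdir/srv.pem" 2>&1 |
        sed -n -e 's/^.*: OK$/ok/p' -e 's/^error \([0-9][0-9]*\) at .*/\1/p' |
        head -n 1
}

make_chain
echo "without trust anchor: $(verify_server '')"                 # 19
echo "with -CAfile ca.pem:  $(verify_server "$workdir/ca.pem")"  # ok
```

The same -CAfile option works on s_client itself (openssl s_client -CAfile root.pem -connect host:443), which is the check to run when a webcache or browser rejects a chain: if verify still fails with the root you believe signed the chain, the server is sending a chain that ends somewhere else.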

If you try it, you will notice the prompt is not given back directly. In fact, the SSL handshake is done, and the webserver is waiting for a command. This means that after all the SSL information, you can issue the same commands as you did with telnet or netcat:

vxlt090101:~ fritshoogland$ openssl s_client -connect login.oracle.com:443
CONNECTED(00000003)
...other stuff omitted for clarity...
Verify return code: 0 (ok)
---

The prompt waits here; now enter:
GET / HTTP/1.0
(followed by ENTER twice). Now the webserver will answer your GET request, just like it did with telnet or netcat:

HTTP/1.1 200 OK
Date: Tue, 23 Feb 2010 12:04:35 GMT
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server
Content-Location: index.html.html
Vary: negotiate
TCN: choice
Last-Modified: Wed, 16 Apr 2008 08:43:49 GMT
ETag: "1eb25b-460f-4805bc45;4b7dda22"
Accept-Ranges: bytes
Content-Length: 17935
Connection: close
Content-Type: text/html
....snip....
read:errno=0

This way, you can do the same troubleshooting as you did with netcat or telnet.
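Both the netcat request at the start of this post and the same request typed into s_client here can be scripted, so a check can be repeated after every config change instead of reading the headers by eye. The following is an added example, not code from the original post: it builds the raw request, sends it either with nc or with openssl s_client, and parses the status code and individual headers out of the raw response. The sample response is constructed to match the redirect shown earlier, and nc and openssl are assumed to be on the path.

```shell
#!/bin/sh
# Added example, not from the original post. Sends the same "GET / HTTP/1.0"
# request the post types into netcat and openssl s_client, and pulls the status
# code and individual headers out of the raw response so a script can check them.
# Assumes 'nc' (netcat) and 'openssl' are on PATH.

# Build the raw request text. HTTP line ends are CRLF; the empty line ends the
# headers, which is the "enter twice" from the post. Host: is added because
# most servers today need it to pick the right site.
http_request() {
    # $1 = path, $2 = Host header value
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" "$2"
}

# Plain HTTP via netcat (network-dependent, so not exercised by the test).
http_get() {
    # $1 = host, $2 = port, $3 = path
    http_request "$3" "$1" | nc "$1" "$2"
}

# Same request over SSL via openssl s_client. -quiet suppresses the handshake
# chatter (and implies -ign_eof, so EOF on stdin does not close the connection
# before the answer arrives); -servername sends the hostname as SNI.
https_get() {
    # $1 = host, $2 = port, $3 = path
    http_request "$3" "$1" |
        openssl s_client -quiet -servername "$1" -connect "$1:$2" 2>/dev/null
}

# Status code: second word of the status line ("302" in "HTTP/1.1 302 Moved Temporarily").
http_status() {
    # raw response on stdin
    head -n 1 | tr -d '\r' | awk '{ print $2 }'
}

# Value of the first header with the given name (case-insensitive); only the
# header block (everything before the first empty line) is searched.
http_header() {
    # $1 = header name; raw response on stdin
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | sed '/^$/q' | awk -v want="$want" '
        /^[^:]+:/ {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                value = substr($0, index($0, ":") + 1)
                sub(/^ +/, "", value)
                print value
                exit
            }
        }'
}

# A constructed redirect response modelled on the one in the post (not a capture).
sample_response() {
    printf 'HTTP/1.1 302 Moved Temporarily\r\n'
    printf 'Location: http://www.oracle.com/index.html\r\n'
    printf 'Content-Type: text/plain\r\n'
    printf 'Connection: Close\r\n'
    printf 'Content-Length: 0\r\n'
    printf '\r\n'
}

# Demo on the constructed response; for a live check pipe http_get or https_get
# into the same helpers, e.g.  https_get login.oracle.com 443 / | http_status
echo "status:   $(sample_response | http_status)"
echo "location: $(sample_response | http_header Location)"
```

Because the helpers read the raw response from stdin, they work unchanged for both transports: a redirect loop, a wrong virtual host or a stale cache entry shows up as an unexpected status code or Location value, which is exactly what the manual telnet session above was being used to spot.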
Happy troubleshooting!
