Tag Archives: webserver application server connectivity nc netcat http https

Setting up a webserver is quite easy. But setting up, and especially troubleshooting, webserver connectivity and SSL can be challenging. Also, in a real deployment in a datacentre you probably have limited tools and (in the case of Linux/Unix) command-line access only.

You don’t need a browser to get a response from a webserver. It’s quite easy to get a response using common tools. A tool found on every platform (by default) is telnet; a bit more elegant is netcat (the nc executable on Linux). The netcat utility, and all its ports, can be found on the netcat Wikipedia page. On Linux it’s available by default. Please be aware I say ‘response’ here, not ‘browsing’. The techniques described here are for getting a text response, and are quite unsuitable for browsing.

How does this commandline stuff work?
First example is getting a response from a webserver. In this example I use ‘’:
vxlt090101:~ fritshoogland$ printf "GET / HTTP/1.0\n\n" | nc 80
HTTP/1.1 302 Moved Temporarily
Content-Type: text/plain
Cache-Control: max-age=0
Set-Cookie: ORA_WX_SESSION="CFBFC11FA6C904D68C90158EEBF46AF0B5E4701C-1#2"; path=/
Set-Cookie: wocprod=9.0.3+en-us+us+AMERICA+7E910881BD6BB05BE04014907FB120A3+60340A9043F2350E3A492C42C78BAC78E040404F1BACB996FE31DD7F30F279601D5863FE81F1270F4CE75E9FBD2454B69607335D303C00D46259DE290208357133BA5C262FDC6E9C4544698FE4F8DD08099187564C6A217B; path=/
Connection: Close
Server: Oracle-Application-Server-10g OracleAS-Web-Cache-10g/ (TH;max-age=2592000+0;age=33074;ecid=131482228804,0)
Content-Length: 0
Date: Mon, 01 Feb 2010 19:27:10 GMT
Content-Location: /servlet/RepositoryServlet/wocprod/!WOCPROD.wwpob_smd.redirect
Set-Cookie: BIGipServerwww_prod_wbw_pool=2215088781.24862.0000; expires=Mon, 01-Feb-2010 20:48:18 GMT; path=/

What do we see here?
I sent the text ‘GET / HTTP/1.0’ followed by two newlines (‘\n’) to the host on port 80. This is the first line. The other lines are the response.

The server responded back:
-The response is using HTTP version 1.1
-302 Moved Temporarily; we are redirected
-Location:; this is where we are redirected to.
-Various other stuff. Not important at this point.

You should be able to detect if you are connected to the right server and the server is serving the correct data.
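
To make that check repeatable, the header block can be parsed instead of read by eye. The script below is an added example, not part of the original post; the function names and the trimmed sample response (rebuilt from the output above, with the CRLF line endings a server sends) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a raw HTTP response.

# Constructed sample: trimmed copy of the response above, with CRLF endings.
sample_response() {
    printf 'HTTP/1.1 302 Moved Temporarily\r\n'
    printf 'Content-Type: text/plain\r\n'
    printf 'Server: Oracle-Application-Server-10g OracleAS-Web-Cache-10g/\r\n'
    printf 'Content-Length: 0\r\n'
    printf 'Content-Location: /servlet/RepositoryServlet/wocprod/!WOCPROD.wwpob_smd.redirect\r\n'
    printf '\r\n'
    printf 'Server: body-text-that-must-not-be-read-as-a-header\r\n'
}

# http_summary: read a response on stdin, print key=value lines for the
# status line and the headers that identify the server and redirect target.
http_summary() {
    awk '
        { sub(/\r$/, "") }                      # drop the CR of each CRLF
        NR == 1 {
            if ($1 !~ /^HTTP\//) { print "error=not-http"; bad = 1; done = 1; next }
            r = ($2 ~ /^3[0-9][0-9]$/) ? "yes" : "no"
            print "version=" $1
            print "status=" $2
            print "redirect=" r
            next
        }
        done { next }                           # past the header block
        $0 == "" { done = 1; next }             # blank line ends the headers
        {
            i = index($0, ":")
            if (i == 0) next
            name = tolower(substr($0, 1, i - 1))
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value)
            if (name == "server" || name == "location" || name == "content-location")
                print name "=" value
        }
        END { exit bad + 0 }
    '
}

# http_field NAME: print the value of one key from http_summary.
http_field() {
    http_summary | awk -F= -v k="$1" '$1 == k && !seen++ { sub(/^[^=]*=/, ""); print }'
}
```

Pipe live output into it, for example `printf 'GET / HTTP/1.0\r\n\r\n' | nc HOST 80 | http_summary`, where HOST is a placeholder for your server.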

But how about SSL?
Setting up SSL can be challenging, especially with the Oracle webcache, because the webcache is picky about the CA of certificates (the Certificate Authority which signed the certificate signing request). The first thing to check is whether there’s connectivity (nmap is very suitable for that; see my nmap post). The next thing is to use the openssl executable to talk SSL with the webserver. The openssl executable is available on Linux and most Unixes, and there is a Windows version available on the internet. Here’s how to do that:

vxlt090101:~ fritshoogland$ openssl s_client -connect
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
0 s:/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/OU=Global IT/OU=Terms of use at (c)05/
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at (c)05/CN=VeriSign Class 3 Secure Server CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at (c)05/CN=VeriSign Class 3 Secure Server CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Server certificate
subject=/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/OU=Global IT/OU=Terms of use at (c)05/
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at (c)05/CN=VeriSign Class 3 Secure Server CA
No client certificate CA names sent
SSL handshake has read 3269 bytes and written 309 bytes
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: FD9EC253DA11D17DAECF197BB440BDCDB56499E5A9D68EC98F530A98A50FF9E5
Master-Key: 96EF4F630F44B3B3D0527DE3977E57B3A8DCBBBF21DD5675754D740BB305D95F8111CE8800B5255F79522D0B18F3DABC
Key-Arg : None
Start Time: 1265059432
Timeout : 300 (sec)
Verify return code: 0 (ok)

I used the ‘s_client’ command of the openssl executable, and connected to the webserver at port 443 (which is the default https port). Please mind this has nothing to do with HTTP (and HTTPS for that matter), only with SSL.

Some comment on the response:

the openssl utility was able to make a connection to the webserver at port 443.

-‘depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority’

there are 3 certificates in the Certificate chain (counting starts at zero), and the credentials of the master Certificate Authority (CA) are displayed (Verisign).

-‘Certificate Chain’

here the whole certificate chain is displayed, from the local server’s certificate to the master certificate authority.


next the certificate is displayed in a PEM encoded format, with some information beneath it.

-‘No client certificate CA names sent’

the webserver does not use client certificates (a certificate you need to install in your browser in order to be able to connect to this webserver).

-‘New, TLSv1/SSLv3, Cipher is RC4-MD5’

next up some information about SSL ciphers, protocols, etc.

Using the openssl utility, you are able to troubleshoot SSL issues in a great way!
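
The fields walked through above can also be checked mechanically, which matters for this session: TLSv1, RC4-MD5 and a 1024-bit key are all considered weak today. The script below is an added example, not part of the original post; the function names, the finding labels and the thresholds (TLS 1.2 minimum, 2048-bit RSA key) are this example's assumptions, and the sample lines are copied from the output above.

```shell
#!/bin/sh
# Added example (not from the original post): flag weak settings in the
# text output of `openssl s_client`.

# Constructed sample: lines copied from the s_client session shown above.
sample_session() {
    cat <<'EOF'
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
EOF
}

# audit_s_client: read s_client output on stdin, print one finding per line.
# Assumed thresholds: TLS 1.2 minimum, 2048-bit key (RSA; EC keys are
# shorter by design and would need a separate rule).
audit_s_client() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ {
            if ($NF ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print "WEAK protocol " $NF
        }
        /^[ \t]*Cipher[ \t]*:/ {
            if ($NF ~ /RC4|MD5|DES|NULL|EXP/) print "WEAK cipher " $NF
        }
        /^Server public key is [0-9]+ bit/ {
            if ($5 + 0 < 2048) print "WEAK key " $5 " bit"
        }
        # s_client carries on with the handshake after a verify error by
        # default, so these lines are easy to miss in a long session.
        /^verify error:/ { print "CHAIN " $0 }
        /Verify return code:/ {
            code = $0
            sub(/^.*Verify return code:[ \t]*/, "", code)
            split(code, part, " ")
            if (part[1] != "0") print "VERIFY failed: " code
            seen_verify = 1
        }
        END { if (!seen_verify) print "INCOMPLETE no verify return code (handshake failed?)" }
    '
}

# count_findings PREFIX: number of findings that start with PREFIX.
count_findings() {
    audit_s_client | awk -v p="$1" 'index($0, p) == 1 { n++ } END { print n + 0 }'
}
```

Feed it a live session with `openssl s_client -connect HOST:443 </dev/null 2>&1 | audit_s_client` (HOST is a placeholder). s_client also prints the session's Master-Key, so cut that line before pasting output into a ticket or a post.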

If you try it, you will notice the prompt is not given back directly. In fact, the SSL handshake is done, and the webserver is waiting for a command. This means that after all the SSL information, you can issue the same commands as you did with telnet or netcat:

vxlt090101:~ fritshoogland$ openssl s_client -connect
...other stuff omitted for clarity...
Verify return code: 0 (ok)

The prompt waits here, now enter:
GET / HTTP/1.0
(and press ENTER twice). Now the webserver will answer your GET request, just as it did with telnet or netcat:

HTTP/1.1 200 OK
Date: Tue, 23 Feb 2010 12:04:35 GMT
Server: Oracle-Application-Server-10g/ Oracle-HTTP-Server
Content-Location: index.html.html
Vary: negotiate
TCN: choice
Last-Modified: Wed, 16 Apr 2008 08:43:49 GMT
ETag: "1eb25b-460f-4805bc45;4b7dda22"
Accept-Ranges: bytes
Content-Length: 17935
Connection: close
Content-Type: text/html

This way, you can do the same troubleshooting as you did with netcat or telnet.
Happy troubleshooting!
