Often while diagnosing problems between web servers and clients it is useful to observe the requests and responses exchanged between the server and some known client (such as a web browser), and/or to act as a client yourself and send handcrafted requests for testing.
As long as SSL/TLS is not in use this is quite easy. All you need to act as a client is telnet. For capturing requests and responses between another client and the server you can use any network capture tool, such as Ethereal (now Wireshark).
When SSL/TLS is in use it becomes a bit more difficult: it is no longer possible to simply telnet to the HTTPS port, and since the payload is encrypted a packet capture with the usual tools shows you the handshake but not the requests and responses inside it.
The good news is that there are many tools that provide equivalent functionality; they just seem to be less well known, so I'm often asked how to diagnose anything when SSL is in use. I'll cover a few of the ones I use most in this and later blog entries.
I'll look at the telnet replacements first. Most often I use openssl s_client, or sometimes tstclnt from NSS (while most of the NSS tools can be found in the SUNWtlsu package for Solaris, tstclnt is not there).
Starting with openssl, check the available options (showing the path in Solaris here):
% /usr/sfw/bin/openssl s_client -h
If all you need is an SSL-enabled 'telnet replacement' and you are not looking for information about the SSL connection itself, simply run the following and (assuming a successful connection) type the HTTP request as desired. Note that in interactive mode (no -quiet and no -ign_eof) s_client treats a line beginning with R as a request to renegotiate and a line beginning with Q, or end of file on stdin, as a request to close the connection, so a handcrafted request containing a Referer or Range header needs one of those flags; -quiet implies -ign_eof, which also lets you pipe a prepared request in rather than typing it.
% openssl s_client -host localhost -port 8080 -quiet
Using the same command but omitting the -quiet flag you can see information about the connection, such as the server certificate and its subject DN, the certificate chain, the negotiated protocol and cipher suite, and the certificate verification result. Additional flags such as -showcerts, -debug and -msg produce progressively more output (the full chain, hex dumps of the raw records, and the handshake messages respectively).
For testing whether the server accepts particular cipher suites, check the -cipher option, which restricts the list of ciphers openssl will offer in the handshake. If the server accepts none of them the handshake fails and s_client exits with a non-zero status, which is the outcome you want to see for a weak suite such as single DES:
% openssl s_client -host localhost -port 8080 -cipher DES-CBC-SHA
Be sure to check the manpage for s_client for additional details.
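The following is an added example and not part of the original post: a small POSIX shell wrapper around openssl s_client that does the two things described above, issuing a handcrafted HTTP request over TLS and pulling the useful facts (negotiated protocol and cipher, certificate verification result) out of s_client's handshake summary, plus a check for whether a given cipher suite is accepted. It assumes openssl is in PATH (OpenSSL 1.0.1 or later for -tls1_2 and -servername) and that you supply a HOST:PORT; it uses -connect rather than the -host/-port form shown above. The sample s_client output embedded in it is constructed test input, not a capture from a real server, so the parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): wrap openssl s_client for
# diagnosing an SSL/TLS-enabled web server. Assumes openssl (1.0.1+) in PATH.

# Constructed sample of what "openssl s_client -connect host:port" prints for
# a self-signed server certificate (PEM omitted). Made-up test input, not a
# real capture; it lets the parsing helpers below run without a network.
SAMPLE_OUTPUT=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:CN = localhost
   i:CN = localhost
---
Server certificate
[.. certificate PEM omitted ..]
subject=CN = localhost
issuer=CN = localhost
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---
EOF
)

# verify_code OUTPUT: print the numeric "Verify return code" from s_client
# output. 0 means the chain verified; 18 is a self-signed certificate, 21 an
# unverifiable chain, etc. (the codes are those of the verify(1) manpage).
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# negotiated OUTPUT: print "<protocol> <cipher>" taken from the SSL-Session
# block, e.g. "TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384".
negotiated() {
  printf '%s\n' "$1" | awk '
    /^ *Protocol *:/ { sub(/^[^:]*: */, ""); proto = $0 }
    /^ *Cipher *:/   { sub(/^[^:]*: */, ""); cipher = $0 }
    END { print proto, cipher }'
}

# handshake_info HOST:PORT: connect, send nothing, return the full handshake
# summary for the helpers above. -servername sets SNI so a name-based virtual
# host hands back the certificate you actually want to inspect.
handshake_info() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>&1
}

# https_get HOST:PORT PATH: the "telnet replacement" use, non-interactively.
# -quiet implies -ign_eof, so the piped request is delivered in full and the
# connection stays open until the server closes it (hence Connection: close).
https_get() {
  printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "${1%%:*}" |
    openssl s_client -connect "$1" -servername "${1%%:*}" -quiet 2>/dev/null
}

# cipher_accepted HOST:PORT CIPHER: exit 0 if the server negotiates the named
# OpenSSL cipher, non-zero if the handshake fails. -tls1_2 pins the protocol:
# with OpenSSL 1.1.1+ -cipher does not cover TLS 1.3 suites, so without it a
# TLS 1.3 server would simply pick a TLS 1.3 cipher and the test proves nothing.
cipher_accepted() {
  openssl s_client -connect "$1" -tls1_2 -cipher "$2" </dev/null >/dev/null 2>&1
}

# Usage: ./tlsprobe.sh HOST:PORT (nothing runs when no target is given)
if [ -n "$1" ]; then
  info=$(handshake_info "$1")
  echo "negotiated: $(negotiated "$info")"
  echo "verify return code: $(verify_code "$info")"
  if cipher_accepted "$1" DES-CBC-SHA; then
    echo "WARNING: server accepts single DES (DES-CBC-SHA)"
  else
    echo "server refuses DES-CBC-SHA (expected)"
  fi
  https_get "$1" / | head -n 5
fi
```

A non-zero exit from cipher_accepted is the result you want for DES-CBC-SHA; a zero exit means the server still offers single DES. If you need to probe TLS 1.3 suites on a current OpenSSL, the equivalent option is -ciphersuites rather than -cipher.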
As I mentioned, NSS has a similar tool called tstclnt. Run it with no options for a summary of all options:
% tstclnt
Usage: tstclnt -h host [-p port] [-d certdir] [-n nickname] [-23BTfosvx]
               [-c ciphers] [-w passwd] [-q]
[.. additional output omitted ..]
% tstclnt -h localhost -p 8080
You may have to provide the -o option (override bad server certificate) in order to connect if the server certificate chain can't be verified, such as for a self-signed cert; -d points it at the NSS certificate database to verify against. Similar to openssl s_client, you can specify which cipher suites to negotiate, via -c.
So that's it: either of these tools will let you connect to an SSL/TLS-enabled web server and issue requests, as well as obtain diagnostics about the SSL handshake itself.