openssl - check http2 / h2 status under Linux or Windows
In this short article, we show how to check the connection status, server certificate, etc. for an HTTP/2 (h2) connection.
Quick solution (run the following command):
openssl s_client -alpn h2 -connect dirask.com:443 -status
Where dirask.com should be replaced by the proper domain.
Testing under Windows
1. Prerequisites
Make sure that OpenSSL is installed on Windows.
Note: OpenSSL installer for Windows can be found here.
2. Testing
Open Windows Command Prompt and run the following command:
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" s_client -alpn h2 -connect dirask.com:443 -status
Note: if the http2 / h2 protocol is working, we should see the following line somewhere in the output:
ALPN protocol: h2
Example Output:
C:\>"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" s_client -alpn h2 -connect dirask.com:443 -status
CONNECTED(0000016C)
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
verify return:1
OCSP response: no response sent
---
Certificate chain
0 s:C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
i:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
1 s:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
---
Server certificate
subject=C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
issuer=C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2519 bytes and written 410 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
ALPN protocol: h2
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: DEC43338CCA68C1F2D0A8943582AA34EE7131E0C58D16DD56EBF502190F33524
Session-ID-ctx:
Resumption PSK: B44DE24C79B07C2BC81342129BC2780C93C2F3F21BF3B43537B875B14B69B9ACE3E65A458EC107C47411AB167769148D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
Start Time: 1603550227
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 6AB9DF570FBBB21ED674746546D05B68D9C9D59902A48ADB1068C2FC1F03A8A2
Session-ID-ctx:
Resumption PSK: A9A45BCA1ABFD08CE5F156D1B22900917BACD48DD43B9A5F787D8C678AEFF50FA918FD1581D962E9BF05E6F4365ED70E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
Start Time: 1603550227
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
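
Added example (not part of the original article): a shell function that reduces s_client output to the fields that matter for this check, namely the negotiated ALPN protocol, the TLS version and the verify return code. The first sample reuses lines from the output above; the second sample, the function names and the example.com host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin and prints
#   alpn=<proto|none> tls=<version> verify=<code> verdict=<...>
# Exit status: 0 = h2 and chain verified, 1 = h2 but verify code != 0, 2 = no h2.
summarize_s_client() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF from Windows
        /^ALPN protocol: /    { alpn = $3 }
        /^No ALPN negotiated/ { alpn = "none" }
        /^(New|Reused), /     { tls = $2; sub(/,$/, "", tls) }
        # The code is repeated inside each SSL-Session block; keep the first.
        /Verify return code: / && verify == "" { verify = $4 }
        END {
            if (alpn == "")   alpn = "none"
            if (tls == "")    tls = "unknown"
            if (verify == "") verify = "unknown"
            if (alpn != "h2")       { verdict = "no-h2";         rc = 2 }
            else if (verify != "0") { verdict = "h2-unverified"; rc = 1 }
            else                    { verdict = "h2-ok";         rc = 0 }
            printf "alpn=%s tls=%s verify=%s verdict=%s\n", alpn, tls, verify, verdict
            exit rc
        }'
}

# Lines copied from the example output in this article.
sample_from_page() {
    cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
ALPN protocol: h2
Verify return code: 20 (unable to get local issuer certificate)
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Constructed sample: a server that does not select any ALPN protocol.
sample_no_alpn() {
    cat <<'EOF'
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
No ALPN negotiated
Verify return code: 0 (ok)
EOF
}

sample_from_page | summarize_s_client || true
sample_no_alpn   | summarize_s_client || true

# Live use (example.com is a placeholder host):
#   openssl s_client -alpn h2 -connect example.com:443 </dev/null 2>/dev/null | summarize_s_client
```

For the article's run the verdict is h2-unverified: ALPN selected h2, but verify return code 20 means openssl could not build the chain to a trusted root from its local store, so that run did not validate the server certificate.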