
openssl - check http2 / h2 status under Linux or Windows

Created by: Marcin

In this short article, we show how to check the connection status, server certificate, etc. for an HTTP2 / h2 connection.

Quick solution (run the following command):

openssl s_client -alpn h2 -connect dirask.com:443 -status

Where: dirask.com should be replaced with the domain you want to check.

Windows example

Be sure that you have installed OpenSSL on Windows:

Note: OpenSSL installer for Windows can be found here.

Open the Windows Command Prompt and run the following command:

"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" s_client -alpn h2 -connect dirask.com:443 -status

Note: if the http2 / h2 protocol is working, the output should contain the line: ALPN protocol: h2.

Example Output:

C:\>"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" s_client -alpn h2 -connect dirask.com:443 -status
CONNECTED(0000016C)
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
verify return:1
OCSP response: no response sent
---
Certificate chain
 0 s:C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
   i:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
 1 s:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
---
Server certificate
subject=C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com

issuer=C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2519 bytes and written 410 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
ALPN protocol: h2
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DEC43338CCA68C1F2D0A8943582AA34EE7131E0C58D16DD56EBF502190F33524
    Session-ID-ctx:
    Resumption PSK: B44DE24C79B07C2BC81342129BC2780C93C2F3F21BF3B43537B875B14B69B9ACE3E65A458EC107C47411AB167769148D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:

    Start Time: 1603550227
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 6AB9DF570FBBB21ED674746546D05B68D9C9D59902A48ADB1068C2FC1F03A8A2
    Session-ID-ctx:
    Resumption PSK: A9A45BCA1ABFD08CE5F156D1B22900917BACD48DD43B9A5F787D8C678AEFF50FA918FD1581D962E9BF05E6F4365ED70E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:

    Start Time: 1603550227
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
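
The check above, scripted for a POSIX shell so it can run unattended. This is an added example, not part of the original article: it reduces the s_client output to the ALPN result, the TLS version and the verify return code, because a line such as "Verify return code: 20" in the output above means the h2 result was obtained from a server whose chain was not validated against a local trust store. The function names are hypothetical; `-servername` and `</dev/null` are additions to the article's command.

```shell
#!/bin/sh
# Added example (not from the original article): reduce `openssl s_client`
# output to the three fields that matter when checking for HTTP/2.

# Reads s_client output on stdin; prints "alpn=<p> tls=<v> verify=<code>".
summarize_s_client() {
    awk '
        /^ALPN protocol: /     { alpn = $3 }
        /^No ALPN negotiated/  { alpn = "none" }
        /^New, /               { tls = $2; sub(/,$/, "", tls) }
        /Verify return code: / { verify = $4 }
        END {
            if (alpn == "")   alpn = "none"
            if (tls == "")    tls = "unknown"
            if (verify == "") verify = "unknown"
            printf "alpn=%s tls=%s verify=%s\n", alpn, tls, verify
        }'
}

# Exit status: 0 = h2 negotiated and chain verified (code 0),
#              1 = h2 negotiated but the chain was not verified,
#              2 = h2 not negotiated.
check_h2() {
    summary=$(summarize_s_client)
    case $summary in
        "alpn=h2 "*" verify=0") return 0 ;;
        "alpn=h2 "*)            return 1 ;;
        *)                      return 2 ;;
    esac
}

# Live probe (hypothetical helper name). </dev/null closes stdin so that
# s_client exits after the handshake instead of waiting for input.
probe_h2() {
    openssl s_client -alpn h2 -servername "$1" -connect "$1:${2:-443}" \
        </dev/null 2>/dev/null | summarize_s_client
}

# Excerpt of the example output shown in this article.
SAMPLE_H2='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
ALPN protocol: h2
Verify return code: 20 (unable to get local issuer certificate)'

# Constructed sample: a server that does not negotiate ALPN.
SAMPLE_NO_ALPN='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
No ALPN negotiated
    Verify return code: 0 (ok)'
```

Run `probe_h2 dirask.com` for a live summary, or pipe saved s_client output into `check_h2` and branch on its exit status.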
                           