traceroute [options] host [packet_len]
※ packet_len should be specified in bytes
Example:
$ traceroute example.com 8184
Specify packet size in traceroute
Category Archives: network
Testing SSL certificate with OpenSSL commands
Before installing SSL certificate and Intermediate CA certificate on Web server such as Apache, you may want to verify them.
You can do it using OpenSSL openssl command.
Start SSL/TLS server using openssl s_server
s_server implements a generic SSL/TLS server which accepts connections from remote clients speaking SSL/TLS.
openssl s_server -cert <path/to/certificate> -key <path/to/private key> -CAfile <path/to/Intermediate CA certificate>
Example:
$ openssl s_server -cert server.crt -key server.key -CAfile intermediate.crt Using default temp DH parameters Using default temp ECDH parameters ACCEPT
Test with openssl s_client
Connect to the server using openssl s_client and verify certificates.
s_client implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS.
openssl s_client -connect localhost:4433 -CAfile <path/to/CA certificate>
Example of CA certificate:
- Mac OS X
/etc/openssl/cert.pem
/opt/local/etc/openssl/cert.pem、/opt/local/share/curl/curl-ca-bundle.crt (with MacPorts) -
Ubuntu (You need to install ca-certificates using apt)
/etc/ssl/certs/ca-certificates.crt -
CentOS
CA certificate id in /etc/pki/tls/certs/ca-bundle.crt but you don't have to specify it.
Example:
$ openssl s_client -connect localhost:4433 -CAfile /opt/local/share/curl/curl-ca-bundle.crt
CONNECTED(00000003)
depth=3 (omitted)
verify return:1
depth=2 (omitted)
verify return:1
depth=1 (omitted)
verify return:1
depth=0 (omitted)
verify return:1
---
Certificate chain
0 s:(omitted)
i:(omitted)
1 s:(omitted)
i:(omitted)
2 s:(omitted)
i:(omitted)
3 s:(omitted)
i:(omitted)
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
subject=(omitted)
issuer=(omitted)
---
No client certificate CA names sent
---
SSL handshake has read 4744 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: (omitted)
Session-ID-ctx:
Master-Key: (omitted)
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
(omitted)
Compression: 1 (zlib compression)
Start Time: 1421023132
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
After you have installed certificates on the server, verify them with s_client like below.
-servername is needed for SNI (Server Name Indication).
-
Mac OS X
$ openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts -CAfile /opt/local/etc/openssl/cert.pem
-
CentOS
$ openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts
-
Ubuntu
(You need to install ca-certificates using apt)$ openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts -CAfile /etc/ssl/certs/ca-certificates.crt
If you want to show expiring date of certificate,
$ echo | openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts 2>/dev/null | openssl x509 -noout -dates
Specify packet size for ping
Use -s option to specify the number of data bytes to be sent.
(-l on Windows)
$ ping -s 8184 example.com
The size specified with -s is combined with the 8 bytes of ICMP header data.
Usually the max is 8184 (which translates into 8192 bytes when combined with ICMP header data).