Validate certificate h2 support using openssl

Blog Post created by Javier Garza Employee on Jun 22, 2016

One of the requirements for using HTTP/2 (or just h2) on Akamai is having the right set of ciphers enabled at the certificate level.

You can test this easily using openssl, as shown below:

$ echo test | /usr/local/Cellar/openssl/1.0.2e/bin/openssl s_client -connect http2.akamai.com:443 -servername http2.akamai.com -alpn spdy/2,h2,h2-14 -cipher "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA" | grep ALPN
...
ALPN protocol: h2

If you prefer to see the whole output, just omit the "grep ALPN" at the end, as shown below:

$ echo test | /usr/local/Cellar/openssl/1.0.2e/bin/openssl s_client -connect http2.akamai.com:443 -servername http2.akamai.com -alpn spdy/2,h2,h2-14 -cipher "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA"
CONNECTED(00000003)
depth=3 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = NL, L = Amsterdam, O = Verizon Enterprise Solutions, OU = Cybertrust, CN = Verizon Akamai SureServer CA G14-SHA2
verify return:1
depth=0 C = US, ST = CA, L = Santa Clara, O = Akamai Technologies Inc., CN = http2.akamai.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=Santa Clara/O=Akamai Technologies Inc./CN=http2.akamai.com
   i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
 1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
subject=/C=US/ST=CA/L=Santa Clara/O=Akamai Technologies Inc./CN=http2.akamai.com
issuer=/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4443 bytes and written 315 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
ALPN protocol: h2
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 81AA621BE7216E1DEC2CD28A43424D5A130882A2EE36E841078F693CC13D5EC6
    Session-ID-ctx:
    Master-Key: CD26C94F082C70C35D1EEA3496FFB4428A99B9BBDDB1B880E060D54FA0A2B7626B52EC82ABB768BC0FE021941DB7431E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    Start Time: 1455743186
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
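
As an added example (not part of the original post), the POSIX shell function below parses the s_client output shown above and applies the three conditions RFC 7540 section 9.2 places on an h2 connection: ALPN selected h2, TLS 1.2 or newer, and an ephemeral-key AEAD cipher. It therefore also catches a server that answers ALPN h2 but settles on a blacklisted CBC suite such as ECDHE-RSA-AES256-SHA from the -cipher list used above, which "grep ALPN" alone would not flag; the h2_check name and the sample excerpts are mine and constructed.

```shell
#!/bin/sh
# Added example (not from the original post): decide from `openssl s_client` output
# whether the negotiated session is usable for HTTP/2 per RFC 7540 section 9.2:
#   - ALPN must have selected "h2"
#   - the protocol must be TLS 1.2 or newer
#   - the cipher must be an ephemeral-key AEAD suite; CBC/SHA-1 suites such as
#     ECDHE-RSA-AES256-SHA (offered in the post's -cipher list) are blacklisted in
#     RFC 7540 Appendix A, so "grep ALPN" alone can report a false pass.
# Live use: openssl s_client -connect HOST:443 -servername HOST -alpn h2 </dev/null 2>&1 | h2_check

h2_check() {
    out=$(cat)
    alpn=$(printf '%s\n' "$out" | sed -n 's/^ALPN protocol: *//p' | head -n 1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    status=0
    if [ "$alpn" != "h2" ]; then
        echo "FAIL: ALPN selected '${alpn:-none}', not h2"; status=1
    fi
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "FAIL: protocol '${proto:-unknown}' is older than TLS 1.2"; status=1 ;;
    esac
    case "$cipher" in
        ECDHE-*-GCM-*|DHE-*-GCM-*|ECDHE-*-CHACHA20-*|DHE-*-CHACHA20-*|TLS_AES_*|TLS_CHACHA20_*) ;;
        *) echo "FAIL: cipher '${cipher:-unknown}' is not an h2-compatible ephemeral AEAD suite"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: h2 over $proto with $cipher"
    return "$status"
}

# Constructed sample excerpts modelled on the s_client output shown in the post.
SAMPLE_OK='ALPN protocol: h2
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Same ALPN answer, but the server settled on the CBC suite from the same -cipher list.
SAMPLE_BAD_CIPHER='ALPN protocol: h2
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA'

printf '%s\n' "$SAMPLE_OK" | h2_check                # OK: h2 over TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384
printf '%s\n' "$SAMPLE_BAD_CIPHER" | h2_check || :   # FAIL: cipher 'ECDHE-RSA-AES256-SHA' is not an h2-compatible ...
```

The function's exit status is 0 only when all three conditions hold, so it can sit directly in a deployment check or a monitoring script.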
