58

Is there a command to check the TLS version required by a host site? Right now, the only way I know to check is by adjusting the max TLS version of my browser and checking if I can still access the site. However, I suspect there is a more sophisticated way to do this.

Bukunmi
LakeMichigan
    Test it at [ssllabs](http://ssllabs.com). – user207421 Nov 11 '16 at 23:26
    Not command line, but Firefox can tell you the Technical Details of the encryption level when you go to Padlock->More Information->Security. (I don't know whether it's necessary to allow the particular TLS version before it will tell you what it is.) – mwfearnley Jan 16 '23 at 11:36

5 Answers

107

You can check using the following commands.

For TLS 1.2:

openssl s_client -connect www.google.com:443 -tls1_2

For TLS 1.1:

openssl s_client -connect www.google.com:443 -tls1_1

For TLS 1:

openssl s_client -connect www.google.com:443 -tls1

If you get the certificate chain and the handshake, then the TLS version is supported. If you don't see the certificate chain, and instead something similar to "handshake error", then it's not.

root
    How we can check it in windows servers? – Darshana Patel Sep 23 '19 at 04:21
    @DarshanaPatel You can connect to any server with that command, or if you want to use that command you can install OpenSSL for Windows – golimar Sep 28 '21 at 07:24
  • I've had mixed results with this. An API being tested with this method did not report a certificate with 1.1, but did with 1.2. Hinting at 1.1 not being supported. Yet with curl below, using 1.1 downloaded the site content/landing page. Not sure why openssl results didn't match curl. An aside, curl was inline with the online tools offering similar checks. – Niall May 31 '23 at 17:49
  • For TLS 1.3 use `-tls3` at the end. – Shayan Jul 28 '23 at 00:14
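The per-version checks in this answer can be run in one go. The script below is an added example, not code from the answer or from OpenSSL: it loops over the `-tls1`, `-tls1_1`, `-tls1_2` and `-tls1_3` options and classifies each result the way the answer describes (a printed certificate chain means the version is supported). The host and port are whatever you pass in; `www.google.com:443` in the usage comment is only an illustration.

```shell
#!/bin/sh
# Added example, not code from the answer above: run the answer's per-version
# openssl s_client checks in one go and classify each result the way the
# answer describes (certificate chain printed = supported). The host and port
# are whatever you pass in; www.google.com:443 below is only an illustration.

# classify_openssl_output: read s_client output on stdin and print one of
#   supported      - the server sent a certificate, so the handshake got that far
#   not supported  - no certificate (typically an alert / handshake failure)
#   inconclusive   - the local openssl cannot speak this version itself (it does
#                    not know the -tlsX option, or refuses it with "no protocols
#                    available"), so nothing can be said about the server
classify_openssl_output() {
    out=$(cat)
    case "$out" in
        *"nknown option"*|*"no protocols available"*)
            printf 'inconclusive (client openssl cannot speak this version)\n' ;;
        *"-----BEGIN CERTIFICATE-----"*)
            printf 'supported\n' ;;
        *)
            printf 'not supported\n' ;;
    esac
}

# probe_tls_versions HOST [PORT]: try TLS 1.0 through 1.3 and print one line per version.
probe_tls_versions() {
    host="$1"
    port="${2:-443}"
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        # </dev/null closes stdin so s_client exits right after the handshake
        # instead of waiting for request data; 2>&1 keeps the alert text so the
        # classifier can see it. -servername sends SNI, which many hosts require.
        result=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>&1 \
                 | classify_openssl_output)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Usage: sh probe_tls.sh www.google.com 443
if [ "$#" -gt 0 ]; then
    probe_tls_versions "$@"
fi
```

The "inconclusive" bucket matters in practice: an OpenSSL 3 build configured to refuse TLS 1.0/1.1 fails before anything reaches the server, which is the kind of client-side mismatch that makes openssl and curl disagree as described in the comments above.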
53

From https://maxchadwick.xyz/blog/checking-ssl-tls-version-support-of-remote-host-from-command-line:

nmap ssl-enum-ciphers

Another option for checking SSL / TLS version support is nmap. nmap is not typically installed by default, so you’ll need to manually install it. Once installed you can use the following command to check SSL / TLS version support…

nmap --script ssl-enum-ciphers -p 443 www.google.com

nmap’s ssl-enum-ciphers script will not only check SSL / TLS version support for all versions (TLS 1.0, TLS 1.1, and TLS 1.2) in one go, but will also check cipher support for each version, including providing a grade.

Colin Curtin
5

I like to use curl which can report a TLS version negotiation quite nicely.

For example, this tries to connect with TLS 1.1, which the server negotiates to upgrade to 1.2:

$ curl -Iiv --tlsv1.1 https://example.com
*   Trying 192.168.205.11:443...
* TCP_NODELAY set
* Connected to example.com (192.168.205.11) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
[...]

To prevent the server from upgrading the TLS version, use the --tls-max option:

$ curl -Iiv --tlsv1.1 --tls-max 1.1 https://example.com
*   Trying 192.168.205.11:443...
* TCP_NODELAY set
* Connected to example.com (192.168.205.11) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS alert, internal error (592):
* error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available
* Closing connection 0
curl: (35) error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available

In this case, the connection fails because the client does not offer any TLS version above 1.1, but the server does not accept any version below 1.2. If used like this, the output is very similar to the openssl s_client output.

not2savvy
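The two curl runs in this answer can be generalised to every version. The script below is an added example, not code from the answer or from the curl project: it pins the floor (`--tlsvX.Y`) and the ceiling (`--tls-max X.Y`) to the same version so the server cannot negotiate upward, and reads the negotiated protocol and cipher back out of the `* SSL connection using ...` line of curl's verbose trace. The URL is whatever you pass in; `https://example.com` is only an illustration.

```shell
#!/bin/sh
# Added example, not code from the answer above: pin curl to exactly one TLS
# version (--tlsvX.Y sets the floor, --tls-max X.Y the ceiling, as the answer
# shows for 1.1) so the server cannot negotiate upward, and read the negotiated
# protocol and cipher back out of curl's verbose trace. The URL is whatever you
# pass in; https://example.com is only an illustration.

# negotiated_tls: read a curl -v trace on stdin and print "PROTOCOL CIPHER"
# taken from the "* SSL connection using TLSv1.2 / CIPHER" line, or "none"
# when that line is absent (the handshake failed, as in the answer's second run).
# Newer curl appends "/ group / signature" fields; only the first two are kept.
negotiated_tls() {
    line=$(sed -n 's/^\* SSL connection using \([^ ]*\) \/ \([^ ]*\).*/\1 \2/p' | head -n 1)
    if [ -n "$line" ]; then
        printf '%s\n' "$line"
    else
        printf 'none\n'
    fi
}

# probe_exact_versions URL: for each TLS version, pin floor and ceiling to that
# version and report what (if anything) was negotiated.
probe_exact_versions() {
    url="$1"
    for v in 1.0 1.1 1.2 1.3; do
        # -s quiets progress output, -I sends HEAD, -o /dev/null discards the
        # response; the handshake trace goes to stderr, hence 2>&1.
        result=$(curl -sIv -o /dev/null "--tlsv$v" --tls-max "$v" "$url" 2>&1 | negotiated_tls)
        printf 'TLS %s: %s\n' "$v" "$result"
    done
}

# Usage: sh probe_curl.sh https://example.com
if [ "$#" -gt 0 ]; then
    probe_exact_versions "$@"
fi
```

A "none" result means the version was not negotiated, not necessarily that the server rejected it: as the answer's second run shows, a curl/OpenSSL build that cannot speak the pinned version fails with "no protocols available" before the server is ever asked, so check the trace text when a result is unexpected.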
0

Nmap has very convenient TLS version and ciphersuite checking NSE script. All in one, multiplatform too: https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

0

testssl.sh (download site) produces a report similar to the SSLLabs one; the report includes information about the supported TLS versions. To speed things up, you can use the -p (--protocols) flag to only test the supported TLS versions.

One specific case where I've found testssl.sh (and local command line tools in general) useful is when testing a server before it goes "live". The SSLLabs online test takes a hostname, resolves it to IP addresses, and tests each IP address. This requires my server to already have a DNS entry. With testssl.sh I can test a single server by its IP address:

./testssl.sh -p --ip 123.123.123.123 https://example.com

Pēteris Caune