Transport Layer Security (TLS) is a protocol for ensuring secure communication over the network. It encrypts data exchanged between a client and a server. Over the years, TLS has evolved, with older versions like TLS 1.0 and TLS 1.1 being deprecated due to security vulnerabilities. Modern systems mostly use TLS 1.2 and TLS 1.3. As part of maintaining secure web services or diagnosing issues, it is essential to determine whether a server supports specific TLS versions. This tutorial explains how to check if a server supports a specific TLS version using OpenSSL.
By default, the openssl s_client command attempts to use the most secure protocol available to communicate with the remote server and displays the negotiated protocol version in the output.
To test support for a specific protocol version, you can explicitly specify the desired version by using one of the options: -tls1, -tls1_1, -tls1_2, or -tls1_3.
For example, to check if the server supports TLS 1.1, use the following command:
echo | openssl s_client -tls1_1 -connect www.google.com:443
For instance, the following output demonstrates what you might see when testing a server that does not support a specific protocol version:
CONNECTED(00000003)
809B94C6BF740000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
To check for TLS 1.2 support, run this command:
echo | openssl s_client -tls1_2 -connect www.google.com:443
For example, here's the output you might see when testing a server that supports a specific protocol version:
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WR2
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
0 s:CN = www.google.com
i:C = US, O = Google Trust Services, CN = WR2
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 2 08:37:44 2024 GMT; NotAfter: Feb 24 08:37:43 2025 GMT
...
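The `no protocols available` error in the first listing above is raised by the local OpenSSL client when the requested version is disabled in its own build or configuration, so on its own it says nothing about the server. The following added example (not part of the original tutorial) separates that case from a completed handshake and from a failed one; the function names, verdict strings and abridged sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify `openssl s_client` output (read from stdin) for one forced version.
# Prints one verdict: supported | client-disabled | not-negotiated
classify_s_client() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no protocols available'; then
        # Raised locally in tls_setup_handshake: this OpenSSL build or its
        # configuration has the version disabled. The server was not tested.
        echo client-disabled
    elif printf '%s\n' "$out" | grep -Eq '^(New|Reused), .*Cipher is [^(]'; then
        # A real cipher name means the handshake completed at this version.
        echo supported
    else
        # No cipher negotiated: server alert, reset, or connection failure.
        echo not-negotiated
    fi
}

# probe_tls HOST:PORT FLAG    e.g. probe_tls www.google.com:443 -tls1_2
probe_tls() {
    # 2>&1: the error line goes to stderr and must be classified too.
    echo | openssl s_client "$2" -connect "$1" 2>&1 | classify_s_client
}

# Constructed, abridged sample outputs modelled on the listings above.
SAMPLE_CLIENT_DISABLED='CONNECTED(00000003)
809B94C6BF740000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
---
New, (NONE), Cipher is (NONE)'

SAMPLE_SUPPORTED='CONNECTED(00000003)
depth=0 CN = www.google.com
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Verify return code: 0 (ok)'

SAMPLE_ALERT='CONNECTED(00000003)
0000000000000000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
---
New, (NONE), Cipher is (NONE)'

# Offline demo on the constructed samples.
for s in "$SAMPLE_CLIENT_DISABLED" "$SAMPLE_SUPPORTED" "$SAMPLE_ALERT"; do
    printf '%s\n' "$s" | classify_s_client
done
```

A `client-disabled` verdict means the test has to be repeated with an OpenSSL client that still has that protocol version enabled before drawing any conclusion about the server.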