Checking SSL / TLS version support of a remote server from the command line in Linux.
Method 1: openssl s_client
The simplest way to check support for a given version of SSL / TLS is via openssl s_client. openssl is installed by default on most Unix systems. Each command below forces a single protocol version (-tls1_2, -tls1_1 or -tls1):
openssl s_client -connect www.google.co.uk:443 -tls1_2
openssl s_client -connect www.google.co.uk:443 -tls1_1
openssl s_client -connect www.google.co.uk:443 -tls1
If the protocol is supported you will see the remote host certificate and other information.
Here is sample output for www.bbc.co.uk:
# openssl s_client -connect www.bbc.co.uk:443 -tls1
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = GB, ST = London, L = London, O = British Broadcasting Corporation, CN = *.bbc.co.uk
verify return:1
---
Certificate chain
 0 s:/C=GB/ST=London/L=London/O=British Broadcasting Corporation/CN=*.bbc.co.uk
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=GB/ST=London/L=London/O=British Broadcasting Corporation/CN=*.bbc.co.uk
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3536 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 2FA52934A3A9AB504922B601AB3E69A9DB4BEB8523D85BFECD87E7BE814A44A6
    Session-ID-ctx:
    Master-Key: 437D68A3885E08628EE98E59C2D5858C26CDC355E764CE56DFADC881A5A85AB0DBB178E2BF592CC2A1576A7C78A7939E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1554465108
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed
If the protocol is not supported you’ll see a message like this:
# openssl s_client -connect www.abort-retry-fail.com:443 -tls1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1554465422
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
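As an added example (not part of the original page), the shell functions below decide supported versus unsupported from s_client output by reading the "Cipher is" line, because the failed handshake above still prints "Verify return code: 0 (ok)". The function names classify_handshake and probe, the host www.example.com and the trimmed sample outputs are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original page.

# classify_handshake: read `openssl s_client` output on stdin and print
# "supported <protocol> <cipher>" or "unsupported".
# The "New, ..., Cipher is ..." line decides: a failed handshake reports
# "Cipher is (NONE)" while still printing "Verify return code: 0 (ok)".
classify_handshake() {
    awk '
        /Cipher is /     { cipher = $NF }
        /^ *Protocol *:/ { proto = $NF }
        END {
            if (cipher == "" || cipher == "(NONE)") print "unsupported"
            else print "supported", proto, cipher
        }'
}

# probe HOST:PORT FLAG: run one handshake with a protocol flag such as -tls1_2.
# stdin comes from /dev/null so s_client exits once the handshake is done.
probe() {
    openssl s_client -connect "$1" "$2" </dev/null 2>/dev/null | classify_handshake
}

# Constructed samples, trimmed from the two outputs shown above.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Verify return code: 0 (ok)'
SAMPLE_FAIL='CONNECTED(00000003)
write:errno=104
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_OK"   | classify_handshake   # supported TLSv1 ECDHE-RSA-AES128-SHA
printf '%s\n' "$SAMPLE_FAIL" | classify_handshake   # unsupported

# Live use (needs network), one line per version:
#   for f in -tls1 -tls1_1 -tls1_2; do printf '%s ' "$f"; probe www.example.com:443 "$f"; done
```

A local OpenSSL build or configuration that no longer offers an old protocol version also produces a failed handshake, so confirm an "unsupported" result from a client that can still speak that version.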
Method 2: nmap
Our preferred method. First make sure nmap is installed; if it isn’t, run apt-get install nmap. Once installed, you can check SSL / TLS version support using the ssl-enum-ciphers script, which scans a target and lists all SSL / TLS protocols and ciphers that are available on that server.
nmap --script ssl-enum-ciphers -p 443 www.bbc.co.uk
The ssl-enum-ciphers script will check SSL / TLS version support, cipher support and provide a grade. See sample output below:
# nmap --script ssl-enum-ciphers -p 443 www.bbc.co.uk
Starting Nmap 6.47 ( http://nmap.org ) at 2019-04-05 13:14 BST
Nmap scan report for www.bbc.co.uk (212.58.249.210)
Host is up (0.0038s latency).
Other addresses for www.bbc.co.uk (not scanned): 212.58.244.68
rDNS record for 212.58.249.210: bbc-vip148.lbh.bbc.co.uk
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2: No supported ciphers found
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds
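As an added example (not part of the original page or of nmap itself), the filter below reduces ssl-enum-ciphers output to one line per protocol the server actually offers, with its cipher count. The function name summarise_protocols, the "legacy" label for SSLv2, SSLv3, TLSv1.0 and TLSv1.1, and the shortened sample are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original page.

# summarise_protocols: read ssl-enum-ciphers output on stdin and print
# "<protocol> <cipher count> <legacy|ok>" for each protocol that has ciphers.
# Protocols reported as "No supported ciphers found" are skipped.
summarise_protocols() {
    awk '
        function emit() {
            if (proto != "") {
                legacy = (proto ~ /^SSLv/ || proto == "TLSv1.0" || proto == "TLSv1.1")
                print proto, n, (legacy ? "legacy" : "ok")
            }
            proto = ""; n = 0
        }
        # Protocol header line, e.g. "|   TLSv1.0:"
        /^\|[ _]+(SSLv[0-9]+|TLSv[0-9.]+):/ {
            emit()
            if ($0 !~ /No supported ciphers found/) { proto = $2; sub(/:$/, "", proto) }
            next
        }
        # Cipher line under the current protocol
        proto != "" && /^\|[ _]+(TLS|SSL)_[A-Z0-9_]+/ { n++ }
        END { emit() }'
}

# Constructed sample, shortened from the scan output shown above.
NMAP_SAMPLE='| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2: No supported ciphers found
|_  least strength: strong'

printf '%s\n' "$NMAP_SAMPLE" | summarise_protocols

# Live use (needs network):
#   nmap --script ssl-enum-ciphers -p 443 www.example.com | summarise_protocols
```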