Testing a Server for TLS 1.2/1.3 in Linux

How to Test a Server for TLS 1.2/1.3 Support in Linux

Last updated on | 2 replies

To test a server for TLS 1.2/1.3 support in Linux, try these following methods.

1. openssl

OpenSSL is a full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, and is installed on many distributions of Linux by default.

Run the following command in terminal, replacing google.com with your own domain:

For TLS 1.2:

openssl s_client -connect google.com:443 -tls1_2

For TLS 1.3:

openssl s_client -connect google.com:443 -tls1_3

If you get a certificate chain and handshake like below, you know the server in question supports TLS 1.2/1.3. If you don’t see a certificate chain, and instead something similar to “handshake error”, you know the server does not support TLS 1.2/1.3. You can also test for TLS 1 or TLS 1.1 with -tls1 or -tls1_1 respectively.

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA0nt67i+GAazJs4e+bBSMqB6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA1MjMyMTU5MDBaFw0x
NzA4MjEyMTU5MDBaMBcxFTATBgNVBAMTDGluaXNtZWFpbi5pZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANLrc8IH2BP51XLhR6L2/IjRuNYcoj6UH58K
NzA4MjEyMTU5MDBaMBcxFTATBgNVBAMTDGluaXNtZWFpbi5pZTCCASI.........
dl0=
-----END CERTIFICATE-----
subject=/CN=example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3019 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DF39CB241F6580C6E6570E0E9827D7F8615A71A76359DB4F9D1B9D3AD
    Session-ID-ctx:
    Master-Key: 12E8FF788E15AAA2E95BE35C5864784B90ED5A9AE8352AFE98C7DCADB04E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1502214066
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

2. nmap

Nmap, or Network Mapper, is an open source Linux command line tool for network exploration and security auditing. It is not usually installed by default on Linux distributions, but you can install it by running:

sudo apt install nmap

Once installed, you can test a remote server for TLS support by running:

nmap --script ssl-enum-ciphers -p 443 www.google.com

If TLS is supported, it will return the TLS version along with the ciphers supported.

|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL

3. Testing an Accepted cipher

We can also test for a particular cipher using openssl, in this case we are testing for the cipher ECDHE-RSA-AES256-SHA.

openssl s_client -cipher 'ECDHE-RSA-AES256-SHA' -connect google.com:443

If the cipher is supported, you will see a successful handshake:

CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIISDCCBzCgAwIBAgIIG03GHwUBFTowDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNzI1MDgzOTU5WhcNMTcxMDE3MDgyNzAw
WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
b29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAth5nKIa7
zyhvCvBPB3/WsqypXh/Kw9GUMfEcAm3SPJR8ahlyrqL8dOjoPlEXm2WceHDlMg3z
NDQ1Yuu9eghqXV/KRQuUbljxt/kqZZaL10Tl9E6yW+VQ0UnV9GoXcjz42k5FjBXR
kyYaBWxfmkRi0dlI...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4824 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: D29FD3C45A2FC4FFDD3720974F4C6973E4E4E93D59A3BCC1D9422A2102
    Session-ID-ctx:
    Master-Key: B6BF9E8EA130144B30E95F26B1CCA30E7F405EEB1F8F62EA8AECFDD1BA14AD40277B38C6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 47 24 d0 7b 3a 9c 1d-8b b4 95 29 64 e1 35 bf   .G$.{:.....)d.5.
    0010 - 64 08 1d 07 b4 5a 0b 94-80 89 6c bf 5b 2a 18 34   d....Z....l.[*.4
    0020 - fe 61 8e c1 76 59 a6 55-86 2a 1b ed 06 35 af 65   .a..vY.U.*...5.e
    0030 - 9e 73 19 68 e6 c3 03 d2-ba 59 24 8e 19 e0 57 71   .s.h.....Y$...Wq
    0040 - 18 68 3e 40 aa cc 79 c4-d5 29 3d a2 f0 21 41 e8   .h>@..y..)=..!A.
    0050 - 4f b9 5a 9d 63 a4 7e 01-bf c3 cf 6a c6 1d 76 79   O.Z.c.~....j..vy
    0080 - 3b 5d bd fd 47 61 b2 5a-00 fb b7 29 ca fa b3 90   ;]..Ga.Z...)....
    0090 - 0f e0 b9 00 10 89 c4 31-cc b5 74 4c 21 4e ec ab   .......1..tL!N..
    00a0 - 39 15 fa 9b 1d 4c ea db-a4 c0 86 d1 31 bf 1d 3d   9....L......1..=
    00b0 - 64 ce 74 0f e7 ce 86 71-ef d0 bf b7 44 aa 20 6f   d.t....q....D. o
    00c0 - fc 35 48 c2 b5 6b 71 0d-39 a5 f1 92 0d 1d e7 5e   .5H..kq.9......^
    00d0 - e6 cd e6 0a f3                                    .....

    Start Time: 1502368379
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

4. Online Tools for SSL/TLS Testing

Let me know if this helped. Follow me on Twitter, Facebook and YouTube, or 🍊 buy me a smoothie.

2 replies

Leave a reply

Your email address will not be published. Required fields are marked *