How to check TLS version intolerance on a terminal for a remote website?
Using openssl or without it!
How to check TLS version intolerance on a terminal for a remote website?
Using openssl or without it!
If you can install python and scapy you can use the tolerantls command-line utility to check for TLS version intolerance.
Usage is quite straight-forward, e.g.:
$ tolerantls.py --host example.com
[*] Testing TLS version intolerance against example.com:443
[+] Server is not intolerant - it downgraded the client request and proposed to use TLS_1_2
I found Mozilla's Cipherscan a great tool for this and other TLS related testing.
All you need to do is
./cipherscan remote_site_to_test
It output information related to cihersuite, ordering, OCSP stapling, etc.
The related sample output for TLS intolerance looks like below :
Intolerance to:
SSL 3.254 : absent
TLS 1.0 : PRESENT
TLS 1.1 : PRESENT
TLS 1.2 : absent
TLS 1.3 : absent
TLS 1.4 : absent
You can do this as you suggested with OpenSSL
by selectively removing supported TLS
version:
openssl s_client -connect google.com:443 -no_tls1_2 -no_tls1_1 -no_tls1
This example will deactivate TLS
versions: 1.2/1.1/1.0
. Leaving only the choice of ssl3
and ssl2
. It also fails because the server doesn't support neither of the remaining choices.
List of options from the manual:
-no-tls1_2
-no-tls1_1
-no-tls1
-no-ssl3
-no-ssl2