
I want to disable TLS 1.0 on my server while only keeping TLS 1.1 and TLS 1.2 enabled. I've made the necessary adjustments (I think). How can I check that TLS 1.0 is indeed disabled?

Kritz
  • If you first validate that TLS 1.0 works, then flip a single setting which explicitly says that it disables TLS 1.0 (i.e. restriction by protocol version, not ciphers) and then the previously successful check for TLS 1.0 fails, then you most likely changed the correct setting. But if you cannot verify this way that the documented setting results in the expected behavior and just want to make really sure that some arbitrary server has TLS 1.0 disabled, then it gets far more complicated. – Steffen Ullrich Oct 03 '18 at 08:13
  • I found this site https://globalsign.ssllabs.com/ – Kritz Oct 04 '18 at 08:06
  • This is just a branded version of the well-known [ssllabs server test](https://www.ssllabs.com/ssltest/) which works usually well if you have a public server (you did not say so) which is speaking HTTPS (you did not say this either, might have been a mail server or whatever). But, it only shows you which protocol works with the kind of test they do. They don't show which protocols do not work for the kind of tests they don't do - i.e. they show what protocols are definitely enabled but they cannot say for sure which are definitely disabled. – Steffen Ullrich Oct 04 '18 at 08:32

1 Answer


You can use OpenSSL to check that easily:

openssl s_client -connect www.myhost.something:443 -tls1

If that succeeds, TLS version 1.0 is enabled.

Stephane
  • *"If that succeeds, TLS version 1.0 is enabled."* - but if this fails it does not mean that TLS 1.0 is disabled. It might just be that there are no shared ciphers, that the server requires a client certificate, that the server requires SNI ... . The OP did not ask how to make sure TLS 1.0 is enabled, he asked how to make sure it is disabled. – Steffen Ullrich Oct 03 '18 at 06:54
  • @SteffenUllrich Then check if TLS 1.1 works afterward: if it does, then it can't very well be a cipher negotiation check. The result of OpenSSL will contain all the necessary info to infer the cause of the failure. As for the client cert, the OP knows this and can adjust the command to his need. – Stephane Oct 03 '18 at 08:14
  • Yes, something like this kind of double check is needed. Like I said in my comment to the question which I wrote at the same time as you wrote your comment: Best make sure that TLS 1.0 works, then flip the switch (change setting...) that explicitly says that it will disable TLS 1.0 protocol version, and then check again that TLS 1.0 does not work any more. If the first check for TLS 1.0 succeeds and the second fails one has most likely changed the relevant setting. – Steffen Ullrich Oct 03 '18 at 08:24
  • You can also use `https://www.ssllabs.com/ssltest/` – francis Mar 19 '21 at 05:16