How can I verify if TLS 1.2 is supported on a remote web server from the RHEL/CentOS shell?

Question

I'm on CentOS 5.9.

I'd like to determine from the linux shell if a remote web server specifically supports TLS 1.2 (as opposed to TLS 1.0). Is there an easy way to check for that?

I'm not seeing a related option on openssl but perhaps I'm overlooking something.

score 212 · Accepted Answer · answered Oct 21 '14 at 20:48

212

You should use openssl s_client, and the option you are looking for is -tls1_2.

An example command would be:

openssl s_client -connect google.com:443 -tls1_2

If you get the certificate chain and the handshake you know the system in question supports TLS 1.2. If you see don't see the certificate chain, and something similar to "handshake error" you know it does not support TLS 1.2. You can also test for TLS 1 or TLS 1.1 with -tls1 or tls1_1 respectively.

answered Oct 21 '14 at 20:48

Jacob

9,114
4
44
56

8

And keep in mind that you'll have to use a version of OpenSSL which does TLS 1.2, and that means CentOS 5 is right out. – Michael Hampton Oct 21 '14 at 20:49
14

Does not work on Mac OS X 10.11 – Quanlong Aug 21 '15 at 07:33
Michael Hampton, only OOB setups: [me@server][~] cat /etc/redhat-release CentOS release 5.11 (Final) [me@server][~] openssl version OpenSSL 1.0.2d 9 Jul 2015 ;) – Kevin_Kinsey Aug 25 '15 at 13:39
12

@Quanlong homebrew has openssl v1.0.2. Install it then run it with `/usr/local/Cellar/openssl/1.0.2d_1/bin/openssl s_client -connect google.com:443 -tls1_2` – Xiao Aug 28 '15 at 02:46
6

It works fine after `brew upgrade openssl` – Quanlong Aug 28 '15 at 05:26
Worked as per expectation on OpenSuse Tumbleweed. Thanks – Abrar Hossain Feb 18 '19 at 11:10
See also this very good answer to similar question: https://security.stackexchange.com/a/169738/60157 – Mariano Paniga Feb 17 '20 at 10:50

score 113 · Answer 2 · answered Oct 21 '14 at 20:52

Also you can list all supported ciphers using:

nmap --script ssl-enum-ciphers -p 443 www.example.com

And then check the output. If it's supported you'll get something like this:

|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL

Got a really hard time trying to make this third party script work. Wrote mine for people interested : [here](https://github.com/xlucas/ssl-inspector). — Xavier Lucas, Nov 01 '14 at 23:46
As on date, nmap doesn’t support TLS1.3, so this command will not help if you want to check for TLS1.3 availability on the web server side. Otherwise for upto version 1.2 , this solution is working fine. — Gaurav Kansal, May 01 '20 at 15:11
I'm not an expert with nmap, but I think you should probably use `-Pn`, in case the server isn't pingable. — mwfearnley, Aug 31 '22 at 14:43

How can I verify if TLS 1.2 is supported on a remote web server from the RHEL/CentOS shell?

2 Answers2

Linked