Difference between revisions of "tls version check"
From thelinuxwiki
(Created page with "openssl can perform this check. nmap is supposed to, but it didn't work consistently for me. command $ openssl s_client -connect <ipaddr | hostname>:port_number < -tls1 | -t...") |
|||
| Line 9: | Line 9: | ||
''' $ openssl s_client -connect 192.168.1.3:443 -tls1''' | ''' $ openssl s_client -connect 192.168.1.3:443 -tls1''' | ||
| − | CONNECTED(00000003) | + | CONNECTED(00000003) |
| − | depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name | + | depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name |
| − | verify error:num=18:self signed certificate | + | verify error:num=18:self signed certificate |
| − | verify return:1 | + | verify return:1 |
| − | depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name | + | depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name |
| − | verify return:1 | + | verify return:1 |
| − | --- | + | --- |
| − | Certificate chain | + | Certificate chain |
| − | + | 0 s:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name | |
| − | + | i:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name | |
| − | --- | + | --- |
| − | Server certificate | + | Server certificate |
| − | -----BEGIN CERTIFICATE----- | + | -----BEGIN CERTIFICATE----- |
| − | MIIEdDCCA1ygAwIBAgIJAIRIxi4jQSXsMA0GCSqGSIb3DQEBBQUAMIGCMSEwHwYD | + | MIIEdDCCA1ygAwIBAgIJAIRIxi4jQSXsMA0GCSqGSIb3DQEBBQUAMIGCMSEwHwYD |
| − | VQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0eSkxFjAUBgNVBAMTDTE5Mi4xNjgu | + | VQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0eSkxFjAUBgNVBAMTDTE5Mi4xNjgu |
| − | MTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxJzAlBgkqhkiG9w0B | + | MTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxJzAlBgkqhkiG9w0B |
| − | CQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFtZTAeFw0xNDA3MjQwMTEwMDVaFw0y | + | CQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFtZTAeFw0xNDA3MjQwMTEwMDVaFw0y |
| − | NDA3MjMwMTEwMDVaMIGCMSEwHwYDVQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0 | + | NDA3MjMwMTEwMDVaMIGCMSEwHwYDVQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0 |
| − | eSkxFjAUBgNVBAMTDTE5Mi4xNjguMTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWls | + | eSkxFjAUBgNVBAMTDTE5Mi4xNjguMTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWls |
| − | IEFkZHJlc3MxJzAlBgkqhkiG9w0BCQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFt | + | IEFkZHJlc3MxJzAlBgkqhkiG9w0BCQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFt |
| − | ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJxy/ELs++e3M5QX1// | + | ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJxy/ELs++e3M5QX1// |
| − | kwg2+TTouuNXycmtL8teHwrJM5xS7v5Mn/6uk8PJUEd8X8WvRH1Zn5+7QweWgAOb | + | kwg2+TTouuNXycmtL8teHwrJM5xS7v5Mn/6uk8PJUEd8X8WvRH1Zn5+7QweWgAOb |
| − | w4es+CjZ5x3FIk/m5+Z79XzpjC2dRRASDKbZpwcMSi3DolAVKDFX29MfccTJ6RLl | + | w4es+CjZ5x3FIk/m5+Z79XzpjC2dRRASDKbZpwcMSi3DolAVKDFX29MfccTJ6RLl |
| − | I664+glqVlK6vm38YzK0rCGUd61U5pjg2J2UZ3ADorOdtSoPILii1NjNEsOOTzHq | + | I664+glqVlK6vm38YzK0rCGUd61U5pjg2J2UZ3ADorOdtSoPILii1NjNEsOOTzHq |
| − | Rwx+KH8IYXeCHB+0jH50XDk+x5gQxqGQbkNqQadHzIJ/OEFpwzsQpsVziUQJBTBO | + | Rwx+KH8IYXeCHB+0jH50XDk+x5gQxqGQbkNqQadHzIJ/OEFpwzsQpsVziUQJBTBO |
| − | j3oJcPcqWQfXB3sufPN2A2WWHi0LIxkrYZ+5fcuWdaf1c2RIZqruSlQXibBB/3kW | + | j3oJcPcqWQfXB3sufPN2A2WWHi0LIxkrYZ+5fcuWdaf1c2RIZqruSlQXibBB/3kW |
| − | QTcCAwEAAaOB6jCB5zAdBgNVHQ4EFgQUwMZNiiFo3+m329ALRB0VA26jqkwwgbcG | + | QTcCAwEAAaOB6jCB5zAdBgNVHQ4EFgQUwMZNiiFo3+m329ALRB0VA26jqkwwgbcG |
| − | A1UdIwSBrzCBrIAUwMZNiiFo3+m329ALRB0VA26jqkyhgYikgYUwgYIxITAfBgNV | + | A1UdIwSBrzCBrIAUwMZNiiFo3+m329ALRB0VA26jqkyhgYikgYUwgYIxITAfBgNV |
| − | BAcTGExvY2FsaXR5IE5hbWUgKGVnLCBjaXR5KTEWMBQGA1UEAxMNMTkyLjE2OC4x | + | BAcTGExvY2FsaXR5IE5hbWUgKGVnLCBjaXR5KTEWMBQGA1UEAxMNMTkyLjE2OC4x |
| − | NzUuMzEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVzczEnMCUGCSqGSIb3DQEJ | + | NzUuMzEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVzczEnMCUGCSqGSIb3DQEJ |
| − | AhMYQW4gb3B0aW9uYWwgY29tcGFueSBuYW1lggkAhEjGLiNBJewwDAYDVR0TBAUw | + | AhMYQW4gb3B0aW9uYWwgY29tcGFueSBuYW1lggkAhEjGLiNBJewwDAYDVR0TBAUw |
| − | AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAGpqr0C2rIZG+RE+7U4oTgrC/0lDgLlvu | + | AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAGpqr0C2rIZG+RE+7U4oTgrC/0lDgLlvu |
| − | 9NFkjlhqpeApXaX0F+r8p2cw7ZbC+JoqdfbKQKHV/rVLvAXk1dYY/ZW9tQ+Uc8zz | + | 9NFkjlhqpeApXaX0F+r8p2cw7ZbC+JoqdfbKQKHV/rVLvAXk1dYY/ZW9tQ+Uc8zz |
| − | AVXNQng8WPHnQnfuGeeotrQ8DM8ttMssy+bgx997Taml8FNjO4BdDhNU1gJBgeKJ | + | AVXNQng8WPHnQnfuGeeotrQ8DM8ttMssy+bgx997Taml8FNjO4BdDhNU1gJBgeKJ |
| − | VpnmJSMN7gxyjkypNwZHd6ngHDh3Xpfz8F5pvkmpXWIolGVSHU+L+Qm1YC81g/0T | + | VpnmJSMN7gxyjkypNwZHd6ngHDh3Xpfz8F5pvkmpXWIolGVSHU+L+Qm1YC81g/0T |
| − | r5z2xomS2F5QHE2XyctgQwyr6C1GLkcYF+4NmAKlTGxkKG7DftZNsltDLm8xiWy5 | + | r5z2xomS2F5QHE2XyctgQwyr6C1GLkcYF+4NmAKlTGxkKG7DftZNsltDLm8xiWy5 |
| − | dxpVcJgMye60p7pxBQh/6tbybUdsxpE0/jT3Z5QBoMYwLR6b4dqPzg== | + | dxpVcJgMye60p7pxBQh/6tbybUdsxpE0/jT3Z5QBoMYwLR6b4dqPzg== |
| − | -----END CERTIFICATE----- | + | -----END CERTIFICATE----- |
| − | subject=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name | + | subject=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name |
| − | issuer=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name | + | issuer=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name |
| − | --- | + | --- |
| − | No client certificate CA names sent | + | No client certificate CA names sent |
| − | Server Temp Key: DH, 1024 bits | + | Server Temp Key: DH, 1024 bits |
| − | --- | + | --- |
| − | SSL handshake has read 1836 bytes and written 300 bytes | + | SSL handshake has read 1836 bytes and written 300 bytes |
| − | Verification error: self signed certificate | + | Verification error: self signed certificate |
| − | --- | + | --- |
| − | New, SSLv3, Cipher is DHE-RSA-AES256-SHA | + | New, SSLv3, Cipher is DHE-RSA-AES256-SHA |
| − | Server public key is 2048 bit | + | Server public key is 2048 bit |
| − | Secure Renegotiation IS NOT supported | + | Secure Renegotiation IS NOT supported |
| − | Compression: NONE | + | Compression: NONE |
| − | Expansion: NONE | + | Expansion: NONE |
| − | No ALPN negotiated | + | No ALPN negotiated |
| − | SSL-Session: | + | SSL-Session: |
Protocol : TLSv1 | Protocol : TLSv1 | ||
Cipher : DHE-RSA-AES256-SHA | Cipher : DHE-RSA-AES256-SHA | ||
| Line 75: | Line 75: | ||
Verify return code: 18 (self signed certificate) | Verify return code: 18 (self signed certificate) | ||
Extended master secret: no | Extended master secret: no | ||
| − | --- | + | --- |
| − | closed | + | closed |
example of server NOT supporting tls 1.1 | example of server NOT supporting tls 1.1 | ||
$openssl s_client -connect 192.168.1.3:443 -tls1_1 | $openssl s_client -connect 192.168.1.3:443 -tls1_1 | ||
| − | CONNECTED(00000003) | + | CONNECTED(00000003) |
| − | 139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932: | + | 139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932: |
| − | --- | + | --- |
| − | no peer certificate available | + | no peer certificate available |
| − | --- | + | --- |
| − | No client certificate CA names sent | + | No client certificate CA names sent |
| − | --- | + | --- |
| − | SSL handshake has read 79 bytes and written 109 bytes | + | SSL handshake has read 79 bytes and written 109 bytes |
| − | Verification: OK | + | Verification: OK |
| − | --- | + | --- |
| − | New, (NONE), Cipher is (NONE) | + | New, (NONE), Cipher is (NONE) |
| − | Secure Renegotiation IS NOT supported | + | Secure Renegotiation IS NOT supported |
| − | Compression: NONE | + | Compression: NONE |
| − | Expansion: NONE | + | Expansion: NONE |
| − | No ALPN negotiated | + | No ALPN negotiated |
| − | SSL-Session: | + | SSL-Session: |
| − | + | Protocol : TLSv1.1 | |
| − | + | Cipher : 0000 | |
Session-ID: | Session-ID: | ||
Session-ID-ctx: | Session-ID-ctx: | ||
| Line 109: | Line 109: | ||
Verify return code: 0 (ok) | Verify return code: 0 (ok) | ||
Extended master secret: no | Extended master secret: no | ||
| − | --- | + | --- |
[[category:webserver]] | [[category:webserver]] | ||
Revision as of 05:47, 12 April 2019
openssl can perform this check. nmap is supposed to, but it didn't work consistently for me.
command
$ openssl s_client -connect <ipaddr | hostname>:port_number < -tls1 | -tls1_1 | -tls1_2 >
if you get stuff back from the openssl command like a cert, the cipher and session-ID... then the target servers supports the version of TLS specified. if not, then it doesn't.
example of server supporting tls 1.0
$ openssl s_client -connect 192.168.1.3:443 -tls1
CONNECTED(00000003) depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name verify error:num=18:self signed certificate verify return:1 depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name verify return:1 --- Certificate chain 0 s:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name i:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name --- Server certificate -----BEGIN CERTIFICATE----- MIIEdDCCA1ygAwIBAgIJAIRIxi4jQSXsMA0GCSqGSIb3DQEBBQUAMIGCMSEwHwYD VQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0eSkxFjAUBgNVBAMTDTE5Mi4xNjgu MTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxJzAlBgkqhkiG9w0B CQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFtZTAeFw0xNDA3MjQwMTEwMDVaFw0y NDA3MjMwMTEwMDVaMIGCMSEwHwYDVQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0 eSkxFjAUBgNVBAMTDTE5Mi4xNjguMTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWls IEFkZHJlc3MxJzAlBgkqhkiG9w0BCQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFt ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJxy/ELs++e3M5QX1// kwg2+TTouuNXycmtL8teHwrJM5xS7v5Mn/6uk8PJUEd8X8WvRH1Zn5+7QweWgAOb w4es+CjZ5x3FIk/m5+Z79XzpjC2dRRASDKbZpwcMSi3DolAVKDFX29MfccTJ6RLl I664+glqVlK6vm38YzK0rCGUd61U5pjg2J2UZ3ADorOdtSoPILii1NjNEsOOTzHq Rwx+KH8IYXeCHB+0jH50XDk+x5gQxqGQbkNqQadHzIJ/OEFpwzsQpsVziUQJBTBO j3oJcPcqWQfXB3sufPN2A2WWHi0LIxkrYZ+5fcuWdaf1c2RIZqruSlQXibBB/3kW QTcCAwEAAaOB6jCB5zAdBgNVHQ4EFgQUwMZNiiFo3+m329ALRB0VA26jqkwwgbcG A1UdIwSBrzCBrIAUwMZNiiFo3+m329ALRB0VA26jqkyhgYikgYUwgYIxITAfBgNV BAcTGExvY2FsaXR5IE5hbWUgKGVnLCBjaXR5KTEWMBQGA1UEAxMNMTkyLjE2OC4x NzUuMzEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVzczEnMCUGCSqGSIb3DQEJ AhMYQW4gb3B0aW9uYWwgY29tcGFueSBuYW1lggkAhEjGLiNBJewwDAYDVR0TBAUw AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAGpqr0C2rIZG+RE+7U4oTgrC/0lDgLlvu 9NFkjlhqpeApXaX0F+r8p2cw7ZbC+JoqdfbKQKHV/rVLvAXk1dYY/ZW9tQ+Uc8zz AVXNQng8WPHnQnfuGeeotrQ8DM8ttMssy+bgx997Taml8FNjO4BdDhNU1gJBgeKJ VpnmJSMN7gxyjkypNwZHd6ngHDh3Xpfz8F5pvkmpXWIolGVSHU+L+Qm1YC81g/0T r5z2xomS2F5QHE2XyctgQwyr6C1GLkcYF+4NmAKlTGxkKG7DftZNsltDLm8xiWy5 dxpVcJgMye60p7pxBQh/6tbybUdsxpE0/jT3Z5QBoMYwLR6b4dqPzg== -----END CERTIFICATE----- subject=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name issuer=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name --- No client certificate CA names sent Server Temp Key: DH, 1024 bits --- SSL handshake has read 1836 bytes and written 300 bytes Verification error: self signed certificate --- New, SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: FD434D881FC22619712B21C9441BA070EB5C58E46B3AACAC2C7F308F715D8CA9 Session-ID-ctx: Master-Key: 8C578CA3C98E7D50AEE9E6B5BA4D7B52A23EF3EC994AC3769BEB27AE8A46C299C2B2C4A7A948E3544F9A7C43C39C05B6 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1555044175 Timeout : 7200 (sec) Verify return code: 18 (self signed certificate) Extended master secret: no --- closed
example of server NOT supporting tls 1.1
$openssl s_client -connect 192.168.1.3:443 -tls1_1
CONNECTED(00000003)
139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 79 bytes and written 109 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1555043268
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
