Difference between revisions of "tls version check"

From thelinuxwiki
Jump to: navigation, search
(Created page with "openssl can perform this check. nmap is supposed to, but it didn't work consistently for me. command $ openssl s_client -connect <ipaddr | hostname>:port_number < -tls1 | -t...")
 
 
(One intermediate revision by one user not shown)
Line 8: Line 8:
 
example of server supporting tls 1.0
 
example of server supporting tls 1.0
  
''' $ openssl s_client -connect 192.168.1.3:443 -tls1'''
+
'''$ openssl s_client -connect 192.168.1.3:443 -tls1'''
CONNECTED(00000003)
+
CONNECTED(00000003)
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
+
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
verify error:num=18:self signed certificate
+
verify error:num=18:self signed certificate
verify return:1
+
verify return:1
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
+
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
verify return:1
+
verify return:1
---
+
---
Certificate chain
+
Certificate chain
0 s:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
+
  0 s:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
  i:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
+
    i:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
---
+
---
Server certificate
+
Server certificate
-----BEGIN CERTIFICATE-----
+
-----BEGIN CERTIFICATE-----
MIIEdDCCA1ygAwIBAgIJAIRIxi4jQSXsMA0GCSqGSIb3DQEBBQUAMIGCMSEwHwYD
+
MIIEdDCCA1ygAwIBAgIJAIRIxi4jQSXsMA0GCSqGSIb3DQEBBQUAMIGCMSEwHwYD
VQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0eSkxFjAUBgNVBAMTDTE5Mi4xNjgu
+
VQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0eSkxFjAUBgNVBAMTDTE5Mi4xNjgu
MTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxJzAlBgkqhkiG9w0B
+
MTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxJzAlBgkqhkiG9w0B
CQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFtZTAeFw0xNDA3MjQwMTEwMDVaFw0y
+
CQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFtZTAeFw0xNDA3MjQwMTEwMDVaFw0y
NDA3MjMwMTEwMDVaMIGCMSEwHwYDVQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0
+
NDA3MjMwMTEwMDVaMIGCMSEwHwYDVQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0
eSkxFjAUBgNVBAMTDTE5Mi4xNjguMTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWls
+
eSkxFjAUBgNVBAMTDTE5Mi4xNjguMTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWls
IEFkZHJlc3MxJzAlBgkqhkiG9w0BCQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFt
+
IEFkZHJlc3MxJzAlBgkqhkiG9w0BCQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFt
ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJxy/ELs++e3M5QX1//
+
ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJxy/ELs++e3M5QX1//
kwg2+TTouuNXycmtL8teHwrJM5xS7v5Mn/6uk8PJUEd8X8WvRH1Zn5+7QweWgAOb
+
kwg2+TTouuNXycmtL8teHwrJM5xS7v5Mn/6uk8PJUEd8X8WvRH1Zn5+7QweWgAOb
w4es+CjZ5x3FIk/m5+Z79XzpjC2dRRASDKbZpwcMSi3DolAVKDFX29MfccTJ6RLl
+
w4es+CjZ5x3FIk/m5+Z79XzpjC2dRRASDKbZpwcMSi3DolAVKDFX29MfccTJ6RLl
I664+glqVlK6vm38YzK0rCGUd61U5pjg2J2UZ3ADorOdtSoPILii1NjNEsOOTzHq
+
I664+glqVlK6vm38YzK0rCGUd61U5pjg2J2UZ3ADorOdtSoPILii1NjNEsOOTzHq
Rwx+KH8IYXeCHB+0jH50XDk+x5gQxqGQbkNqQadHzIJ/OEFpwzsQpsVziUQJBTBO
+
Rwx+KH8IYXeCHB+0jH50XDk+x5gQxqGQbkNqQadHzIJ/OEFpwzsQpsVziUQJBTBO
j3oJcPcqWQfXB3sufPN2A2WWHi0LIxkrYZ+5fcuWdaf1c2RIZqruSlQXibBB/3kW
+
j3oJcPcqWQfXB3sufPN2A2WWHi0LIxkrYZ+5fcuWdaf1c2RIZqruSlQXibBB/3kW
QTcCAwEAAaOB6jCB5zAdBgNVHQ4EFgQUwMZNiiFo3+m329ALRB0VA26jqkwwgbcG
+
QTcCAwEAAaOB6jCB5zAdBgNVHQ4EFgQUwMZNiiFo3+m329ALRB0VA26jqkwwgbcG
A1UdIwSBrzCBrIAUwMZNiiFo3+m329ALRB0VA26jqkyhgYikgYUwgYIxITAfBgNV
+
A1UdIwSBrzCBrIAUwMZNiiFo3+m329ALRB0VA26jqkyhgYikgYUwgYIxITAfBgNV
BAcTGExvY2FsaXR5IE5hbWUgKGVnLCBjaXR5KTEWMBQGA1UEAxMNMTkyLjE2OC4x
+
BAcTGExvY2FsaXR5IE5hbWUgKGVnLCBjaXR5KTEWMBQGA1UEAxMNMTkyLjE2OC4x
NzUuMzEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVzczEnMCUGCSqGSIb3DQEJ
+
NzUuMzEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVzczEnMCUGCSqGSIb3DQEJ
AhMYQW4gb3B0aW9uYWwgY29tcGFueSBuYW1lggkAhEjGLiNBJewwDAYDVR0TBAUw
+
AhMYQW4gb3B0aW9uYWwgY29tcGFueSBuYW1lggkAhEjGLiNBJewwDAYDVR0TBAUw
AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAGpqr0C2rIZG+RE+7U4oTgrC/0lDgLlvu
+
AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAGpqr0C2rIZG+RE+7U4oTgrC/0lDgLlvu
9NFkjlhqpeApXaX0F+r8p2cw7ZbC+JoqdfbKQKHV/rVLvAXk1dYY/ZW9tQ+Uc8zz
+
9NFkjlhqpeApXaX0F+r8p2cw7ZbC+JoqdfbKQKHV/rVLvAXk1dYY/ZW9tQ+Uc8zz
AVXNQng8WPHnQnfuGeeotrQ8DM8ttMssy+bgx997Taml8FNjO4BdDhNU1gJBgeKJ
+
AVXNQng8WPHnQnfuGeeotrQ8DM8ttMssy+bgx997Taml8FNjO4BdDhNU1gJBgeKJ
VpnmJSMN7gxyjkypNwZHd6ngHDh3Xpfz8F5pvkmpXWIolGVSHU+L+Qm1YC81g/0T
+
VpnmJSMN7gxyjkypNwZHd6ngHDh3Xpfz8F5pvkmpXWIolGVSHU+L+Qm1YC81g/0T
r5z2xomS2F5QHE2XyctgQwyr6C1GLkcYF+4NmAKlTGxkKG7DftZNsltDLm8xiWy5
+
r5z2xomS2F5QHE2XyctgQwyr6C1GLkcYF+4NmAKlTGxkKG7DftZNsltDLm8xiWy5
dxpVcJgMye60p7pxBQh/6tbybUdsxpE0/jT3Z5QBoMYwLR6b4dqPzg==
+
dxpVcJgMye60p7pxBQh/6tbybUdsxpE0/jT3Z5QBoMYwLR6b4dqPzg==
-----END CERTIFICATE-----
+
-----END CERTIFICATE-----
subject=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
+
subject=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
issuer=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
+
issuer=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
---
+
---
No client certificate CA names sent
+
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
+
Server Temp Key: DH, 1024 bits
---
+
---
SSL handshake has read 1836 bytes and written 300 bytes
+
SSL handshake has read 1836 bytes and written 300 bytes
Verification error: self signed certificate
+
Verification error: self signed certificate
---
+
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
+
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
+
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
+
Secure Renegotiation IS NOT supported
Compression: NONE
+
Compression: NONE
Expansion: NONE
+
Expansion: NONE
No ALPN negotiated
+
No ALPN negotiated
SSL-Session:
+
SSL-Session:
 
     Protocol  : TLSv1
 
     Protocol  : TLSv1
 
     Cipher    : DHE-RSA-AES256-SHA
 
     Cipher    : DHE-RSA-AES256-SHA
Line 75: Line 75:
 
     Verify return code: 18 (self signed certificate)
 
     Verify return code: 18 (self signed certificate)
 
     Extended master secret: no
 
     Extended master secret: no
---
+
---
closed
+
closed
  
 
example of server NOT supporting tls 1.1
 
example of server NOT supporting tls 1.1
  
  $openssl s_client -connect 192.168.1.3:443 -tls1_1
+
  '''$ openssl s_client -connect 192.168.1.3:443 -tls1_1'''
CONNECTED(00000003)
+
CONNECTED(00000003)
139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932:
+
139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932:
---
+
---
no peer certificate available
+
no peer certificate available
---
+
---
No client certificate CA names sent
+
No client certificate CA names sent
---
+
---
SSL handshake has read 79 bytes and written 109 bytes
+
SSL handshake has read 79 bytes and written 109 bytes
Verification: OK
+
Verification: OK
---
+
---
New, (NONE), Cipher is (NONE)
+
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
+
Secure Renegotiation IS NOT supported
Compression: NONE
+
Compression: NONE
Expansion: NONE
+
Expansion: NONE
No ALPN negotiated
+
No ALPN negotiated
SSL-Session:
+
SSL-Session:
    Protocol  : TLSv1.1
+
    Protocol  : TLSv1.1
    Cipher    : 0000
+
    Cipher    : 0000
 
     Session-ID:  
 
     Session-ID:  
 
     Session-ID-ctx:  
 
     Session-ID-ctx:  
Line 109: Line 109:
 
     Verify return code: 0 (ok)
 
     Verify return code: 0 (ok)
 
     Extended master secret: no
 
     Extended master secret: no
---
+
---
  
 
[[category:webserver]]
 
[[category:webserver]]

Latest revision as of 05:47, 12 April 2019

openssl can perform this check. nmap is supposed to, but it didn't work consistently for me.

command

$ openssl s_client -connect <ipaddr | hostname>:port_number < -tls1 | -tls1_1 | -tls1_2 >
if you get stuff back from the openssl command like a cert, the cipher and session-ID... then the target servers supports the version of TLS specified. if not, then it doesn't. 

example of server supporting tls 1.0

$ openssl s_client -connect 192.168.1.3:443 -tls1
CONNECTED(00000003)
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
verify error:num=18:self signed certificate
verify return:1
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
verify return:1
---
Certificate chain
 0 s:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
   i:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEdDCCA1ygAwIBAgIJAIRIxi4jQSXsMA0GCSqGSIb3DQEBBQUAMIGCMSEwHwYD
VQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0eSkxFjAUBgNVBAMTDTE5Mi4xNjgu
MTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxJzAlBgkqhkiG9w0B
CQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFtZTAeFw0xNDA3MjQwMTEwMDVaFw0y
NDA3MjMwMTEwMDVaMIGCMSEwHwYDVQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0
eSkxFjAUBgNVBAMTDTE5Mi4xNjguMTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWls
IEFkZHJlc3MxJzAlBgkqhkiG9w0BCQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFt
ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJxy/ELs++e3M5QX1//
kwg2+TTouuNXycmtL8teHwrJM5xS7v5Mn/6uk8PJUEd8X8WvRH1Zn5+7QweWgAOb
w4es+CjZ5x3FIk/m5+Z79XzpjC2dRRASDKbZpwcMSi3DolAVKDFX29MfccTJ6RLl
I664+glqVlK6vm38YzK0rCGUd61U5pjg2J2UZ3ADorOdtSoPILii1NjNEsOOTzHq
Rwx+KH8IYXeCHB+0jH50XDk+x5gQxqGQbkNqQadHzIJ/OEFpwzsQpsVziUQJBTBO
j3oJcPcqWQfXB3sufPN2A2WWHi0LIxkrYZ+5fcuWdaf1c2RIZqruSlQXibBB/3kW
QTcCAwEAAaOB6jCB5zAdBgNVHQ4EFgQUwMZNiiFo3+m329ALRB0VA26jqkwwgbcG
A1UdIwSBrzCBrIAUwMZNiiFo3+m329ALRB0VA26jqkyhgYikgYUwgYIxITAfBgNV
BAcTGExvY2FsaXR5IE5hbWUgKGVnLCBjaXR5KTEWMBQGA1UEAxMNMTkyLjE2OC4x
NzUuMzEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVzczEnMCUGCSqGSIb3DQEJ
AhMYQW4gb3B0aW9uYWwgY29tcGFueSBuYW1lggkAhEjGLiNBJewwDAYDVR0TBAUw
AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAGpqr0C2rIZG+RE+7U4oTgrC/0lDgLlvu
9NFkjlhqpeApXaX0F+r8p2cw7ZbC+JoqdfbKQKHV/rVLvAXk1dYY/ZW9tQ+Uc8zz
AVXNQng8WPHnQnfuGeeotrQ8DM8ttMssy+bgx997Taml8FNjO4BdDhNU1gJBgeKJ
VpnmJSMN7gxyjkypNwZHd6ngHDh3Xpfz8F5pvkmpXWIolGVSHU+L+Qm1YC81g/0T
r5z2xomS2F5QHE2XyctgQwyr6C1GLkcYF+4NmAKlTGxkKG7DftZNsltDLm8xiWy5
dxpVcJgMye60p7pxBQh/6tbybUdsxpE0/jT3Z5QBoMYwLR6b4dqPzg==
-----END CERTIFICATE-----
subject=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
issuer=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1836 bytes and written 300 bytes
Verification error: self signed certificate
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
   Protocol  : TLSv1
   Cipher    : DHE-RSA-AES256-SHA
   Session-ID: FD434D881FC22619712B21C9441BA070EB5C58E46B3AACAC2C7F308F715D8CA9
   Session-ID-ctx: 
   Master-Key: 8C578CA3C98E7D50AEE9E6B5BA4D7B52A23EF3EC994AC3769BEB27AE8A46C299C2B2C4A7A948E3544F9A7C43C39C05B6
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1555044175
   Timeout   : 7200 (sec)
   Verify return code: 18 (self signed certificate)
   Extended master secret: no
---
closed

example of server NOT supporting tls 1.1

$ openssl s_client -connect 192.168.1.3:443 -tls1_1
CONNECTED(00000003)
139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 79 bytes and written 109 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
   Session-ID: 
   Session-ID-ctx: 
   Master-Key: 
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1555043268
   Timeout   : 7200 (sec)
   Verify return code: 0 (ok)
   Extended master secret: no
---