Difference between revisions of "tls version check"
From thelinuxwiki
Latest revision as of 05:47, 12 April 2019
openssl can perform this check. nmap is supposed to, but it didn't work consistently for me.
command
$ openssl s_client -connect <ipaddr | hostname>:port_number < -tls1 | -tls1_1 | -tls1_2 >
If the openssl command returns a certificate, a negotiated cipher and a Session-ID, the target server supports the TLS version you specified. If instead the handshake fails (for example with a "version too low" error and "Cipher is (NONE)"), it doesn't.
example of server supporting tls 1.0
$ openssl s_client -connect 192.168.1.3:443 -tls1
CONNECTED(00000003)
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
verify error:num=18:self signed certificate
verify return:1
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
verify return:1
---
Certificate chain
 0 s:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
   i:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEdDCCA1ygAwIBAgIJAIRIxi4jQSXsMA0GCSqGSIb3DQEBBQUAMIGCMSEwHwYD
VQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0eSkxFjAUBgNVBAMTDTE5Mi4xNjgu
MTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxJzAlBgkqhkiG9w0B
CQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFtZTAeFw0xNDA3MjQwMTEwMDVaFw0y
NDA3MjMwMTEwMDVaMIGCMSEwHwYDVQQHExhMb2NhbGl0eSBOYW1lIChlZywgY2l0
eSkxFjAUBgNVBAMTDTE5Mi4xNjguMTc1LjMxHDAaBgkqhkiG9w0BCQEWDUVtYWls
IEFkZHJlc3MxJzAlBgkqhkiG9w0BCQITGEFuIG9wdGlvbmFsIGNvbXBhbnkgbmFt
ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJxy/ELs++e3M5QX1//
kwg2+TTouuNXycmtL8teHwrJM5xS7v5Mn/6uk8PJUEd8X8WvRH1Zn5+7QweWgAOb
w4es+CjZ5x3FIk/m5+Z79XzpjC2dRRASDKbZpwcMSi3DolAVKDFX29MfccTJ6RLl
I664+glqVlK6vm38YzK0rCGUd61U5pjg2J2UZ3ADorOdtSoPILii1NjNEsOOTzHq
Rwx+KH8IYXeCHB+0jH50XDk+x5gQxqGQbkNqQadHzIJ/OEFpwzsQpsVziUQJBTBO
j3oJcPcqWQfXB3sufPN2A2WWHi0LIxkrYZ+5fcuWdaf1c2RIZqruSlQXibBB/3kW
QTcCAwEAAaOB6jCB5zAdBgNVHQ4EFgQUwMZNiiFo3+m329ALRB0VA26jqkwwgbcG
A1UdIwSBrzCBrIAUwMZNiiFo3+m329ALRB0VA26jqkyhgYikgYUwgYIxITAfBgNV
BAcTGExvY2FsaXR5IE5hbWUgKGVnLCBjaXR5KTEWMBQGA1UEAxMNMTkyLjE2OC4x
NzUuMzEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVzczEnMCUGCSqGSIb3DQEJ
AhMYQW4gb3B0aW9uYWwgY29tcGFueSBuYW1lggkAhEjGLiNBJewwDAYDVR0TBAUw
AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAGpqr0C2rIZG+RE+7U4oTgrC/0lDgLlvu
9NFkjlhqpeApXaX0F+r8p2cw7ZbC+JoqdfbKQKHV/rVLvAXk1dYY/ZW9tQ+Uc8zz
AVXNQng8WPHnQnfuGeeotrQ8DM8ttMssy+bgx997Taml8FNjO4BdDhNU1gJBgeKJ
VpnmJSMN7gxyjkypNwZHd6ngHDh3Xpfz8F5pvkmpXWIolGVSHU+L+Qm1YC81g/0T
r5z2xomS2F5QHE2XyctgQwyr6C1GLkcYF+4NmAKlTGxkKG7DftZNsltDLm8xiWy5
dxpVcJgMye60p7pxBQh/6tbybUdsxpE0/jT3Z5QBoMYwLR6b4dqPzg==
-----END CERTIFICATE-----
subject=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
issuer=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1836 bytes and written 300 bytes
Verification error: self signed certificate
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FD434D881FC22619712B21C9441BA070EB5C58E46B3AACAC2C7F308F715D8CA9
    Session-ID-ctx:
    Master-Key: 8C578CA3C98E7D50AEE9E6B5BA4D7B52A23EF3EC994AC3769BEB27AE8A46C299C2B2C4A7A948E3544F9A7C43C39C05B6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1555044175
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
closed
example of server NOT supporting tls 1.1
$ openssl s_client -connect 192.168.1.3:443 -tls1_1
CONNECTED(00000003)
139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 79 bytes and written 109 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1555043268
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
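The check above done for all three versions at once, as an added example that is not part of the wiki page: a small POSIX sh script that classifies s_client output by the markers in the two transcripts and loops over the -tls1 / -tls1_1 / -tls1_2 options. It assumes an openssl binary that still accepts those options; the host name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not the wiki's own script): classify openssl s_client
# output using the markers seen in the page's two transcripts, then loop
# over the versions the page lists.  Assumes an openssl that still
# accepts -tls1 / -tls1_1 / -tls1_2.

# classify_s_client_output: reads s_client output on stdin, prints one of
# supported / unsupported / client-error / unknown.  Order matters: the
# failing transcript also contains a "New, ..., Cipher is ..." line.
# "no protocols available" is OpenSSL's own message when the local build
# disables the requested version (not on the page): the client, not the
# server, refused, so it must not be reported as a server result.
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"no protocols available"*)                echo client-error ;;
        *"Cipher is (NONE)"*|*"version too low"*)  echo unsupported ;;
        *"New, "*", Cipher is "*)                  echo supported ;;
        *)                                         echo unknown ;;
    esac
}

# check_tls_versions HOST [PORT]: one s_client run per version, printing
# "tls1 supported"-style lines.  </dev/null stops s_client waiting on
# stdin, -servername sends SNI so name-based virtual hosts answer, and
# 2>&1 captures the error lines, which openssl writes to stderr.
check_tls_versions() {
    host=$1; port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2; do
        res=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
              </dev/null 2>&1 | classify_s_client_output)
        echo "${flag#-} $res"
    done
}

# Constructed samples, condensed from the page's two transcripts, so the
# classifier can be exercised without a network.
SAMPLE_TLS1_OK='CONNECTED(00000003)
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA'
SAMPLE_TLS11_FAIL='CONNECTED(00000003)
139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'
# Live use (hypothetical host): check_tls_versions example.internal 443
```

A "client-error" line means your own openssl build refused the version before talking to the server, so it says nothing about the server; check with a build that still enables that version.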