Difference between revisions of "tls version check"
(Created page with "openssl can perform this check. nmap is supposed to, but it didn't work consistently for me. command $ openssl s_client -connect <ipaddr | hostname>:port_number < -tls1 | -t...") |
Revision as of 05:45, 12 April 2019
openssl can perform this check. nmap is supposed to, but it didn't work consistently for me.
command
$ openssl s_client -connect <ipaddr | hostname>:port_number < -tls1 | -tls1_1 | -tls1_2 >
if the openssl command returns handshake details such as a cert, the cipher and a session-ID, then the target server supports the version of TLS specified. if not, then it doesn't.
example of server supporting tls 1.0
$ openssl s_client -connect 192.168.1.3:443 -tls1
CONNECTED(00000003)
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
verify error:num=18:self signed certificate
verify return:1
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
verify return:1
---
Certificate chain
 0 s:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
   i:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
---
Server certificate
subject=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
issuer=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1836 bytes and written 300 bytes
Verification error: self signed certificate
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FD434D881FC22619712B21C9441BA070EB5C58E46B3AACAC2C7F308F715D8CA9
    Session-ID-ctx:
    Master-Key: 8C578CA3C98E7D50AEE9E6B5BA4D7B52A23EF3EC994AC3769BEB27AE8A46C299C2B2C4A7A948E3544F9A7C43C39C05B6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1555044175
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
closed
example of server NOT supporting tls 1.1
$ openssl s_client -connect 192.168.1.3:443 -tls1_1
CONNECTED(00000003)
139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 79 bytes and written 109 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1555043268
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
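the same check scripted for all three flags, as an added example that is not part of the original page. the function names are hypothetical and the two sample outputs are constructed by trimming the outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# classify_handshake: read `openssl s_client` output on stdin and print
# "supported" or "not supported".
classify_handshake() {
    # A completed handshake names a real cipher on the "New, ..." line; a
    # refused one prints "Cipher is (NONE)". The "Protocol :" line is not a
    # usable signal: it shows the requested version even when the handshake fails.
    cipher=$(sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") echo "not supported" ;;
        *)           echo "supported" ;;
    esac
}

# check_tls_versions HOST PORT: try each protocol flag from the page in turn.
check_tls_versions() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        # </dev/null makes s_client exit after the handshake instead of waiting.
        result=$(openssl s_client -connect "$1:$2" "$flag" </dev/null 2>&1 |
                 classify_handshake)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Constructed samples, trimmed from the two outputs shown on the page.
sample_ok() { cat <<'EOF'
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
EOF
}
sample_fail() { cat <<'EOF'
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
EOF
}
```

run `check_tls_versions 192.168.1.3 443` after sourcing the file. a "not supported" result can also come from the local openssl build or configuration refusing an old protocol, so confirm the client itself can still speak that version.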