tls version check

From thelinuxwiki
Revision as of 05:47, 12 April 2019 by Nighthawk (Talk | contribs)


openssl can perform this check. nmap is supposed to, but it didn't work consistently for me.

command

$ openssl s_client -connect <ipaddr | hostname>:port_number < -tls1 | -tls1_1 | -tls1_2 >
if the openssl command returns a certificate, a negotiated cipher and a Session-ID, then the target server supports the TLS version specified. if not, then it doesn't.

example of server supporting tls 1.0

$ openssl s_client -connect 192.168.1.3:443 -tls1

CONNECTED(00000003)
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
verify error:num=18:self signed certificate
verify return:1
depth=0 L = "Locality Name (eg, city)", CN = 192.168.1.3, emailAddress = Email Address, unstructuredName = An optional company name
verify return:1
---
Certificate chain
 0 s:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
   i:/L=Locality Name (eg, city)/CN=192.168.175.3/emailAddress=Email Address/unstructuredName=An optional company name
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
issuer=/L=Locality Name (eg, city)/CN=192.168.1.3/emailAddress=Email Address/unstructuredName=An optional company name
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1836 bytes and written 300 bytes
Verification error: self signed certificate
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
   Protocol  : TLSv1
   Cipher    : DHE-RSA-AES256-SHA
   Session-ID: FD434D881FC22619712B21C9441BA070EB5C58E46B3AACAC2C7F308F715D8CA9
   Session-ID-ctx: 
   Master-Key: 8C578CA3C98E7D50AEE9E6B5BA4D7B52A23EF3EC994AC3769BEB27AE8A46C299C2B2C4A7A948E3544F9A7C43C39C05B6
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1555044175
   Timeout   : 7200 (sec)
   Verify return code: 18 (self signed certificate)
   Extended master secret: no
---
closed

example of server NOT supporting tls 1.1

$ openssl s_client -connect 192.168.1.3:443 -tls1_1
CONNECTED(00000003)
139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 79 bytes and written 109 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
   Protocol  : TLSv1.1
   Cipher    : 0000
   Session-ID: 
   Session-ID-ctx: 
   Master-Key: 
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1555043268
   Timeout   : 7200 (sec)
   Verify return code: 0 (ok)
   Extended master secret: no
---
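The two transcripts above show the rule in practice: a successful handshake prints a real cipher name, a failed one prints "Cipher is (NONE)", while the "Protocol :" line shows the requested version in both cases and so cannot be used to decide. The script below is an added example, not part of the wiki page: it wraps that rule in a small POSIX sh function, checks it against samples trimmed from the page's own transcripts, and offers a probe loop over the version flags. It assumes the `openssl` binary is on PATH; `-tls1_3` is added beyond the page's list and is only accepted by OpenSSL 1.1.1 and later.

```shell
#!/bin/sh
# Added example, not from the wiki page. Decides TLS-version support from
# openssl s_client output using the page's rule: a negotiated cipher means
# the server accepted the requested version; "Cipher is (NONE)" means it
# did not. The "Protocol :" line is NOT used, because s_client prints the
# requested version there even when the handshake failed.

# tls_supported OUTPUT  -> prints "yes" or "no"
tls_supported() {
    if printf '%s\n' "$1" | grep -q '^New, .*Cipher is (NONE)'; then
        echo no
    elif printf '%s\n' "$1" | grep -q '^New, .*Cipher is '; then
        echo yes
    else
        # No "New," summary line at all: connection refused, timeout,
        # or the client build does not know the requested flag.
        echo no
    fi
}

# probe_tls HOST PORT -> one line per version flag.
# -tls1_3 is accepted by OpenSSL 1.1.1 and later; an older build prints an
# error and the line reads "no", so a "no" here can also mean the *client*
# lacks the version. Confirm with: openssl s_client -help
# </dev/null stops s_client from waiting on stdin after the handshake.
probe_tls() {
    host=$1
    port=$2
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
        printf '%-9s %s\n' "$flag" "$(tls_supported "$out")"
    done
}

# Constructed samples, trimmed from the two transcripts on this page.
SAMPLE_TLS1_OK='CONNECTED(00000003)
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
   Protocol  : TLSv1
   Cipher    : DHE-RSA-AES256-SHA'

SAMPLE_TLS11_FAIL='CONNECTED(00000003)
139705052063104:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:932:
New, (NONE), Cipher is (NONE)
SSL-Session:
   Protocol  : TLSv1.1
   Cipher    : 0000'

echo "tls1.0 sample: $(tls_supported "$SAMPLE_TLS1_OK")"     # yes
echo "tls1.1 sample: $(tls_supported "$SAMPLE_TLS11_FAIL")"  # no

# Live probe only when a host and port are given, e.g.
#   sh probe.sh 192.168.1.3 443
if [ "$#" -ge 2 ]; then
    probe_tls "$1" "$2"
fi
```

Keying on the "New, ..., Cipher is" line rather than on "Protocol :" is the important design choice: in the page's failed TLS 1.1 transcript the session block still reads "Protocol : TLSv1.1" with "Cipher : 0000", so a check that greps for the protocol name alone reports support that the server never offered.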