Testing server for TLS 1.2 in Linux

Last updated on

To test a server for TLS 1.2 support, you can try these methods.

1. Using openssl

Run the following command in terminal:

openssl s_client -connect google.com:443 -tls1_2

If you get the certificate chain and the handshake like below you know the system in question supports TLS 1.2. If you see don’t see the certificate chain, and something similar to “handshake error” you know it does not support TLS 1.2. You can also test for TLS 1 or TLS 1.1 with -tls1 or tls1_1 respectively.

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA0nt67i+GAazJs4e+bBSMqB6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA1MjMyMTU5MDBaFw0x
NzA4MjEyMTU5MDBaMBcxFTATBgNVBAMTDGluaXNtZWFpbi5pZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANLrc8IH2BP51XLhR6L2/IjRuNYcoj6UH58K
NzA4MjEyMTU5MDBaMBcxFTATBgNVBAMTDGluaXNtZWFpbi5pZTCCASI.........
dl0=
-----END CERTIFICATE-----
subject=/CN=example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3019 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DF39CB241F6580C6E6570E0E9827D7F8615A71A76359DB4F9D1B9D3AD
    Session-ID-ctx:
    Master-Key: 12E8FF788E15AAA2E95BE35C5864784B90ED5A9AE8352AFE98C7DCADB04E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1502214066
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

2. Using nmap

Also you can list all supported ciphers using nmap.

sudo apt install nmap
nmap --script ssl-enum-ciphers -p 443 www.google.com

If it’s supported you’ll get something like this:

|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL

3. Testing an Accepted cipher

We can also test for a particular cipher using openssl, in this case we are testing for the cipher ECDHE-RSA-AES256-SHA.

openssl s_client -cipher 'ECDHE-RSA-AES256-SHA' -connect google.com:443

If the cipher is supported, you will see a successful handshake:

CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIISDCCBzCgAwIBAgIIG03GHwUBFTowDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNzI1MDgzOTU5WhcNMTcxMDE3MDgyNzAw
WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
b29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAth5nKIa7
zyhvCvBPB3/WsqypXh/Kw9GUMfEcAm3SPJR8ahlyrqL8dOjoPlEXm2WceHDlMg3z
NDQ1Yuu9eghqXV/KRQuUbljxt/kqZZaL10Tl9E6yW+VQ0UnV9GoXcjz42k5FjBXR
kyYaBWxfmkRi0dlI...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4824 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: D29FD3C45A2FC4FFDD3720974F4C6973E4E4E93D59A3BCC1D9422A2102
    Session-ID-ctx:
    Master-Key: B6BF9E8EA130144B30E95F26B1CCA30E7F405EEB1F8F62EA8AECFDD1BA14AD40277B38C6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 47 24 d0 7b 3a 9c 1d-8b b4 95 29 64 e1 35 bf   .G$.{:.....)d.5.
    0010 - 64 08 1d 07 b4 5a 0b 94-80 89 6c bf 5b 2a 18 34   d....Z....l.[*.4
    0020 - fe 61 8e c1 76 59 a6 55-86 2a 1b ed 06 35 af 65   .a..vY.U.*...5.e
    0030 - 9e 73 19 68 e6 c3 03 d2-ba 59 24 8e 19 e0 57 71   .s.h.....Y$...Wq
    0040 - 18 68 3e 40 aa cc 79 c4-d5 29 3d a2 f0 21 41 e8   .h>@..y..)=..!A.
    0050 - 4f b9 5a 9d 63 a4 7e 01-bf c3 cf 6a c6 1d 76 79   O.Z.c.~....j..vy
    0080 - 3b 5d bd fd 47 61 b2 5a-00 fb b7 29 ca fa b3 90   ;]..Ga.Z...)....
    0090 - 0f e0 b9 00 10 89 c4 31-cc b5 74 4c 21 4e ec ab   .......1..tL!N..
    00a0 - 39 15 fa 9b 1d 4c ea db-a4 c0 86 d1 31 bf 1d 3d   9....L......1..=
    00b0 - 64 ce 74 0f e7 ce 86 71-ef d0 bf b7 44 aa 20 6f   d.t....q....D. o
    00c0 - fc 35 48 c2 b5 6b 71 0d-39 a5 f1 92 0d 1d e7 5e   .5H..kq.9......^
    00d0 - e6 cd e6 0a f3                                    .....

    Start Time: 1502368379
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

4. Online Tools for SSL/TLS Testing

Let me know in the comments if this helped. Follow me on Twitter, Facebook and YouTube.

p.s. I increased my AdSense revenue by 68% using AI 🤖. Read my Ezoic review to find out how.

1 Star2 Stars3 Stars4 Stars5 Stars 4.67 (6 votes)

Leave a Reply

Your email address will not be published. Required fields are marked *

We use Markdown to style comments, like on Github and Reddit.
To do a line break, type two spaces after the sentence.
You can add inline code by wrapping it in backticks: `code here`

    To do an entire block of code  
    type four spaces before the line
    and it will appear in a block like this.
    <-- four empty spaces

1 reply