Skip to main content

How to see if a website supports each TLS version in command line

This is a quick post about checking TLS version support using the command line. Of course, there are plenty of GUI tools and online services to do this. Yet, I find it is much easier to use just a simple command to check this.

I'm going to use badssl.com to test this out since it provides various examples with different SSL configurations.

We'll be using openssl command to check this. Openssl is a command-line tool to work with SSL connections. If you don't have it in your machine, you'll have to install it first.

Let's check a website that supports TLS1.0
TLS 1.0 has been deprecated by all web browsers and servers due to security vulnerabilities in that protocol version which you shouldn't use at all. If you have this enabled in your sever/website, please disable ASAP.

openssl s_client -connect tls-v1-0.badssl.com:1010 -tls1

Let's break the command to it's parts

openssl : command line tool
s_client : s_client is the first command of this tool that we are executing.
                This is used to make a connection with a server using SSL.
-connect : command option to specify where to connect which follows by the server and the port
tls-v1-0.badssl.com : this is the website or the server name
1010 : this is the port which HTTPS is enabled. Usually this is 443 standard port.
-tls1 : this is to enforce TLS1.0 version to make the connection


If we are using the same command for google.com it would be like;

openssl s_client -connect google.com:443 -tls1

Note the website I'm checking right now is tls-v1-0.badssl.com and the port is 1010 in a typical website this port will be 443 since it is the HTTPS standard port.

If the site is TLS1.0 enabled, it should give an output with a proper HTTPS connection printing out the server certificate and a session ticket.

eg:



If tls1.0 doesn't support it should be something like below. I'll use a random website (moby.lk) to test this out.


Here's the full list of commands to check each TLS version (by the time I'm writing this). Please note that newer OpenSSL versions no longer support SSLv3 since it is discontinued.


SSL/TLS versionCommand
TLS 1.0openssl s_client -connect google.com:443 -tls1
TLS 1.1openssl s_client -connect google.com:443 -tls1_1
TLS 1.2openssl s_client -connect google.com:443 -tls1_2
TLS 1.3openssl s_client -connect google.com:443 -tls1_3
SSLV3openssl s_client -connect google.com:443 -ssl3


Stay safe!

Comments

Popular posts from this blog

Java, how to create a list with a single element

 I wanted to create a Java List with a single element. Yet, I wanted to add more elements later. So, I was looking for a couple of ways to do this. So far there are multiple elegant ways to create a list with a single element with a one-liner. Not so much for a modifiable list though. Here's what I gathered so far. Followings are a few ways of creating a list with strictly a single entry. Can't add more elements. 1. Collections.singletonList() This returns an immutable list that cannot be modified or add more elements. // An immutable list containing only the specified object. List<String> oneEntryList = Collections. singletonList ( "one" ) ; oneEntryList.add( "two" ) ; // throws UnsupportedOperationException 2.  Arrays.asList() This returns a fixed-size list consisting of the number of elements provided as arguments. The number of elements provided would be an array hence the size is fixed to the length of the array. // Returns a fixed-size list List...

How to fix SSLHandshakeException PKIX path building failed in Java

TL ; DR 1. Extract the public certificate of the website/API that you are trying to connect from your Java application. Steps are mentioned in this post 2. Use the Java keytool to install the extracted certificate into the "cacerts" file (Trust store) keytool -import -trustcacerts -alias <domain name> -file <public certificate>.cert -keystore /path_to_java_home/jre/lib/security/cacerts -storepass changeit 3. Restart your Java application Exception A typical exception stack trace would look like below. javax.net.ssl. SSLHandshakeException : sun.security.validator.ValidatorException: PKIX path building failed : sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshake...

Ubuntu DNS issue fix DNS_PROBE_FINISHED_BAD_CONFIG

Issue  I've been playing with a VPN and somehow it messed up my DNS resolution configurations. Chrome gives  DNS_PROBE_FINISHED_BAD_CONFIG  error and can't ping google. So it seemed to be an issue with the DNS. Of course, restarting didn't fix it. I tried DNS lookup which gave me below. To make sure this is somehting to do with my DNS confgis, I ran the same by providing the google DNS servers.  It works, which means my default DNS is not working for some reason. To make sure this, ran the below command. systemd-resolve --status Output has an entry for DNS Servers, which was  ::1 Fix 1. Edit the file /etc/systemd/resolved.conf. sudo vi /etc/systemd/resolved.conf 2. Add new DNS entries. I added 2 google DNS and the cloudflare DNS sever. [Resolve] DNS=8.8.8.8 8.8.4.4 1.1.1.1 3. Restart the systemd-resolved and check the configuration is persisted in /run/systemd/resolve/resolv.conf file. sudo service systemd-resolved restart cat /run/systemd/resolve/resolv.co...