Skip to main content

How to see if a website supports each TLS version in command line

This is a quick post about checking TLS version support using the command line. Of course, there are plenty of GUI tools and online services to do this. Yet, I find it is much easier to use just a simple command to check this.

I'm going to use badssl.com to test this out since it provides various examples with different SSL configurations.

We'll be using openssl command to check this. Openssl is a command-line tool to work with SSL connections. If you don't have it in your machine, you'll have to install it first.

Let's check a website that supports TLS1.0
TLS 1.0 has been deprecated by all web browsers and servers due to security vulnerabilities in that protocol version which you shouldn't use at all. If you have this enabled in your sever/website, please disable ASAP.

 openssl s_client -connect tls-v1-0.badssl.com:1010 -tls1

 Let's break the command to it's parts

 openssl : command line tool
s_client : s_client is the first command of this tool that we are executing.
                This is used to make a connection with a server using SSL.
-connect : command option to specify where to connect which follows by the server and the port
tls-v1-0.badssl.com : this is the website or the server name
1010 : this is the port which HTTPS is enabled. Usually this is 443 standard port.
-tls1 : this is to enforce TLS1.0 version to make the connection
If we are using the same command for google.com it would be like;

openssl s_client -connect google.com:443 -tls1

Note the website I'm checking right now is tls-v1-0.badssl.com and the port is 1010 in a typical website this port will be 443 since it is the HTTPS standard port.

If the site is TLS1.0 enabled, it should give an output with a proper HTTPS connection printing out the server certificate and a session ticket.

eg:



If tls1.0 doesn't support it should be something like below. I'll use a random website (moby.lk) to test this out.


Here's the full list of commands to check each TLS version (by the time I'm writing this). Please note that newer OpenSSL versions no longer support SSLv3 since it is discontinued.
SSL/TLS versionCommand
TLS 1.0openssl s_client -connect google.com:443 -tls1
TLS 1.1openssl s_client -connect google.com:443 -tls1_1
TLS 1.2openssl s_client -connect google.com:443 -tls1_2
TLS 1.3openssl s_client -connect google.com:443 -tls1_3
SSLV3openssl s_client -connect google.com:443 -ssl3


Stay safe!
Labels:

Comments

Post a Comment

Popular posts from this blog

Install Docker on Windows 11 with WSL Ubuntu 22.04

This is to install Docker within Ubuntu WSL without using the Windows Docker application. Follow the below steps. Install Ubuntu 22.04 WSL 1. Enable Windows Subsystem for Linux and Virtual Machine platform Go to Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off 2. Switch to WSL 2 Open Powershell and type in the below command. wsl --set-default-version 2 If you don't have WSL 2, download the latest WSL 2 package and install it.  3. Install Ubuntu Open Microsoft Store and search for Ubuntu. Select the version you intend to install. I'd use the latest LTS version Ubuntu 22.04. Click on the Get button. It will take a couple of minutes to download and install. 4. Open up the installed Ubuntu version that was installed. If you get an error like the below image, make sure to install the WSL2 Kernel update .  If it's an older Ubuntu version the error message would be something like the image below. Error: WSL 2 requires an update to its
1 comment
Read more

How to fix SSLHandshakeException PKIX path building failed in Java

TL ; DR 1. Extract the public certificate of the website/API that you are trying to connect from your Java application. Steps are mentioned in this post 2. Use the Java keytool to install the extracted certificate into the "cacerts" file (Trust store) keytool -import -trustcacerts -alias <domain name> -file <public certificate>.cert -keystore /path_to_java_home/jre/lib/security/cacerts -storepass changeit 3. Restart your Java application Exception A typical exception stack trace would look like below. javax.net.ssl. SSLHandshakeException : sun.security.validator.ValidatorException: PKIX path building failed : sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshake
Post a Comment
Read more

Automatically open Chrome developer tools in a new tab

Sometimes we need to check the console or the network transactions of a link that opens up in a new tab. By default, the Chrome developer tools are not opening in a new tab. So, by the time when we hit F12 and open the dev tools, part of the information we needed could be already gone.  There's a setting in dev tools where you can keep the dev tools open automatically in a new tab. To enable that, hit F12 and open up the dev tools. Click on the settings icon in the top right corner. In the Preferences section, scroll down to the bottom. You'll be able to find the option to Auto-open DevTools for popups. Select the checkbox and we're good to go!
Post a Comment
Read more