How to check supported TLS and SSL version?


You should use these commands set to check supported  SSL and  TLS ciphers. Also, I added some useful information about send  HTTPS requests to a  server.

  • Check supported SSL and  TLS version with  "nmap"  command.
# nmap --script ssl-enum-ciphers -p 443 www.google.com

Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-10 11:15 +03
Nmap scan report for www.google.com (216.58.208.100)
Host is up (0.012s latency).
rDNS record for 216.58.208.100: sof01s11-in-f100.1e100.net
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 7.03 seconds
  • Check  if system accept  SSL3  request  with  "openssl"  command. As  you see command  failed  for  SSL3  when we check google  page. Also  you can  test  it  with TLS1  . It will accept  TLS1  connection.
# openssl s_client -connect www.google.com:443 -ssl3
CONNECTED(00000003)
139946845312928:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1502352980
Timeout : 7200 (sec)
Verify return code: 0 (ok)

 

#openssl s_client -connect www.google.com:443 -tls1
#openssl s_client -connect www.google.com:443 -tls1_1
#openssl s_client -connect www.google.com:443 -tls1_2
#openssl s_client -connect www.google.com:443 -dtls1
  • Check certificate  information . Also you can  write script to  monitor certificate  expire  date. I  added some  command  to check  information about certificate.
Get CN  information
#echo | openssl s_client -connect $iP:$PORT_NUMBER  2>/dev/null | openssl x509 -noout -subject|awk -F "/" '{print $NF}'
Get Issuer information
#echo | openssl s_client -connect $iP:$PORT_NUMBER  2>/dev/null | openssl x509 -noout -issuer
Get Expire date
#echo | openssl s_client -connect $i:$PORT_NUMBER  2>/dev/null | openssl x509 -noout -enddate|cut  -d  '='  -f  2,2

 

I'm a IT Infrastructure and Operations Architect with extensive experience and administration skills and works for Turk Telekom. I provide hardware and software support for the IT Infrastructure and Operations tasks.

205 Total Posts
Follow Me

0 Comments

Leave a Reply