Linux: how to check if a webserver supports TLS 1.0/1.1/1.2/1.3

At the time of writing, TLS 1.0 and 1.1 are no longer considered safe and are prone to man-in-the-middle attacks. It is recommended to support only TLS 1.2+.

On Linux, you can check whether your webserver accepts TLS 1.0 or TLS 1.1 with the following commands:

Check TLS 1.0 / 1.1 / 1.2 / 1.3

openssl s_client -connect lanedirt.tech:443 -tls1 # tls 1.0
openssl s_client -connect lanedirt.tech:443 -tls1_1 # tls 1.1
openssl s_client -connect lanedirt.tech:443 -tls1_2 # tls 1.2
openssl s_client -connect lanedirt.tech:443 -tls1_3 # tls 1.3

If the server does NOT support the tested TLS version, you should get a message like the following, which states “no peer certificate available”.

CONNECTED(00000003)
140295707531072:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 104 bytes
Verification: OK
---

If the server DOES support the tested TLS version, you will get a different message that shows the SSL certificate chain, like the following:

openssl s_client -connect lanedirt.tech:443 -tls1_2
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = lanedirt.tech
verify return:1
---
Certificate chain
 0 s:CN = lanedirt.tech
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
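The four commands and the two outcomes described above can be combined into one script that probes each version and labels the result. This is an added example, not part of the original post; the function names are this example's own, and it assumes the "tlsv1 alert protocol version" line is what marks a rejection by the server.

```shell
#!/bin/sh
# Added example (not from the original post): probe each TLS version and
# classify the s_client output using the markers shown in the post.

# Samples abridged from the output quoted in the post.
SAMPLE_REJECTED='CONNECTED(00000003)
140295707531072:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---'
SAMPLE_ACCEPTED='CONNECTED(00000003)
depth=0 CN = lanedirt.tech
verify return:1
---
Certificate chain
 0 s:CN = lanedirt.tech'

# Map s_client output to: supported | rejected | no-handshake | unknown
classify_s_client_output() {
    case "$1" in
        *'no peer certificate available'*)
            case "$1" in
                # Server answered with the protocol_version alert (number 70).
                *'alert protocol version'*) echo rejected ;;
                # Handshake failed for another reason; do not read this as
                # proof that the server has the version disabled.
                *) echo no-handshake ;;
            esac ;;
        *'Certificate chain'*) echo supported ;;
        *) echo unknown ;;   # no recognizable s_client summary at all
    esac
}

# Run one probe. </dev/null makes s_client exit once the handshake is done.
probe_tls_version() (
    out=$(timeout 10 openssl s_client -connect "$1:443" "$2" </dev/null 2>&1)
    classify_s_client_output "$out"
)

# Print one line per version for host $1.
check_tls_versions() (
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_tls_version "$1" "$flag")"
    done
)

# Only contact a server when a hostname is given on the command line.
[ "$#" -eq 0 ] || check_tls_versions "$1"
```

Pass the hostname as the first argument to get one line per TLS version. A `no-handshake` result for TLS 1.0 or 1.1 can also mean that the local OpenSSL build did not offer that version, so confirm it from a client that still can.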

By Leendert de Borst
