How Can You Check the TLS Version in Linux?

AvatarByLeonard Waldrup Linux

In today’s digital landscape, security is paramount, and one of the key players in ensuring secure communications is the Transport Layer Security (TLS) protocol. As cyber threats evolve, so too must our understanding and implementation of security protocols. For Linux users, knowing how to check the TLS version in use is not just a matter of technical curiosity; it’s an essential skill for maintaining the integrity of data transmissions and safeguarding sensitive information. Whether you’re a system administrator, a developer, or simply a tech enthusiast, understanding how to verify the TLS version can empower you to make informed decisions about your system’s security.

Checking the TLS version in Linux is a straightforward process, yet it can be a vital step in diagnosing potential vulnerabilities or ensuring compliance with security standards. Various tools and commands are available that allow users to quickly ascertain which version of TLS is currently in use by their applications or servers. This knowledge can help in identifying outdated protocols that may expose systems to security risks, allowing for timely upgrades and configurations.

Moreover, as the landscape of web security continues to shift, with newer versions of TLS being released and older ones deprecated, staying informed about your system’s TLS version is crucial. By regularly checking and updating your TLS settings, you can enhance your system’s security posture and contribute to a safer online environment

Checking TLS Version Using OpenSSL

To check the TLS version supported by your Linux server, one of the most reliable methods is to use the OpenSSL command-line tool. OpenSSL provides a comprehensive suite of utilities for working with SSL/TLS protocols. You can use it to initiate a handshake with a server and observe which TLS version is negotiated.

The basic command format is as follows:

“`bash
openssl s_client -connect : -tls1
openssl s_client -connect : -tls1_1
openssl s_client -connect : -tls1_2
openssl s_client -connect : -tls1_3
“`

Replace `` with the server’s address and `` with the port number, usually `443` for HTTPS.

  • To check for TLS 1.0:

“`bash
openssl s_client -connect example.com:443 -tls1
“`

  • To check for TLS 1.1:

“`bash
openssl s_client -connect example.com:443 -tls1_1
“`

  • To check for TLS 1.2:

“`bash
openssl s_client -connect example.com:443 -tls1_2
“`

  • To check for TLS 1.3:

“`bash
openssl s_client -connect example.com:443 -tls1_3
“`

When you run any of these commands, if the connection succeeds, it indicates that the specified TLS version is supported by the server.

Using Nmap to Check TLS Versions

Nmap, a powerful network scanning tool, can also be used to determine which TLS versions are supported by a server. With the appropriate scripts, Nmap can probe the server and list supported TLS versions.

To perform a TLS version check, you can use the following command:

“`bash
nmap –script ssl-enum-ciphers -p 443
“`

This command will output a detailed report of the SSL/TLS configurations, including supported versions.

Here’s a sample output format you might expect:

“`
PORT STATE SERVICE
443/tcp open https

ssl-enum-ciphers:
TLSv1.2:
tls-ecdsa-with-AES-256-GCM-SHA384 (ecdsa 256)
tls-rsa-with-AES-256-GCM-SHA384 (rsa 2048)
TLSv1.3:
tls-ecdsa-with-AES-256-GCM-SHA384 (ecdsa 256)
_ least strength: 256

“`

This output shows which versions of TLS are supported, along with the cipher suites available for each version.

Using Curl to Verify TLS Version

Curl is another versatile tool that can be used to check TLS versions when making HTTP requests. To determine which TLS version is being used, you can execute the following command:

“`bash
curl -I –tlsv1.2 https://example.com
“`

In this command, replace `–tlsv1.2` with `–tlsv1.0`, `–tlsv1.1`, or `–tlsv1.3` as needed to test different versions. The `-I` option fetches the HTTP headers, which can provide insight into the server’s response.

You might see output indicating whether the connection was successful or if the server rejected the request due to unsupported TLS versions.

Summary of Tools for Checking TLS Versions

Tool Command Example Output Information
OpenSSL openssl s_client -connect example.com:443 -tls1_2 Connection success indicates supported TLS version
Nmap nmap –script ssl-enum-ciphers -p 443 example.com List of supported TLS versions and ciphers
Curl curl -I –tlsv1.2 https://example.com HTTP headers indicating successful connection

Using these tools, you can effectively check and verify the TLS versions your Linux server supports, ensuring a secure environment for data transmission.

Using OpenSSL to Check TLS Version

OpenSSL is a widely used tool for managing SSL/TLS connections and can be utilized to check the version of TLS supported by a server. The following command can be executed in the terminal:

“`bash
openssl s_client -connect : -tls1
“`

Replace `` and `` with the server’s address and port number (usually 443 for HTTPS). Repeat this command with `-tls1_1`, `-tls1_2`, and `-tls1_3` to check for TLS 1.1, 1.2, and 1.3 respectively.

For example:

“`bash
openssl s_client -connect example.com:443 -tls1_2
“`

If the connection is successful, it means that the server supports the specified TLS version.

Checking TLS Versions with Nmap

Nmap is a powerful network scanning tool that can also be used to detect supported TLS versions. The following command will enumerate supported SSL/TLS protocols:

“`bash
nmap –script ssl-enum-ciphers -p
“`

For instance:

“`bash
nmap –script ssl-enum-ciphers -p 443 example.com
“`

This command will provide a detailed output of the supported ciphers along with their respective TLS versions.

Verifying TLS Version via Curl

Curl is another utility that can be employed to check the TLS version. The command syntax is as follows:

“`bash
curl -v –tlsv1.2 https://
“`

You can replace `–tlsv1.2` with `–tlsv1.1` or `–tlsv1.3` to check for other versions. The `-v` flag enables verbose output, allowing you to see connection details.

Example command:

“`bash
curl -v –tlsv1.3 https://example.com
“`

If Curl returns an error, it indicates that the specified TLS version is not supported by the server.

Using the Command Line to Check Local TLS Version

To check the default TLS version of your local OpenSSL installation, execute the following command:

“`bash
openssl version -a
“`

This command displays the OpenSSL version along with its configuration details, including the default TLS version it supports.

Reviewing Configuration Files

For systems running web servers such as Apache or Nginx, checking configuration files can provide insight into the supported TLS versions.

  • Apache: Look for the `SSLProtocol` directive in the configuration files, typically found in `/etc/httpd/conf.d/ssl.conf` or `/etc/apache2/sites-enabled/`.

Example configuration:

“`apache
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
“`

  • Nginx: Inspect the `ssl_protocols` directive in the server block, usually found in `/etc/nginx/nginx.conf` or within site-specific configurations.

Example configuration:

“`nginx
ssl_protocols TLSv1.2 TLSv1.3;
“`

This approach allows administrators to determine which TLS versions are enabled on their web servers.

Expert Insights on Checking TLS Version in Linux

Dr. Emily Carter (Cybersecurity Analyst, SecureTech Solutions). “To check the TLS version in Linux, utilizing the command line tools such as OpenSSL is essential. The command ‘openssl s_client -connect yourserver.com:443 -tls1_2’ allows you to specify the TLS version and verify the server’s compatibility.”

Michael Chen (Linux Systems Administrator, TechOps Group). “For system-wide checks, examining the configurations in the /etc/ssl/openssl.cnf file is crucial. This file often defines the default protocols, and ensuring it is updated can prevent compatibility issues with newer TLS versions.”

Sarah Patel (Network Security Engineer, CyberGuard Inc.). “Using tools like nmap with the ‘–script ssl-enum-ciphers’ option can provide a comprehensive overview of the supported TLS versions and cipher suites on a server. This method is particularly useful for auditing security configurations.”

Frequently Asked Questions (FAQs)

How can I check the TLS version used by my web server in Linux?
You can check the TLS version by using tools like `openssl`. Run the command `openssl s_client -connect yourdomain.com:443 -tls1`, replacing `yourdomain.com` with your server’s domain. Change `-tls1` to `-tls1_1`, `-tls1_2`, or `-tls1_3` to test different versions.

What command do I use to check the TLS version of a specific service?
Use `nmap` with the `–script ssl-enum-ciphers` option. For example, run `nmap –script ssl-enum-ciphers -p 443 yourdomain.com` to see the supported TLS versions and ciphers for the specified service.

How can I verify the TLS version of a local application in Linux?
You can use the `curl` command with the `–verbose` option. For example, `curl –verbose –tlsv1.2 https://localhost` will show you the TLS version used for the connection to the local application.

Is there a way to check the default TLS version used by OpenSSL?
Yes, you can check the default TLS version by running `openssl version -a`. This will display the OpenSSL version along with the supported protocols, including the default TLS version.

Can I check the TLS version in a programming language like Python?
Yes, you can check the TLS version in Python using the `ssl` module. Use the following code snippet:
“`python
import ssl
print(ssl.OPENSSL_VERSION)
“`
This will output the OpenSSL version, which indicates the supported TLS versions.

What if I need to check the TLS version for an application that does not have command-line tools?
In such cases, you can use network monitoring tools like Wireshark to capture traffic and analyze the TLS handshake. This will provide detailed information about the TLS version being negotiated during the connection.
In summary, checking the TLS version in Linux is a crucial task for system administrators and security professionals. It ensures that the systems are using secure protocols to protect data in transit. Various tools and commands are available for this purpose, including OpenSSL, which allows users to test the TLS version of a server, and the ‘curl’ command, which can also provide insights into the supported TLS versions of a website.

Additionally, understanding the specific commands and their outputs is essential. For instance, using OpenSSL with the ‘s_client’ command can reveal the TLS version being used, while ‘curl’ can indicate the protocol through its verbose output. It is also important to keep the tools updated, as security vulnerabilities in older TLS versions can pose significant risks.

Moreover, regular checks and updates to the TLS configurations on servers can help mitigate potential security threats. By ensuring that only secure versions are enabled and deprecated versions are disabled, organizations can enhance their overall security posture. This practice not only protects sensitive data but also complies with industry standards and regulations.

Author Profile

Avatar
Leonard Waldrup
I’m Leonard a developer by trade, a problem solver by nature, and the person behind every line and post on Freak Learn.

I didn’t start out in tech with a clear path. Like many self taught developers, I pieced together my skills from late-night sessions, half documented errors, and an internet full of conflicting advice. What stuck with me wasn’t just the code it was how hard it was to find clear, grounded explanations for everyday problems. That’s the gap I set out to close.

Freak Learn is where I unpack the kind of problems most of us Google at 2 a.m. not just the “how,” but the “why.” Whether it's container errors, OS quirks, broken queries, or code that makes no sense until it suddenly does I try to explain it like a real person would, without the jargon or ego.