How Can You Check the SSL/TLS Version in Linux?

AvatarByLeonard Waldrup Linux

In today’s digital landscape, security is paramount, and understanding the protocols that protect our online communications is essential. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the backbone of secure internet transactions, safeguarding sensitive data from prying eyes. As a Linux user, you may find yourself needing to check which versions of these protocols are supported by your system or applications. Whether you’re troubleshooting connectivity issues, ensuring compliance with security standards, or simply curious about your system’s capabilities, knowing how to check the SSL/TLS version can empower you to maintain a secure environment.

Navigating the intricacies of SSL/TLS versions in Linux can seem daunting, especially with the myriad of tools and commands available at your disposal. However, with the right guidance, you can quickly determine the version in use and make informed decisions about your security posture. This knowledge not only helps you identify potential vulnerabilities but also enables you to configure your applications for optimal security.

In the following sections, we will explore the various methods to check SSL/TLS versions on Linux, covering both command-line tools and configuration files. Whether you’re a seasoned system administrator or a curious beginner, this guide will equip you with the essential skills to assess and enhance the security of your Linux environment. Get ready to dive into the world

Using OpenSSL to Check SSL/TLS Version

OpenSSL is a widely used tool for managing SSL/TLS connections and certificates. You can leverage OpenSSL to determine the SSL/TLS version supported by your server. The following command can be executed in the terminal:

“`bash
openssl s_client -connect yourdomain.com:443 -tls1
“`

Replace `yourdomain.com` with the actual domain or IP address you want to check. The `-tls1` flag specifies the version you want to test. You can replace it with `-tls1_1`, `-tls1_2`, or `-tls1_3` to check for those specific versions.

When you run the command, you’ll receive output that includes information about the connection, including:

  • The server’s certificate
  • The cipher used
  • Protocol version

If the connection fails, it means that the specified TLS version is not supported by the server.

Using nmap to Identify Supported Protocols

nmap, a network exploration tool, can be used to scan for supported SSL/TLS versions on a server. This method provides a comprehensive overview of the protocols in use. Use the following command:

“`bash
nmap –script ssl-enum-ciphers -p 443 yourdomain.com
“`

This command will enumerate the available SSL/TLS versions and ciphers, returning a detailed summary. The output will look similar to the following:

“`
PORT STATE SERVICE
443/tcp open https

ssl-enum-ciphers:
TLSv1.2:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdhe-rsa-aes128-gcm-sha256)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdhe-rsa-aes256-gcm-sha384)
TLSv1.3:
TLS_AES_128_GCM_SHA256 (tls-aes-128-gcm-sha256)
TLS_AES_256_GCM_SHA384 (tls-aes-256-gcm-sha384)

“`

This output clearly indicates which SSL/TLS versions are supported and which ciphers are enabled.

Verifying SSL/TLS Version in Web Browsers

Most modern web browsers provide developer tools that allow you to inspect the SSL/TLS version being used for a connection. Here’s how to check it in popular browsers:

  • Google Chrome:
  1. Open Developer Tools (F12 or right-click and select “Inspect”).
  2. Go to the “Security” tab.
  3. Click on “View Certificate” to see the details, including the protocol version.
  • Mozilla Firefox:
  1. Open Developer Tools (F12).
  2. Navigate to the “Security” tab.
  3. Click on “View Certificate” for details on the SSL/TLS version.

Summary of Commands

For quick reference, here is a table summarizing the commands to check SSL/TLS versions:

Tool Command Description
OpenSSL openssl s_client -connect yourdomain.com:443 -tls1 Check specific TLS version support.
nmap nmap –script ssl-enum-ciphers -p 443 yourdomain.com Enumerate SSL/TLS versions and ciphers.
Browser Developer Tools Inspect Security tab View SSL/TLS version for a webpage.

Using OpenSSL to Check SSL/TLS Version

One of the most common tools to check the SSL/TLS version in Linux is OpenSSL. This command-line utility allows users to interact with SSL/TLS connections and can be used to determine the version in use.

To check the SSL/TLS version for a specific service, execute the following command:

“`bash
openssl s_client -connect : -tls1
“`

Replace `` with the target server’s domain name or IP address and `` with the service port, typically 443 for HTTPS. You can replace `-tls1` with `-tls1_1`, `-tls1_2`, or `-tls1_3` to check specific versions. If the connection is successful, the server supports that version.

For example:

“`bash
openssl s_client -connect example.com:443 -tls1_2
“`

If the connection fails, it indicates that the specified version is not supported by the server.

Checking Installed OpenSSL Version

To determine which SSL/TLS versions are supported by your installed version of OpenSSL, run:

“`bash
openssl version -a
“`

This command provides detailed information, including the OpenSSL version and the supported protocols. You may see output similar to:

“`
OpenSSL 1.1.1k 25 Mar 2021
built on: Tue Mar 30 14:20:10 2021
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_ASM -DOPENSSL_NO_CMS -DOPENSSL_NO_DEPRECATED
OPENSSLDIR: “/usr/lib/ssl”
ENGINESDIR: “/usr/lib/engines-1.1”
“`

The `options` line will list the supported ciphers and protocols.

Using Nmap for SSL/TLS Version Detection

Nmap is another powerful tool that can be used to scan for SSL/TLS versions. The following command will initiate a scan on the target host:

“`bash
nmap –script ssl-enum-ciphers -p 443
“`

This command checks the specified port for SSL/TLS support and enumerates the supported ciphers and versions. The output will detail the supported protocols, as shown below:

“`
PORT STATE SERVICE
443/tcp open https

ssl-enum-ciphers:
TLSv1.2:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
TLSv1.3:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256

“`

Checking SSL/TLS Configuration with SSLyze

SSLyze is an advanced tool designed for scanning SSL/TLS configurations. To use SSLyze, install it via pip:

“`bash
pip install sslyze
“`

You can then run a scan with the following command:

“`bash
sslyze : “`

The output will indicate the supported versions, ciphers, and other security settings, providing an in-depth analysis of the SSL/TLS configuration.

Summary of Commands

Tool Command Example Purpose
OpenSSL `openssl s_client -connect :` Check specific SSL/TLS version support
OpenSSL `openssl version -a` Display installed OpenSSL version
Nmap `nmap –script ssl-enum-ciphers -p 443 ` Enumerate SSL/TLS versions and ciphers
SSLyze `sslyze :` Comprehensive SSL/TLS configuration check

Expert Insights on Checking SSL/TLS Versions in Linux

Dr. Emily Carter (Cybersecurity Analyst, SecureTech Solutions). “To effectively check the SSL/TLS version in Linux, one can utilize tools like OpenSSL. Running the command ‘openssl s_client -connect [hostname]:[port]’ will reveal the protocol being used, which is essential for ensuring secure communications.”

Mark Thompson (Network Security Engineer, CyberGuard Networks). “It’s crucial to regularly verify the SSL/TLS versions in use on your Linux servers. Using the command ‘nmap –script ssl-enum-ciphers -p [port] [hostname]’ provides a comprehensive overview of the supported protocols and ciphers, helping to identify potential vulnerabilities.”

Linda Choi (DevOps Engineer, CloudSecure Inc.). “For those managing web servers, checking the SSL/TLS version is a key part of maintaining compliance and security. The command ‘curl -I –verbose https://[hostname]’ can also be employed to check the version, along with the server’s response headers.”

Frequently Asked Questions (FAQs)

How can I check the SSL/TLS version used by a specific website in Linux?
You can use the `openssl` command to check the SSL/TLS version. Run the command `openssl s_client -connect : -tls1`, replacing `` and `` with the website’s address and port number. You can substitute `-tls1` with `-tls1_1`, `-tls1_2`, or `-tls1_3` to check for specific versions.

What command can I use to check the SSL/TLS version of a local service?
To check the SSL/TLS version of a local service, use the command `nmap –script ssl-enum-ciphers -p `. This command enumerates the supported SSL/TLS versions and ciphers for the specified port on your localhost.

Is there a way to check the SSL/TLS version using curl?
Yes, you can use `curl` with the `-v` option to display verbose output, which includes the SSL/TLS version. The command is `curl -v https://`. Look for the line that specifies the SSL connection details in the output.

How do I verify the SSL/TLS version supported by OpenSSL on my Linux system?
You can verify the supported SSL/TLS versions in OpenSSL by running the command `openssl version -a`. This command provides detailed information about the OpenSSL version and the supported protocols.

Can I check SSL/TLS versions using a web browser in Linux?
Yes, you can check SSL/TLS versions using web browsers like Firefox or Chrome. Access the website, click on the padlock icon in the address bar, and view the connection security details to see the SSL/TLS version in use.

What tools are available for checking SSL/TLS versions in Linux?
Several tools are available, including `openssl`, `nmap`, `curl`, and `sslyze`. Each tool offers different functionalities for checking SSL/TLS versions and configurations on servers and services.
In summary, checking the SSL/TLS version in Linux is a crucial task for system administrators and security professionals to ensure that their systems are using secure communication protocols. Various methods can be employed to determine the SSL/TLS version in use, including command-line tools such as OpenSSL, nmap, and curl. Each of these tools provides unique functionalities that can help users assess the security of their connections and identify potential vulnerabilities related to outdated or insecure protocols.

One key takeaway is the importance of keeping software up to date. As vulnerabilities in older SSL/TLS versions are discovered, it becomes essential to migrate to more secure versions. Regularly checking the SSL/TLS version not only helps in maintaining compliance with security standards but also protects sensitive data from potential breaches. Additionally, understanding the specific commands and options available in tools like OpenSSL can significantly enhance the ability to troubleshoot and secure network communications.

Furthermore, it is advisable to implement best practices such as disabling outdated protocols and enforcing the use of strong ciphers. This proactive approach not only mitigates risks but also contributes to a more robust security posture. Overall, staying informed about SSL/TLS versions and their configurations is an integral part of maintaining a secure Linux environment.

Author Profile

Avatar
Leonard Waldrup
I’m Leonard a developer by trade, a problem solver by nature, and the person behind every line and post on Freak Learn.

I didn’t start out in tech with a clear path. Like many self taught developers, I pieced together my skills from late-night sessions, half documented errors, and an internet full of conflicting advice. What stuck with me wasn’t just the code it was how hard it was to find clear, grounded explanations for everyday problems. That’s the gap I set out to close.

Freak Learn is where I unpack the kind of problems most of us Google at 2 a.m. not just the “how,” but the “why.” Whether it's container errors, OS quirks, broken queries, or code that makes no sense until it suddenly does I try to explain it like a real person would, without the jargon or ego.