Checking the SSL version on your Linux server helps you ensure your connection protocols are current. If you have ever wondered how to check ssl version in linux, you are in the right place. This guide walks you through multiple methods, from simple commands to deeper inspections, so you can verify your SSL/TLS setup quickly.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are critical for encrypting data. Knowing your current version helps you spot outdated protocols like SSLv2 or SSLv3, which are vulnerable. Let’s get started with the most common approaches.
Why Check SSL Version On Linux
Before jumping into commands, understand why this matters. Older SSL versions have known security flaws. For example, SSLv3 is susceptible to the POODLE attack. By checking, you can disable weak protocols and enforce modern ones like TLS 1.2 or 1.3.
Linux servers often run web servers like Apache or Nginx. But you can check SSL version without touching config files. The methods below work on most distributions, including Ubuntu, CentOS, and Debian.
How To Check Ssl Version In Linux
This section covers the primary techniques. Use the one that fits your situation best. All commands assume you have terminal access with sudo or root privileges if needed.
Using OpenSSL Command
OpenSSL is the most common tool. It comes pre-installed on most Linux systems. To check the SSL version your system supports, run:
openssl versionThis shows the OpenSSL library version, which includes the highest TLS version it supports. For example, output like “OpenSSL 1.1.1k 25 Mar 2021” means it supports up to TLS 1.2. Newer versions like 3.0+ support TLS 1.3.
To see all available protocols, use:
openssl ciphers -v | awk '{print $2}' | sort -uThis lists protocol versions like TLSv1, TLSv1.2, etc. If you see SSLv3, your system is outdated.
Checking SSL Version For A Remote Server
To check what SSL version a remote server uses, connect with OpenSSL. For example:
openssl s_client -connect example.com:443 -tls1_2Replace “example.com” with your target domain. The “-tls1_2” flag forces TLS 1.2. If the connection succeeds, the server supports it. Try other versions like “-tls1_3” or “-ssl3” to see what is enabled.
You can also use a simpler command to see the negotiated version:
openssl s_client -connect example.com:443 2>/dev/null | grep "Protocol"This returns something like “Protocol : TLSv1.2”.
Using Nmap For SSL Version Scanning
Nmap is a network scanner that can check SSL versions. Install it first if missing:
sudo apt install nmap # Debian/Ubuntu
sudo yum install nmap # CentOS/RHELThen run:
nmap --script ssl-enum-ciphers -p 443 example.comThis script enumerates all supported SSL/TLS versions and ciphers. The output clearly lists each version and its strength. It is ideal for auditing.
Checking Local Web Server Configuration
If you run Apache, check the SSLProtocol directive. Look in your config files:
grep -i sslprotocol /etc/apache2/*.confOr for Nginx:
grep -i ssl_protocols /etc/nginx/nginx.confThese show what protocols your server allows. For example, “SSLProtocol all -SSLv2 -SSLv3” means only TLS versions are enabled.
Using Curl To Check SSL Version
Curl can also reveal SSL version info. Use the verbose flag:
curl -vI https://example.com 2>&1 | grep "SSL"This shows the TLS version used during the handshake. It is quick for a single check.
Interpreting The Results
Once you have output, understand what is good. Modern servers should support TLS 1.2 and 1.3. Avoid SSLv2, SSLv3, and TLS 1.0/1.1 if possible. These are deprecated by major browsers and security standards.
If you see only older versions, update your OpenSSL library or web server configuration. For example, on Ubuntu, run:
sudo apt update && sudo apt upgrade opensslThen restart your web server.
Automating SSL Version Checks
For regular audits, write a simple script. Here is a bash example:
#!/bin/bash
SERVER="example.com"
for ver in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do
result=$(openssl s_client -connect $SERVER:443 -"$ver" 2>/dev/null)
if echo "$result" | grep -q "Protocol"; then
echo "$ver: Supported"
else
echo "$ver: Not supported"
fi
doneSave it, make executable with chmod +x, and run it. This gives a clear list of supported versions.
Common Issues When Checking SSL Version
Sometimes commands fail. Here are fixes:
- Connection refused: Ensure the service is running and port 443 is open.
- OpenSSL not found: Install it via your package manager.
- Permission denied: Use sudo for system-level checks.
- Timeout: Check network connectivity or firewall rules.
If you get “no peer certificate available”, the server may not support SSL on that port. Double-check the URL.
Using GUI Tools For SSL Version
If you prefer graphical tools, try GnuTLS or Qualys SSL Labs. But for Linux servers, command line is faster. However, you can install a GUI like “openssl-gui” if needed. Most admins stick with terminal.
For a quick online check, visit SSL Labs and enter your domain. It gives a detailed report including SSL version support. But that requires internet access.
Best Practices For SSL Version Management
After checking, take action:
- Disable SSLv2 and SSLv3 immediately.
- Disable TLS 1.0 and 1.1 if your clients support newer versions.
- Enable TLS 1.2 and 1.3 only.
- Update OpenSSL regularly.
- Test after changes with the same commands.
Remember that some old clients (like ancient browsers) may break. But security trumps compatibility in most cases.
Checking SSL Version For Specific Services
Different services may use different SSL libraries. For example, PostgreSQL uses its own SSL implementation. Check its version with:
psql -c "SHOW ssl_version;"For MySQL/MariaDB:
mysql -e "SHOW VARIABLES LIKE '%ssl%';"For SSH (which uses SSL-like encryption), check with:
ssh -VEach service may have its own method. Always refer to the documentation.
Understanding OpenSSL Version Output
The “openssl version” command shows the library version, not necessarily the protocol version. For example, OpenSSL 1.0.2 supports TLS 1.2, while 1.1.1 supports TLS 1.3. To see exact protocol support, use:
openssl ciphers -v | grep -E "TLS|SSL" | head -10This lists ciphers with their protocol. If you see “TLSv1.3”, your library supports it.
Checking SSL Version Without Root Access
If you are a regular user, you can still check. Most commands work without sudo. For example:
openssl versionWorks as any user. For remote checks, no special permissions needed. Only config file inspection may require root.
Using Python To Check SSL Version
Python’s ssl module can help. Run:
python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"This shows the OpenSSL version used by Python. You can also check supported protocols:
python3 -c "import ssl; print(ssl.OPENSSL_VERSION_INFO)"This gives a tuple like (1, 1, 1, 0, 0).
Checking SSL Version In Docker Containers
Inside a Docker container, use the same commands. But ensure OpenSSL is installed. For example:
docker exec -it container_name openssl versionOr enter the container first. The results reflect the container’s library, not the host.
Frequently Asked Questions
What is the easiest way to check SSL version in Linux?
The easiest is using “openssl version” in the terminal. It shows the library version, which indicates supported protocols.
How do I check if TLS 1.2 is enabled on my Linux server?
Use “openssl s_client -connect localhost:443 -tls1_2”. If it connects, TLS 1.2 is enabled. Also check your web server config.
Can I check SSL version for a remote website?
Yes, use “openssl s_client -connect example.com:443” and look for the “Protocol” line. Or use nmap with the ssl-enum-ciphers script.
Why does my Linux server still show SSLv3?
It may have an old OpenSSL version or misconfigured web server. Update OpenSSL and check your SSLProtocol settings.
How do I disable weak SSL versions on Linux?
Edit your web server config. For Apache, set “SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1”. For Nginx, set “ssl_protocols TLSv1.2 TLSv1.3;”. Then restart the service.
Final Thoughts On SSL Version Checking
Now you know multiple ways to check SSL version on Linux. Start with “openssl version” for a quick library check. Use “openssl s_client” for remote servers. Automate with scripts for regular audits. Keep your protocols up to date to stay secure.
Remember, security is an ongoing process. Check your SSL version periodically, especially after updates. If you find outdated protocols, disable them promptly. Your server and users will thank you.
That covers everything you need about how to check ssl version in linux. Practice these commands on your own system. With time, it becomes second nature. Stay safe out there.