Verifying the TLS version on your Linux system ensures your encrypted connections meet current security standards. Knowing how to check TLS version in Linux is essential for system administrators and security professionals who need to confirm that services use safe cryptographic protocols.
Outdated TLS versions like 1.0 and 1.1 are vulnerable to attacks. Modern systems should run TLS 1.2 or 1.3. This guide shows you multiple ways to check the TLS version on your Linux machine.
Why Check Tls Version On Linux
Checking your TLS version helps you identify weak encryption. Many compliance standards require TLS 1.2 or higher. If your system still uses older versions, you risk data breaches.
You might also need to verify TLS support for specific applications like web servers, email servers, or databases. Regular checks keep your infrastructure secure.
How To Check Tls Version In Linux
The most direct way involves using command-line tools. Linux offers several utilities to inspect TLS capabilities of your system or remote servers.
Using Openssl To Check Tls Version
OpenSSL is the standard toolkit for SSL/TLS. Most Linux distributions include it by default.
Run this command to see the TLS versions your OpenSSL library supports:
openssl version -a
Look for the “built on” date and the list of supported protocols. You should see entries like “TLSv1.2” and “TLSv1.3”.
To check what TLS version a remote server uses, use:
openssl s_client -connect example.com:443 -tls1_2
Replace “example.com” with your target domain. The -tls1_2 flag forces TLS 1.2. If the connection succeeds, the server supports that version. Try with -tls1_3 to check TLS 1.3 support.
You can also test for older versions like -tls1 or -tls1_1 to see if they are still enabled.
Using Curl To Verify Tls Version
cURL is another handy tool. It can show you the TLS version used during a connection.
Run:
curl -v https://example.com
The verbose output includes a line like “SSL connection using TLSv1.3”. This tells you the negotiated TLS version.
To force a specific TLS version, use the –tlsv1.2 or –tlsv1.3 flags:
curl --tlsv1.2 https://example.com
If the server does not support that version, curl will show an error.
Using Nmap To Scan Tls Versions
Nmap is a network scanner that can probe TLS versions on remote services. Install it if needed:
sudo apt install nmap (Debian/Ubuntu) or sudo yum install nmap (RHEL/CentOS).
Then run:
nmap --script ssl-enum-ciphers -p 443 example.com
This script enumerates supported TLS versions and ciphers. The output lists each version and whether it is enabled.
Checking Local System Tls Support
To see what TLS versions your system’s libraries support, check the OpenSSL configuration:
openssl ciphers -v | awk '{print $2}' | sort -u
This shows the protocol versions for all available ciphers. You will see TLSv1.2, TLSv1.3, and possibly older ones.
For a more detailed view, look at the system’s crypto policies:
update-crypto-policies --show
On RHEL-based systems, this shows the current policy (e.g., DEFAULT, LEGACY, FUTURE). The policy determines which TLS versions are allowed.
Checking Web Server Tls Configuration
If you run a web server like Apache or Nginx, you can check its TLS settings directly in the configuration files.
For Apache, look for lines like:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
This disables older versions. The current enabled versions are those not prefixed with a minus sign.
For Nginx, check the ssl_protocols directive:
ssl_protocols TLSv1.2 TLSv1.3;
Restart the service after making changes.
Using Python To Check Tls Version
Python’s ssl module can also help. Write a simple script:
import ssl
print(ssl.OPENSSL_VERSION)
print(ssl.OPENSSL_VERSION_INFO)
Run it with python3 script.py. It shows the OpenSSL version and supported protocols.
To test a remote server:
import ssl, socket
context = ssl.create_default_context()
with socket.create_connection(('example.com', 443)) as sock:
with context.wrap_socket(sock, server_hostname='example.com') as ssock:
print(ssock.version())
This prints the negotiated TLS version.
Checking Tls Version On Different Linux Distributions
Commands work similarly across distributions, but package names and default tools may vary.
Ubuntu And Debian
Use apt to install missing tools:
sudo apt update && sudo apt install openssl curl nmap
OpenSSL is usually pre-installed. Check with openssl version.
Rhel And Centos
Use yum or dnf:
sudo yum install openssl curl nmap
On RHEL 8+, the default crypto policy might restrict older TLS versions. Check with update-crypto-policies --show.
Fedora
Similar to RHEL. Use dnf:
sudo dnf install openssl curl nmap
Fedora often ships with newer OpenSSL versions.
Arch Linux
Use pacman:
sudo pacman -S openssl curl nmap
Arch typically has the latest OpenSSL.
Automating Tls Version Checks
You can write a bash script to check multiple servers. Here is a simple example:
#!/bin/bash
for server in "$@"; do
echo "Checking $server"
openssl s_client -connect $server:443 -tls1_2 2>/dev/null | grep "SSL handshake"
done
Save it as check_tls.sh, make it executable (chmod +x check_tls.sh), and run it with server names as arguments.
For more comprehensive scanning, use nmap with the ssl-enum-ciphers script in a loop.
Common Issues When Checking Tls Version
Sometimes commands fail or give confusing output. Here are typical problems.
Connection Refused Or Timeout
If the server is not reachable, check firewall rules. Ensure port 443 is open. Use telnet example.com 443 to test basic connectivity.
Openssl Not Found
Install OpenSSL using your package manager. On minimal systems, it might be missing.
Unsupported Protocol Error
When you force a specific TLS version and get an error, the server likely does not support it. This is common when testing TLS 1.3 on older servers.
Nmap Script Not Working
Ensure nmap is up to date. The ssl-enum-ciphers script requires the nse-nmap package on some distributions.
Best Practices For Tls Version Management
After checking your TLS versions, take action to secure your systems.
- Disable TLS 1.0 and 1.1 completely. They are insecure.
- Enable TLS 1.2 and 1.3 only.
- Use strong cipher suites. Avoid RC4, 3DES, and export-grade ciphers.
- Regularly audit your TLS configuration with tools like testssl.sh or Qualys SSL Labs.
- Keep OpenSSL and other libraries updated to patch vulnerabilities.
For web servers, consider using a tool like Mozilla’s SSL Configuration Generator to create secure settings.
Frequently Asked Questions
How Do I Check TLS Version In Linux Without OpenSSL?
You can use curl with the -v flag or nmap with the ssl-enum-ciphers script. Python’s ssl module also works if OpenSSL is not installed.
What Is The Command To Check TLS Version In Linux For A Remote Server?
Use openssl s_client -connect server:443 and look for the “SSL-Session” line. Alternatively, curl -v https://server shows the TLS version.
How To Check TLS Version In Linux For Apache?
Check the SSLProtocol directive in Apache’s configuration files, usually located in /etc/httpd/conf.d/ssl.conf or /etc/apache2/sites-available/default-ssl.conf.
Can I Check TLS Version In Linux Using A GUI?
Yes, tools like Wireshark can capture and display TLS handshake details. However, command-line methods are faster for routine checks.
Why Does My Linux System Show Only TLS 1.2 And Not 1.3?
Your OpenSSL version might be too old. TLS 1.3 support was added in OpenSSL 1.1.1. Update OpenSSL to enable TLS 1.3.
Conclusion
Knowing how to check TLS version in Linux helps you maintain secure encrypted communications. Use OpenSSL, curl, nmap, or Python to verify both local and remote systems. Regular audits prevent the use of outdated protocols.
Start by running the commands shown here. Disable weak TLS versions and enable only TLS 1.2 and 1.3. This simple step significantly improves your security posture.
Remember to update your tools and libraries frequently. Security is an ongoing process, not a one-time fix.