Confirming the TLS version your Linux server uses helps you maintain secure communications with clients. Knowing how to check tls version on linux is essential for sysadmins and security professionals who need to ensure their systems are not using outdated protocols like SSLv3 or TLS 1.0. This guide walks you through multiple methods to verify TLS support on any Linux distribution.
Transport Layer Security (TLS) encrypts data between servers and clients. Older versions have known vulnerabilities. Checking your current TLS version helps you patch security holes and comply with industry standards.
Why Check TLS Version On Linux
Outdated TLS versions expose your server to attacks like POODLE or BEAST. Regular checks let you disable weak protocols and enforce strong encryption. Many compliance frameworks require TLS 1.2 or higher.
You might need to check TLS version for troubleshooting connection issues. Some applications or APIs require specific TLS versions. Knowing your server’s capabilities saves debugging time.
Prerequisites For Checking TLS Version
You need a Linux server with command-line access. Basic knowledge of terminal commands helps. Most Linux distributions include the tools we’ll use by default.
If you don’t have root access, you can still check TLS versions for user-space applications. Some methods require sudo for system-wide checks.
Tools You Will Need
- OpenSSL (usually pre-installed)
- curl or wget
- nmap (optional but powerful)
- Python (for scripting)
- netcat (for manual testing)
How To Check Tls Version On Linux Using OpenSSL
OpenSSL is the most common tool for checking TLS versions. It’s installed on almost every Linux system. Here’s how to use it.
Check TLS Version Supported By OpenSSL Itself
First, see what TLS versions your OpenSSL library supports. Run this command:
openssl version -aLook for the “Built on” line. It shows the supported protocols. If you see “TLSv1.3” in the output, your system supports modern TLS.
Test TLS Version Against A Remote Server
To check what TLS version a remote server uses, use OpenSSL’s s_client command. This connects to a server and shows the negotiated TLS version.
For TLS 1.2:
openssl s_client -connect example.com:443 -tls1_2For TLS 1.3:
openssl s_client -connect example.com:443 -tls1_3If the connection succeeds, the server supports that TLS version. If it fails with a handshake error, the version is not supported.
You can also test older versions like TLS 1.0 or 1.1. Replace the flag with -tls1 or -tls1_1.
Check Local Server’s TLS Configuration
For local services like Apache or Nginx, you can test locally. Run OpenSSL against localhost:
openssl s_client -connect localhost:443 -tls1_2This works if your web server is running on port 443. Adjust the port number for other services like MySQL (3306) or Postfix (25).
How To Check Tls Version On Linux Using Curl
Curl is another excellent tool. It’s more user-friendly than OpenSSL for quick checks. Use the –tls-max flag to limit TLS version.
Check Supported TLS Versions With Curl
To see what TLS versions curl supports:
curl --version | grep -i tlsThe output shows “OpenSSL” or “NSS” with supported protocols.
Test Remote Server TLS Version
Use curl with the –tlsv1.2 or –tlsv1.3 flag:
curl --tlsv1.2 -I https://example.comIf the command succeeds, the server supports TLS 1.2. For TLS 1.3:
curl --tlsv1.3 -I https://example.comCurl returns an error if the server doesn’t support the requested version. This is a quick way to test without reading complex output.
Using Nmap To Check TLS Version
Nmap is a network scanner that can probe TLS versions. It’s not installed by default but is easy to add.
Install Nmap
On Debian/Ubuntu:
sudo apt install nmapOn RHEL/CentOS:
sudo yum install nmapScan For TLS Versions
Use the ssl-enum-ciphers script:
nmap --script ssl-enum-ciphers -p 443 example.comNmap tests all TLS versions and shows which ones are enabled. The output lists each version and the ciphers supported. This is the most comprehensive method.
You can scan multiple ports:
nmap --script ssl-enum-ciphers -p 443,8443,993 example.comChecking TLS Version On Local Services
For services running on your own server, you can check configuration files or use test tools.
Apache HTTP Server
Check the SSL configuration file, usually /etc/httpd/conf.d/ssl.conf or /etc/apache2/sites-available/default-ssl.conf. Look for the SSLProtocol directive:
SSLProtocol -all +TLSv1.2 +TLSv1.3This shows which versions are enabled. You can also test with OpenSSL as described earlier.
Nginx Web Server
Check /etc/nginx/nginx.conf or site-specific files. Look for ssl_protocols:
ssl_protocols TLSv1.2 TLSv1.3;Nginx uses this directive to control allowed TLS versions.
Postfix Mail Server
Check /etc/postfix/main.cf for smtpd_tls_protocols:
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2, TLSv1.3Using Python To Check TLS Version
Python provides a flexible way to check TLS versions programmatically. This is useful for automation.
Simple Python Script
import ssl
import socket
def check_tls_version(hostname, port=443):
context = ssl.create_default_context()
with socket.create_connection((hostname, port)) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
print(f"TLS version: {ssock.version()}")
check_tls_version("example.com")This script connects and prints the negotiated TLS version. You can modify it to test specific versions.
Test Specific TLS Versions
import ssl
import socket
def test_tls_version(hostname, version, port=443):
context = ssl.SSLContext(getattr(ssl, f"PROTOCOL_TLSv{version}"))
try:
with socket.create_connection((hostname, port)) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
print(f"TLS {version} supported")
except Exception as e:
print(f"TLS {version} not supported: {e}")
test_tls_version("example.com", "1.2")
test_tls_version("example.com", "1.3")Checking TLS Version For Specific Applications
Different applications may use different TLS libraries. Here’s how to check for common ones.
Git
Git uses the system’s OpenSSL. Check its TLS version:
git version --build-options | grep opensslWget
Wget also relies on OpenSSL. Test with:
wget --version | grep -i sslDocker
Docker uses its own TLS settings. Check the daemon configuration:
docker info | grep -i tlsHow To Check Tls Version On Linux For System Libraries
Sometimes you need to check what TLS version the system’s SSL library supports. This affects all applications.
Check OpenSSL Version
openssl versionOpenSSL 1.1.1 and later support TLS 1.3. Older versions only support up to TLS 1.2.
Check GnuTLS Version
gnutls-cli --versionGnuTLS 3.6.0 and later support TLS 1.3.
Common Issues When Checking TLS Version
You might encounter problems. Here are solutions.
Connection Refused
If the server refuses connection, check if the service is running. Use systemctl status or netstat to verify.
Certificate Errors
Self-signed certificates cause warnings. Use the -no-CAfile flag with OpenSSL to bypass certificate verification for testing.
Firewall Blocking
Firewalls may block test connections. Ensure the port is open from your testing machine.
Best Practices For TLS Version Management
After checking, you should act on the results. Here’s what to do.
Disable Outdated Versions
Disable TLS 1.0 and 1.1. They are considered insecure. Only enable TLS 1.2 and 1.3.
Regular Audits
Schedule monthly checks using scripts. Automate the process with cron jobs.
Monitor Changes
Track TLS version changes in your configuration management system. This helps with compliance audits.
FAQ About Checking TLS Version On Linux
How Do I Check The TLS Version Of A Website From Linux?
Use openssl s_client -connect website.com:443 -tls1_2. Replace the flag with other versions to test. Curl also works with –tlsv1.2.
What Command Shows TLS Version In Linux?
openssl version -a shows the library version. For server testing, openssl s_client is the standard command.
How Can I Check TLS Version Without OpenSSL?
Use curl –tlsv1.2 -I https://example.com or nmap –script ssl-enum-ciphers. Python’s ssl module also works.
Does Linux Support TLS 1.3?
Yes, if you have OpenSSL 1.1.1 or later. Check with openssl version. Most modern distributions include it.
How Do I Check TLS Version For A Local Service?
Test localhost with openssl s_client -connect localhost:port -tls1_2. Or check the service’s configuration file for SSLProtocol or ssl_protocols directives.
Automating TLS Version Checks
Create a simple script to check multiple servers. Save this as check_tls.sh:
#!/bin/bash
SERVERS=("example.com" "google.com" "github.com")
for server in "${SERVERS[@]}"; do
echo "Checking $server..."
openssl s_client -connect $server:443 -tls1_2 2>/dev/null | grep -q "SSL handshake" && echo "TLS 1.2 supported" || echo "TLS 1.2 not supported"
doneMake it executable with chmod +x check_tls.sh and run it. This saves time for multiple servers.
Conclusion
Knowing how to check tls version on linux is a fundamental skill for maintaining secure systems. Use OpenSSL for quick tests, curl for simplicity, and nmap for comprehensive scans. Regular checks help you stay ahead of security threats.
Disable outdated protocols and enforce modern TLS versions. Your users and clients will thank you for the extra security. Start checking your servers today to ensure they meet current standards.
Remember to document your findings and update configurations as needed. Security is an ongoing process, not a one-time task. Keep your Linux systems safe by staying informed about TLS versions.