How To
Summary
This technote explains how to use the OpenSSL s_client command to determine whether or not a service supports particular SSL or TLS versions.
Steps
To test whether a service on a particular port supports TLS 1.1 or 1.2 (or refuses older versions such as SSL 3), use the openssl command with the s_client subcommand. This subcommand acts as a generic SSL/TLS client and shows you the result of its SSL/TLS negotiation with the server. You can tell s_client which protocol version to use, or which versions not to use. The -ssl2, -ssl3, -tls1, -tls1_1, and -tls1_2 options force s_client to use SSLv2, SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2 respectively. There are also options that exclude a particular protocol version (or versions) from the negotiation; they have the same names prefixed with "no_", for example -no_ssl2. The man page for the subcommand (man s_client) lists all of its options.
Certain application protocols, such as FTP or SMTP, require the client to request TLS explicitly (STARTTLS) before a secure connection can be negotiated. To test such a service, use the -starttls option of s_client to tell it which application protocol to speak. For example, to test the local sendmail server to see whether it supports TLS 1.2, use the following command.
openssl s_client -connect localhost:25 -starttls smtp -tls1_2 < /dev/null
If the SSL/TLS version is supported, openssl prints a section like this near the end of the output.
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: A4C5FBC01FEA5C3A0D330A1172C0881384FE41589EA868D7F1BDFA7741D6C7E0
    Session-ID-ctx:
    Master-Key: 5A3F649BEE902250D210923E8D1D7917682B3255FF38CB6685B03E098779393C0B08E968F8D883AF6527BDA718381314
If the SSL/TLS version is not supported, it looks like this instead.
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
To test a web server or some other service that does not require a command to negotiate SSL/TLS, omit the -starttls option. For example, with a web server at port 443 (https), which allows for immediate SSL/TLS negotiation, this command:
openssl s_client -connect www.ibm.com:443 -tls1_2
shows negotiation output like this:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 467372EFE2B38132969C195531A977A0DD57AD607451F87BC9A5D317F1B177F6
    Session-ID-ctx:
    Master-Key: 58383EADE7710CC72E6EEA73E9E6512C2E5BF24E8AAB337CDFDB576A9667213DF3677140A561FE1D5A0CFA669F2C5D9D
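The same checks scripted across several protocol versions, as an added example that is not part of this technote. It assumes openssl is on the PATH and that host, port and an optional STARTTLS protocol are passed as arguments; the classification function is also exercised offline against constructed sample output modelled on the sections shown above.

```shell
#!/bin/sh
# Added example, not from the technote: run openssl s_client once per version
# flag against a service and classify each run's "New, ..., Cipher is ..." line.
# supported   - a cipher was negotiated for the forced version
# unsupported - handshake ended with "New, (NONE), Cipher is (NONE)"
# unknown     - no negotiation line at all (connection refused, or the
#               local openssl build rejects that version flag)
classify_s_client_output() {
    if printf '%s\n' "$1" | grep -q '^New, (NONE), Cipher is (NONE)'; then
        echo unsupported
    elif printf '%s\n' "$1" | grep -q '^New, .*, Cipher is [A-Z0-9]'; then
        echo supported
    else
        echo unknown
    fi
}

# Probe one version: host, port, version flag (e.g. -tls1_2) and an
# optional -starttls protocol name (e.g. smtp), as in the technote's commands.
probe_version() {
    if [ -n "$4" ]; then
        out=$(openssl s_client -connect "$1:$2" -starttls "$4" "$3" </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    fi
    classify_s_client_output "$out"
}

# Every version flag the technote lists except -ssl2, which most current
# builds no longer compile in; add -tls1_3 if your OpenSSL supports it.
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag" "$3")"
    done
}
# Constructed sample outputs, modelled on the technote's, for offline testing.
SAMPLE_SUPPORTED='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2'
SAMPLE_UNSUPPORTED='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2'

# Usage: sh probe.sh HOST PORT [STARTTLS-PROTOCOL], e.g. localhost 25 smtp
if [ "$#" -ge 2 ]; then
    probe_all "$1" "$2" "$3"
fi
```

A result of "unknown" for -ssl3 on a current OpenSSL usually means the local build has SSLv3 disabled, not that the server refused it; check the openssl error text before drawing a conclusion about the server.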
Document Location
Worldwide
Document Information
Modified date:
01 March 2022
UID
ibm10960233