How to Check the TLS Version in Linux?
Overview
TLS in Linux plays a vital role in securing network communications, ensuring data privacy, integrity, and authentication. It enables secure web browsing, encrypted email transmission, secure file transfers, VPN connections, remote administration, and secure server-to-server communication. In this article, we will learn how we can check the TLS version in our Linux systems and will gain an overall understanding of what TLS is used for.
What is TLS?
TLS or Transport Layer Security is a cryptographic protocol designed to provide secure communication over computer networks. TLS ensures the privacy, integrity, and authenticity of data transmitted between clients and servers.
In Linux, the use of TLS (Transport Layer Security) is essential for securing various network communications and services. It sits between the transport layer and the application layer of the network protocol stack, providing a secure layer for application protocols such as HTTP, SMTP, FTP, and more. It is widely used to secure various applications and services on the internet, including secure web browsing (HTTPS), email transmission (IMAPS, POP3S, SMTPS), virtual private networks (VPNs), and more. The primary goals of TLS are:
- Privacy: TLS encrypts data to prevent eavesdropping, ensuring that only the intended recipient can decrypt and access the information. This protects sensitive data such as passwords, credit card numbers, and personal information.
- Data Integrity: TLS uses cryptographic algorithms to ensure that data remains unchanged during transmission. It detects any tampering or modifications made to the data while in transit.
- Authentication: TLS provides mechanisms for verifying the identity of servers and, optionally, clients. It uses digital certificates to establish trust and authenticity between communicating parties.
How to Check TLS Version in Linux?
In Linux, we can find out the supported versions of TLS using the NMAP and OpenSSL commands. Let us go through their usage and understand how the supported TLS versions can be checked with each of them.
Using NMAP
NMAP is a powerful network scanning tool that includes scripts to probe and gather information about remote systems. It can also check the TLS version supported by a server.
The first step is to install nmap, in case it is not already installed. After installation, run the following command:

```shell
nmap --script ssl-enum-ciphers -p 443 <hostname or IP>
```

The above command is broken down and explained here:
- The --script ssl-enum-ciphers option specifies the script to be executed during the scan. In this case, the ssl-enum-ciphers script is used, which is designed to enumerate the SSL/TLS cipher suites supported by the target server.
- The -p 443 option specifies the port number to be scanned. Port 443 is the default port for HTTPS (HTTP over TLS/SSL) communication, and it is commonly used for secure web browsing. You can replace 443 with the appropriate port number if the target service uses a different port for SSL/TLS.
- Here, <hostname or IP> is a placeholder for the actual hostname or IP address of the target server you want to scan. You should replace it with the specific server information.
When we run the nmap command with the above options, it will initiate a scan against the target server specified by the hostname or IP address. It will display information about the SSL/TLS cipher suites supported by the target server, including their names, encryption algorithms, key exchange mechanisms, and other relevant details.
The ssl-enum-ciphers script tests various SSL/TLS versions, cipher suites, and encryption algorithms to gather information about the server's SSL/TLS configuration. It will provide a detailed report showing the supported protocols and the strength of the encryption algorithms.
Using OpenSSL
OpenSSL is a powerful command-line tool for cryptographic operations, including checking which TLS versions a server supports. Here's how you can utilize OpenSSL to check the TLS version:

```shell
openssl s_client -connect <hostname or IP>:443 -tls1
```

The above command is broken down and explained here:
- Here the openssl s_client command invokes the OpenSSL tool with the s_client subcommand. This subcommand acts as a generic SSL/TLS client that allows us to connect to a remote server and interact with it over a secure connection.
- The -connect <hostname or IP>:443 option in the above command specifies the server we want to connect to and the port we want to use. In this case, we are connecting to the host given in the <hostname or IP> placeholder on port 443, which is the default port for HTTPS (HTTP over SSL/TLS).
- The -tls1 option specifies the TLS version to use during the connection. In this command, we are explicitly requesting TLS 1.0.
To check for specific versions of TLS the following options can be used:
- -tls1 for TLS 1.0
- -tls1_1 for TLS 1.1
- -tls1_2 for TLS 1.2
- -tls1_3 for TLS 1.3
For example, if we need to check TLS 1.2 for google.com, the following command can be used:

```shell
openssl s_client -connect www.google.com:443 -tls1_2
```

Upon executing the command, OpenSSL's s_client subcommand will establish a connection to www.google.com on port 443 using only TLS 1.2. The output will display information about the server's certificate, the negotiated cipher suite, and other SSL/TLS-related details. If the server does not accept the requested version, the handshake fails and the output shows the SSL/TLS error instead of a negotiated cipher, which is how an unsupported version is detected.
Another way to check the TLS versions is by using the following command:

```shell
openssl ciphers -v
```

The ciphers subcommand of OpenSSL is used to manage and display the cipher suites available to the local OpenSSL library. The -v option displays additional information about each cipher suite, including the protocol version it belongs to and its key exchange, authentication, encryption, and MAC algorithms.

The above command will provide us with a lot of information, but its output can be filtered if we extend it into a pipeline. The following command can be used instead:

```shell
openssl ciphers -v | awk '{print $2}' | sort | uniq
```

The above command ensures that each SSL/TLS protocol version for which the local OpenSSL build has cipher suites is shown exactly once. Note that this reflects the installed OpenSSL library, not what a remote server accepts.

The breakdown of the above command is as follows:
- The output of openssl ciphers -v is piped into awk, which prints only the second column of each line, the column holding the protocol version.
- That column is then piped into the sort command, which places identical version strings next to each other.
- Finally, the output is piped into the uniq command, which removes adjacent duplicate lines from the sorted input. This makes sure there is only one instance of each protocol version.
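The per-version s_client check and the ciphers pipeline above, as an added shell example that is not part of the original article: tls_negotiated() parses s_client output to tell a negotiated version from a failed handshake, probe_tls_versions() repeats the check for every TLS version, and local_tls_versions() is the pipeline extended with a count per version. The function names and the sample outputs are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article.  Function names and the
# sample outputs below are constructed for illustration.

# Read `openssl s_client` output on stdin and report the negotiated version.
# The "New, <proto>, Cipher is <name>" line carries it; "(NONE)" means the
# handshake failed, e.g. because the server rejected the requested version.
tls_negotiated() {
    awk '/^New, / {
        sub(",", "", $2)
        if ($2 == "(NONE)") print "unsupported"
        else print "supported " $2 " " $5
        found = 1; exit
    }
    END { if (!found) print "unknown" }'
}

# Try every TLS version against host:port and print one result line each.
# A failure can also mean the local OpenSSL refused the version, so keep the
# stderr text (merged below) when investigating.  Needs network access.
probe_tls_versions() {
    host="$1"; port="${2:-443}"
    for opt in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -connect "$host:$port" -"$opt" </dev/null 2>&1 | tls_negotiated)
        printf '%-7s %s\n' "$opt" "$result"
    done
}

# The article's pipeline over `openssl ciphers -v` output on stdin, extended
# to count the suites per protocol version of the local OpenSSL build.
local_tls_versions() {
    awk '{ print $2 }' | sort | uniq -c | awk '{ print $2 " " $1 }'
}

# Constructed sample outputs (abridged) of a successful and a rejected handshake.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='CONNECTED(00000003)
error:0A000102:SSL routines::unsupported protocol
New, (NONE), Cipher is (NONE)'
# Constructed sample of `openssl ciphers -v` lines.
SAMPLE_CIPHERS='TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'

printf '%s\n' "$SAMPLE_OK" | tls_negotiated     # supported TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
printf '%s\n' "$SAMPLE_FAIL" | tls_negotiated   # unsupported
printf '%s\n' "$SAMPLE_CIPHERS" | local_tls_versions   # TLSv1.2 2 / TLSv1.3 1
if [ $# -gt 0 ]; then probe_tls_versions "$@"; fi   # live probe when a host is given
```

Run it with a hostname (and optionally a port) as arguments to probe a live server; without arguments it only exercises the parsers on the constructed samples.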
FAQs
Q: What is the difference between SSL and TLS?
A: SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over networks. TLS is the successor to SSL and offers improved security. TLS versions are backward compatible with SSL, but it's recommended to use the latest TLS versions for stronger security.
Q: What should I do if my Linux system does not support TLS 1.2 or higher?
A: If your Linux system does not support newer TLS versions, it may indicate outdated software or libraries. To enable support for TLS 1.2 or higher, you should update your system's software packages, including OpenSSL and other relevant components.
Q: Is TLS only used for web-related protocols?
A: No, TLS is not limited to web-related protocols. While it is commonly used for securing HTTPS, TLS can also be applied to secure other protocols such as FTP, SMTP, IMAP, POP3, VPNs, and more. It provides security and encryption for various network-based communications.
Q: Can I disable TLS on my Linux server?
A: While it's technically possible to disable TLS, it's strongly discouraged. TLS is crucial for secure communication and protecting sensitive data. Disabling TLS would expose your server and users to security risks. It's recommended to keep TLS enabled and regularly update to the latest secure versions.
Q: Can I configure TLS encryption for email on my Linux server?
A: Yes, you can configure TLS encryption for email on your Linux server. This involves setting up TLS certificates and configuring the email server software (e.g., Postfix, Sendmail) to support TLS for incoming and outgoing mail connections.
Conclusion
- TLS (Transport Layer Security) is a cryptographic protocol that ensures secure communication over networks.
- The primary goal of TLS is to maintain privacy, data integrity, and authentication.
- We can check the TLS version on a Linux system using OpenSSL and NMAP.
- TLS encryption can be configured for email on Linux servers, involving the setup of TLS certificates and configuration of email server software.
- TLS is not limited to web-related protocols and can be applied to secure other network protocols like FTP, SMTP, IMAP, POP3, VPNs, and more.