How to determine if web-server still supports deprecated TLS 1.0 protocol

Use the openssl command-line utility to quickly check whether your web server still accepts the deprecated TLS 1.0 protocol.

Domain that supports the TLS 1.0 protocol.

$ echo -n | openssl s_client -connect www.example.com:443 -servername www.example.com -tls1
CONNECTED(00000003)                                                                                    
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3                                           
verify return:1                                                                                        
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3                                     
verify return:1                                                                                        
depth=0 CN = www.example.com                                                              
verify return:1                                                                                        
---                                                                                                    
Certificate chain                                                                                      
 0 s:/CN=www.example.com                                                                  
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3                                               
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3                                               
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3                                                  
---                                                                                                    
Server certificate                                                                                     
-----BEGIN CERTIFICATE-----                                                                            
MIIFGzCCBAOgAwIBAgISAzpgi8Wdjy7tAtI+D75dppZVMA0GCSqGSIb3DQEBCwUA                                       
[...]
qy+f2pU+FSu8wVJVRpxAR1poMH3mGj4Eu3SYyjPGCZkH/9Q64ypkY9GxUtKMb2KX                                       
1GXqp0024wPzPRx2YD2l     
-----END CERTIFICATE-----
subject=/CN=www.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3010 bytes and written 368 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 66109FB6304AB99BD84930DEC02F64C91E84F9E99F4C87EB69602FF8A88E799B
    Session-ID-ctx:
    Master-Key: B5...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510441023
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
DONE

Domain that does not support the TLS 1.0 protocol.

$ echo -n | openssl s_client -connect www.example.org:443 -servername www.example.org -tls1
CONNECTED(00000003)
140592647956120:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510220371
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

You can require or disable a particular protocol version by passing one of the following command-line options (the left-hand option forces that version, the right-hand one excludes it).

 -ssl2   | -no_ssl2
 -ssl3   | -no_ssl3
 -tls1   | -no_tls1
 -tls1_1 | -no_tls1_1
 -tls1_2 | -no_tls1_2

For example, try to connect using the TLS 1.2 protocol.

$ echo -n | openssl s_client -connect www.example.com:443 -servername www.example.com -tls1_2
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = cloud.fishsilentcruise.space
verify return:1
---
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFGzCCBAOgAwIBAgISAzpgi8Wdjy7tAtI+D75dppZVMA0GCSqGSIb3DQEBCwUA
[...]
qy+f2pU+FSu8wVJVRpxAR1poMH3mGj4Eu3SYyjPGCZkH/9Q64ypkY9GxUtKMb2KX
1GXqp0024wPzPRx2YD2l
-----END CERTIFICATE-----
subject=/CN=www.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3004 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: E66F0B186C5601499F988C331C3C92B01CEC3AE7AF562DD7905495289B980ACA
    Session-ID-ctx:
    Master-Key: 1F...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510220380
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
DONE

You can use the exit code to check support for a specific protocol version and automate the whole process with a simple shell script.
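The script below is an added example, not part of the original post: it runs the same openssl s_client command once per protocol version, uses the exit code (non-zero when the handshake fails) to decide support, and parses the "Cipher is" line to report which cipher was negotiated. It assumes an openssl build that understands the -ssl3, -tls1, -tls1_1 and -tls1_2 flags listed above; the two sample outputs embedded in it are constructed from the shape of the outputs quoted above, so the parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post: probe one host for each
# protocol version with openssl s_client and report what it accepts.
# Assumes an openssl binary that understands the -ssl3/-tls1/-tls1_1/-tls1_2
# flags listed above (OpenSSL 1.1.1 and later also accept -tls1_3).

# Print the cipher from the "New, TLSv1/SSLv3, Cipher is ..." line of
# s_client output read from stdin; print nothing for a failed handshake,
# whose line reads "New, (NONE), Cipher is (NONE)".
negotiated_cipher() {
    sed -n 's/^New, .*Cipher is //p' | grep -v '^(NONE)$'
}

# Exit 0 if s_client output on stdin shows a completed handshake, 1 otherwise.
handshake_completed() {
    [ -n "$(negotiated_cipher)" ]
}

# Run one handshake attempt. stdin is closed immediately (as "echo -n |" does
# above) so s_client exits as soon as the handshake finishes or fails.
# Exit status is that of openssl: non-zero when the handshake fails, and
# also when the flag is unknown to this build (e.g. -ssl3 without SSLv3).
probe() {
    host=$1; port=$2; flag=$3
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" "$flag" 2>/dev/null
}

# Try each protocol version against host:port and print one line per version.
scan_host() {
    host=$1; port=${2:-443}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        if out=$(probe "$host" "$port" "$flag"); then
            printf '%-7s supported, cipher %s\n' "${flag#-}" \
                "$(printf '%s\n' "$out" | negotiated_cipher)"
        else
            printf '%-7s not supported\n' "${flag#-}"
        fi
    done
}

# Constructed samples shaped like the two outputs quoted above, so the
# parsing helpers can be exercised without network access.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# Usage: sh tlscheck.sh www.example.com [port]
if [ $# -gt 0 ]; then
    scan_host "$@"
fi
```

Two caveats when reading the results: -ssl2 is no longer accepted by modern OpenSSL builds, so it is left out of the loop, and some distributions ship an openssl.cnf that sets MinProtocol to TLSv1.2, in which case a TLS 1.0 handshake failure reflects the client's own policy rather than the server's configuration. Confirm a "not supported" verdict from a client that is known to still offer the version being tested.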

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long-time supporter of the Free Software Foundation and the Debian operating system. He is also open to new opportunities and challenges.