How to determine if a web server still supports the deprecated TLS 1.0 protocol

Use the essential openssl utility to quickly determine whether your web server still supports the deprecated TLS 1.0 protocol.

A domain that supports the TLS 1.0 protocol:

$ echo -n | openssl s_client -connect www.example.com:443 -servername www.example.com -tls1
CONNECTED(00000003)                                                                                    
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3                                           
verify return:1                                                                                        
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3                                     
verify return:1                                                                                        
depth=0 CN = www.example.com                                                              
verify return:1                                                                                        
---                                                                                                    
Certificate chain                                                                                      
 0 s:/CN=www.example.com                                                                  
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3                                               
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3                                               
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3                                                  
---                                                                                                    
Server certificate                                                                                     
-----BEGIN CERTIFICATE-----                                                                            
MIIFGzCCBAOgAwIBAgISAzpgi8Wdjy7tAtI+D75dppZVMA0GCSqGSIb3DQEBCwUA                                       
[...]
qy+f2pU+FSu8wVJVRpxAR1poMH3mGj4Eu3SYyjPGCZkH/9Q64ypkY9GxUtKMb2KX                                       
1GXqp0024wPzPRx2YD2l     
-----END CERTIFICATE-----
subject=/CN=www.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3010 bytes and written 368 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 66109FB6304AB99BD84930DEC02F64C91E84F9E99F4C87EB69602FF8A88E799B
    Session-ID-ctx:
    Master-Key: B5...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510441023
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
DONE

A domain that does not support the TLS 1.0 protocol:

$ echo -n | openssl s_client -connect www.example.org:443 -servername www.example.org -tls1
CONNECTED(00000003)
140592647956120:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510220371
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

You can require or disable the use of particular cryptographic protocols by specifying the following command-line options.

 -ssl2   | -no_ssl2
 -ssl3   | -no_ssl3
 -tls1   | -no_tls1
 -tls1_1 | -no_tls1_1
 -tls1_2 | -no_tls1_2

For example, try to connect using the TLS 1.2 protocol.

$ echo -n | openssl s_client -connect www.example.com:443 -servername www.example.com -tls1_2
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = cloud.fishsilentcruise.space
verify return:1
---
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFGzCCBAOgAwIBAgISAzpgi8Wdjy7tAtI+D75dppZVMA0GCSqGSIb3DQEBCwUA
[...]
qy+f2pU+FSu8wVJVRpxAR1poMH3mGj4Eu3SYyjPGCZkH/9Q64ypkY9GxUtKMb2KX
1GXqp0024wPzPRx2YD2l
-----END CERTIFICATE-----
subject=/CN=www.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3004 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: E66F0B186C5601499F988C331C3C92B01CEC3AE7AF562DD7905495289B980ACA
    Session-ID-ctx:
    Master-Key: 1F...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510220380
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
DONE

You can use the exit code to verify support for specific cryptographic protocols and automate the whole process with a simple shell script.
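
One way to script the exit-code check described above. This is an added example, not the author's own script; the function names probe and check_protocols, the output format and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which protocol versions a server accepts, based on
# the exit code of "openssl s_client" (0 = handshake completed).

# probe HOST PORT [FLAG] -> exit status of one handshake attempt.
# Without FLAG, openssl negotiates the best version both sides support.
probe() {
    openssl s_client -connect "$1:$2" -servername "$1" ${3:+"$3"} \
        </dev/null >/dev/null 2>&1
}

# check_protocols HOST [PORT] -> prints one "flag: result" line per protocol.
# Returns 0 if no deprecated version was accepted, 1 if TLS 1.0 or 1.1
# (both deprecated by RFC 8996) was accepted, 2 if the baseline failed.
check_protocols() {
    host=$1 port=${2:-443} deprecated=0
    # Baseline first: if a plain connection fails, a failed -tls1 probe
    # would say nothing about the server's protocol support.
    if ! probe "$host" "$port"; then
        echo "$host:$port unreachable or handshake failed"
        return 2
    fi
    for flag in -tls1 -tls1_1 -tls1_2; do
        if probe "$host" "$port" "$flag"; then
            case $flag in
                -tls1|-tls1_1) echo "$flag: accepted (deprecated)"; deprecated=1 ;;
                *)             echo "$flag: accepted" ;;
            esac
        else
            echo "$flag: rejected"
        fi
    done
    return $deprecated
}

# Runs only when hosts are given on the command line, for example:
#   sh check-tls.sh www.example.com www.example.org
for h in "$@"; do
    check_protocols "$h" || true
done
```

A "rejected" result can also come from a local OpenSSL build that no longer offers the old protocol, so confirm the client side still supports -tls1 before reading it as a server-side result.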

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator, and a long-time supporter of the Free Software Foundation and the Debian operating system.