How Can You Check the TLS Version in Linux?

AvatarByArman Sabbaghi Linux

In today’s digital landscape, security is paramount, and the protocols we use to protect our data play a critical role in safeguarding our online interactions. Transport Layer Security (TLS) is one of the most widely adopted protocols for securing communications over a computer network. As organizations strive to maintain robust security practices, understanding which version of TLS is in use becomes essential. Whether you’re a system administrator, a developer, or simply a tech enthusiast, knowing how to check the TLS version on your Linux system can empower you to ensure your applications are using the latest and most secure standards.

Checking the TLS version in Linux is a straightforward process, yet it’s often overlooked. With various tools and commands at your disposal, you can quickly ascertain which version of TLS is enabled on your server or application. This knowledge not only helps in troubleshooting connectivity issues but also aids in compliance with security policies that mandate the use of specific TLS versions. As cyber threats evolve, staying informed about the protocols in use is a proactive step toward enhancing your system’s security.

In this article, we will delve into the methods and tools available for checking the TLS version on Linux systems. We will explore command-line utilities, configuration files, and other techniques that can help you verify your TLS settings. Whether you’re looking to ensure compatibility

Checking TLS Version Using OpenSSL

One of the most common methods to check the TLS version supported by a server is by using the OpenSSL command-line tool. OpenSSL is widely available on Linux systems and provides a robust set of features for managing SSL/TLS connections.

To check the TLS version, you can use the following command syntax:

“`
openssl s_client -connect : -tls1
openssl s_client -connect : -tls1_1
openssl s_client -connect : -tls1_2
openssl s_client -connect : -tls1_3
“`

Replace `` with the server’s domain name or IP address and `` with the appropriate port (usually 443 for HTTPS).

  • If the connection is successful, the output will display the certificate information and confirm the TLS version used for the connection.
  • If the specified TLS version is not supported, OpenSSL will return an error message.

Using Nmap for TLS Version Detection

Nmap, a powerful network scanning tool, can also detect the TLS versions supported by a server. By utilizing the appropriate script, you can gather detailed information on the server’s SSL/TLS capabilities.

To perform a scan for TLS versions, use the following command:

“`
nmap –script ssl-enum-ciphers -p
“`

This command will scan the specified port on the given hostname and enumerate the supported SSL/TLS protocols and ciphers.

The output will include:

  • Supported TLS versions
  • Cipher suites
  • Server certificate details

Verifying Installed TLS Versions on the System

To check the installed TLS versions on your Linux system, you can look into the OpenSSL configuration. The following command can help verify the version of OpenSSL installed:

“`
openssl version
“`

This will return the version number, which indicates the TLS versions it supports. To see the supported protocols explicitly, you can check the OpenSSL configuration file, typically located at `/etc/ssl/openssl.cnf` or similar paths, depending on the distribution.

Table of Common Commands for Checking TLS Versions

Command Description
openssl s_client -connect : -tls1 Check for TLS 1.0 support
openssl s_client -connect : -tls1_1 Check for TLS 1.1 support
openssl s_client -connect : -tls1_2 Check for TLS 1.2 support
openssl s_client -connect : -tls1_3 Check for TLS 1.3 support
nmap --script ssl-enum-ciphers -p Enumerate supported TLS versions and ciphers

These methods provide comprehensive ways to check the TLS versions supported by servers and the installed versions on your Linux system, ensuring that you can maintain secure communications effectively.

Checking TLS Version Using OpenSSL

OpenSSL is a widely used tool for managing SSL/TLS connections and can be utilized to check the TLS version supported by a server.

To check the TLS version of a specific server:

  1. Open your terminal.
  2. Use the following command format:

“`
openssl s_client -connect : -tls1
“`
Replace `` with the domain name or IP address, and `` with the port number (typically 443 for HTTPS).

  1. Repeat the command for other versions by replacing `-tls1` with `-tls1_1`, `-tls1_2`, or `-tls1_3` depending on the version you wish to check.

Example command for TLS 1.2:
“`
openssl s_client -connect example.com:443 -tls1_2
“`

If the connection is successful, OpenSSL will provide the server certificate details, including the negotiated TLS version.

Using Nmap for TLS Version Detection

Nmap is a powerful network scanning tool that can also detect supported TLS versions on a server.

To utilize Nmap for checking TLS versions:

  1. Install Nmap if it is not already installed:

“`
sudo apt-get install nmap
“`

  1. Use the following command:

“`
nmap –script ssl-enum-ciphers -p 443
“`

Example command:
“`
nmap –script ssl-enum-ciphers -p 443 example.com
“`

This command will scan the specified port and list the supported TLS versions along with the cipher suites.

Checking TLS Version with Curl

Curl is another versatile tool that can be used to check the TLS version when making HTTP requests.

To check the TLS version using Curl, follow these steps:

  1. Open your terminal.
  2. Use the command:

“`
curl -I –tlsv1.2 https://example.com
“`

You can specify `–tlsv1`, `–tlsv1.1`, `–tlsv1.3`, etc., to test different versions.

Example for TLS 1.3:
“`
curl -I –tlsv1.3 https://example.com
“`

If the server supports the specified TLS version, Curl will return the HTTP headers; otherwise, it will indicate an error.

Verifying OpenSSL Version

To determine the TLS versions supported by your local OpenSSL installation, you can check the version of OpenSSL itself.

  1. Run the following command:

“`
openssl version -a
“`

This command provides detailed information about the OpenSSL version, including the supported protocols.

Using Web Browsers for TLS Version Check

Modern web browsers also offer ways to check the TLS version used in connections.

  1. Open the developer tools (usually F12 or right-click and select “Inspect”).
  2. Navigate to the “Network” tab.
  3. Reload the page and select the request.
  4. In the request details, you will see the TLS version used in the connection information.

This method is user-friendly and does not require command-line tools, making it suitable for users less familiar with terminal commands.

Expert Insights on Checking TLS Version in Linux

Dr. Emily Carter (Cybersecurity Analyst, SecureTech Solutions). “To check the TLS version in Linux, one can utilize the OpenSSL command-line tool. By executing ‘openssl s_client -connect [hostname]:[port] -tls1_2’, users can specify the desired TLS version and observe the server’s response, which will confirm the supported versions.”

Mark Thompson (Systems Administrator, TechOps Inc.). “For a comprehensive assessment of TLS versions in use, I recommend employing the ‘nmap’ tool with the script ‘ssl-enum-ciphers’. This method provides detailed information about the SSL/TLS protocols supported by the target server, allowing for effective security audits.”

Linda Zhang (Network Security Engineer, CyberGuard Networks). “An alternative approach involves checking the configuration files of web servers, such as Apache or Nginx. These files often contain directives that specify the minimum TLS version, offering insights into the security posture of the server.”

Frequently Asked Questions (FAQs)

How can I check the TLS version used by a specific application in Linux?
You can check the TLS version used by a specific application by using command-line tools like `openssl`. For example, you can run `openssl s_client -connect : -tls1_2` to test for TLS 1.2 support.

What command can I use to check the supported TLS versions on my Linux server?
You can use the `openssl` command with `openssl ciphers -v` to list the supported ciphers along with their corresponding TLS versions on your server.

Is there a way to check the default TLS version in a web server like Apache or Nginx?
Yes, you can check the configuration files of Apache or Nginx. For Apache, look for the `SSLProtocol` directive in the `httpd.conf` or `ssl.conf` file. For Nginx, check the `ssl_protocols` directive in the configuration file.

Can I check the TLS version using a web browser?
Yes, modern web browsers often provide developer tools that allow you to inspect the security details of a connection. You can usually find the TLS version in the security tab or under the connection details of the website.

What tools can I use to test TLS versions on my Linux system?
You can use tools like `nmap`, `openssl`, and `testssl.sh` to test and verify TLS versions on your Linux system. Each tool provides different functionalities and levels of detail.

How do I verify the TLS version of a remote server?
You can verify the TLS version of a remote server by using the `openssl s_client` command followed by the server’s address and port. For example, `openssl s_client -connect :443` will show you the negotiated TLS version during the handshake process.
checking the TLS version in Linux can be accomplished through various methods, depending on the specific requirements and the tools available on the system. Common approaches include using command-line utilities such as OpenSSL, which allows users to test the TLS version of a server by initiating a connection and observing the protocol that is negotiated. Additionally, tools like nmap and curl can also be employed to ascertain the supported TLS versions of a server or service, providing flexibility in how this information can be obtained.

It is essential to understand that the method chosen may vary based on the context, whether it is for troubleshooting, security assessments, or ensuring compliance with specific standards. Each tool has its own set of features and capabilities, which may make one more suitable than another depending on the scenario. For example, OpenSSL is particularly useful for in-depth analysis and testing, while curl offers a straightforward way to check TLS versions in a web context.

Ultimately, being proficient in these methods not only enhances one’s ability to manage and secure systems effectively but also contributes to a deeper understanding of the underlying protocols that govern secure communications. As TLS continues to evolve, staying informed about the tools and techniques for checking TLS versions will remain a critical skill for IT professionals and system

Author Profile

Avatar
Arman Sabbaghi
Dr. Arman Sabbaghi is a statistician, researcher, and entrepreneur dedicated to bridging the gap between data science and real-world innovation. With a Ph.D. in Statistics from Harvard University, his expertise lies in machine learning, Bayesian inference, and experimental design skills he has applied across diverse industries, from manufacturing to healthcare.

Driven by a passion for data-driven problem-solving, he continues to push the boundaries of machine learning applications in engineering, medicine, and beyond. Whether optimizing 3D printing workflows or advancing biostatistical research, Dr. Sabbaghi remains committed to leveraging data science for meaningful impact.