How to Check TLS 1.2 Support on Remote Servers Using OpenSSL on RHEL/CentOS


3 views

OpenSSL's s_client command is the most reliable way to verify TLS protocol support. While CentOS 5.9 ships with an older OpenSSL version (0.9.8), it still supports basic protocol testing:

openssl s_client -connect example.com:443 -tls1_2

If the connection succeeds, you'll see the certificate chain and a "CONNECTED" message. A failed TLS 1.2 handshake will typically show:

140735635550112:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:

For systems with extremely old OpenSSL versions, consider these approaches:

# Using curl (if available):
curl -Iv --tlsv1.2 https://example.com 2>&1 | grep "SSL connection"

# Using nmap's scripting engine:
nmap --script ssl-enum-ciphers -p 443 example.com

Key indicators of successful TLS 1.2 negotiation:

  • "Protocol : TLSv1.2" in OpenSSL output
  • "Cipher : ECDHE-RSA-AES256-GCM-SHA384" (or other TLS 1.2 ciphers)
  • No "handshake failure" or "protocol version" errors

If your OpenSSL lacks TLS 1.2 support in the client:

# Compile a newer OpenSSL version in a custom location:
wget https://www.openssl.org/source/openssl-1.0.2u.tar.gz
tar -xzf openssl-1.0.2u.tar.gz
cd openssl-1.0.2u
./config --prefix=/opt/openssl -openssldir=/opt/openssl shared
make && make install
/opt/openssl/bin/openssl s_client -connect example.com:443 -tls1_2

When working with secure web servers, verifying TLS protocol support is crucial for security compliance. If you're on CentOS 5.9 or similar RHEL-based systems, here's how to check if a remote server specifically supports TLS 1.2.

The most reliable method is using OpenSSL's s_client with specific protocol flags:

openssl s_client -connect example.com:443 -tls1_2

If the connection succeeds, TLS 1.2 is supported. For a failed connection, you'll typically see:

CONNECTED(00000003)
140735524012928:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:s23_clnt.c:769:

If you have cURL installed with OpenSSL support:

curl -Ikv --tlsv1.2 https://example.com

Look for these indicators in the verbose output:

* SSL connection using TLSv1.2 / AES256-GCM-SHA384

For a comprehensive check across all TLS versions:

for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do
    echo -n "$v: "
    openssl s_client -connect example.com:443 -$v </dev/null 2>&1 | grep "Protocol"
done

On CentOS 5.9 with OpenSSL 0.9.8, you might need to use:

openssl s_client -connect example.com:443 -no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1

This forces TLS 1.2 if available.

Here's a complete bash script to test TLS support:

#!/bin/bash

SERVER=$1
PORT=${2:-443}

echo "Testing TLS protocols for $SERVER:$PORT"

protocols=("ssl2" "ssl3" "tls1" "tls1_1" "tls1_2" "tls1_3")

for proto in "${protocols[@]}"; do
    echo -n "$proto: "
    (openssl s_client -connect ${SERVER}:${PORT} -${proto} -no_ign_eof 2>/dev/null | grep "Protocol" || echo "Not supported") | head -1
done

Successful TLS 1.2 connection will show:

Protocol  : TLSv1.2

While failure indicates the protocol isn't supported.

Remember that CentOS 5.9 is extremely outdated and may have vulnerabilities. For production use, consider upgrading to a supported version with modern OpenSSL.