I have googled and found
https://serverfault.com/questions/638691/how-can-i-verify-if-tls-1-2-is-supported-on-a-remote-web-server-from-the-rhel-ce,
the command:
openssl s_client -connect google.com:443 -tls1_2
does not work on macOS because of an "unknown option -tls1_2" error.
Scroll to the System section, then click Open your computer's proxy settings. Select the Advanced tab. Scroll to the Security section, then check Use TLS 1.2. Click OK, then close Chrome.
In the Windows menu search box, type Internet options. Under Best match, click Internet Options. In the Internet Properties window, on the Advanced tab, scroll down to the Security section. Check the Use TLS 1.2 checkbox.
How to check if TLS 1.2 is enabled? If the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault is present, the value should be 0.
You could use curl to test it. I believe curl is installed with command line tools on OS X.
$ curl https://google.com/ --tlsv1.2 --verbose
* Trying 46.134.192.54...
* Connected to google.com (46.134.192.54) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.google.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.43.0
> Accept: */*
Thanks to this great answer on this page, I wrote this simple script to test a server for TLS 1.0, 1.1, and 1.2 support. This should work on any Linux/Unix flavor, I suspect, and definitely works on Mac, as that's what I'm using to test it.
$ tls_test.sh tls1test.salesforce.com
TLS1.2 is supported on tls1test.salesforce.com
TLS1.1 is supported on tls1test.salesforce.com
### TLS1.0 is NOT SUPPORTED on tls1test.salesforce.com ###
#!/usr/bin/env bash

# Print a message and stop with a non-zero status
die()
{
    echo "$*"
    exit 1
}

# Get server to test, and timeout in seconds
server=$1
timeout_in_seconds=${2:-20}
case "$timeout_in_seconds" in
    ''|*[!0-9]*) die "Your timeout value should be an integer value, not '$2'" ;;
esac

# where to log full responses to
dump_file=${3:-/tmp/__dump_tls_info}
rm -f "$dump_file"

show_help()
{
    me=$(basename "$0")
    info=$(cat <<EOF
Shows which versions of TLS a server supports.
usage: $me SERVER {TIMEOUT_IN_SECONDS} {DUMP_FILE}
e.g. The following are public test servers that demonstrate
support for various TLS versions.
$ $me tls1test.salesforce.com # validate TLS 1.0 is blocked
$ $me tls-v1-0.badssl.com:1010 # validate only TLS 1.0 enabled
$ $me tls-v1-1.badssl.com:1011 # validate only TLS 1.1 enabled
$ $me smtp.gmail.com:465 # validate TLS 1.0+ are all supported
Note: default timeout in seconds is 20, and it dumps full output to $dump_file
EOF
)
    echo "$info"
    exit
}

if [ -z "$server" ]; then
    show_help
fi

testTLS()
{
    tls="$1"
    tlsDisplay=${2:-$1}

    # Build the command as an array so every argument stays a single word
    CMD=(curl --max-time "$timeout_in_seconds" -v -I --silent)
    if [ -n "$tls" ]; then
        # Current curl documents --tlsvX.Y as "version X.Y or later"
        CMD+=("--tlsv$tls")
    fi
    CMD+=("https://$server/")

    OUT=$("${CMD[@]}" 2>&1)
    CURL_VERSION=$(curl --version)

    # Pick the telltale messages out of curl's verbose output
    OUT_CURL_OLD=$(echo "$OUT" | grep "option --tls" | grep "unknown")
    OUT_TLS=$(echo "$OUT" | grep "topped the pause stream")
    OUT_TLS_HANDSHAKE=$(echo "$OUT" | grep "handshake fail")
    OUT_TIMEOUT=$(echo "$OUT" | grep "onnection timed out after")

    # Append the full transcript to the dump file
    {
        echo
        echo "#######################################"
        echo "testing TLS$tls is supported on $server"
        echo "curl version: $CURL_VERSION"
        echo "curl location: $(command -v curl)"
        # sw_vers exists only on macOS; fall back to uname elsewhere
        echo "os version: $(sw_vers 2>/dev/null || uname -a)"
        echo "ran the following:"
        echo "${CMD[*]}"
        echo "$OUT"
        echo
    } >> "$dump_file"

    if [ -n "$OUT_TIMEOUT" ]; then
        echo "connection to $server timed out after $timeout_in_seconds seconds"
        # A timeout says nothing about TLS support, so stop here
        return
    fi

    if [ -n "$OUT_CURL_OLD" ]; then
        echo "Your version of curl is too old, and can't test for TLS $tls support"
        return
    fi

    if [ -n "$OUT_TLS" ]; then
        echo "### TLS $tlsDisplay is NOT SUPPORTED on $server ###"
    else
        if [ -n "$OUT_TLS_HANDSHAKE" ]; then
            echo "### TLS $tlsDisplay is NOT SUPPORTED on $server ###"
        else
            echo "TLS $tlsDisplay is supported on $server"
        fi
    fi
}

testTLS 1.2
testTLS 1.1
testTLS 1.0
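An added example, not part of the answers on this page: current curl documents --tlsv1.X as "that version or later", so this sketch also passes --tls-max (curl 7.54.0 and later) and reads the negotiated version back from the verbose output instead of inferring it from error text. The function names and the OpenSSL-style sample line are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pin one TLS version per probe and check what was negotiated.

# Read curl -v output on stdin; print the negotiated TLS version (e.g. 1.2).
# Covers the Secure Transport wording shown on this page and the
# OpenSSL-backend wording ("SSL connection using TLSv1.2 / ...").
negotiated_version() {
    sed -n \
        -e 's/^\* TLS \([0-9.]*\) connection using .*/\1/p' \
        -e 's/^\* SSL connection using TLSv\([0-9.]*\) .*/\1/p' | head -n 1
}

# verdict REQUESTED VERBOSE_OUTPUT -> supported | negotiated-X.Y | no-handshake
verdict() {
    local want=$1 got
    got=$(printf '%s\n' "$2" | negotiated_version)
    [ "$got" = "1" ] && got=1.0          # OpenSSL prints TLS 1.0 as "TLSv1"
    if [ -z "$got" ]; then
        echo "no-handshake"
    elif [ "$got" = "$want" ]; then
        echo "supported"
    else
        echo "negotiated-$got"           # a different version was agreed
    fi
}

# probe HOST[:PORT] VERSION [TIMEOUT]; needs network and curl >= 7.54.0
probe() {
    local out
    out=$(curl --max-time "${3:-20}" -s -v -I -o /dev/null \
               "--tlsv$2" --tls-max "$2" "https://$1/" 2>&1) || true
    verdict "$2" "$out"
}

# Sample verbose lines: the first is from the curl answer on this page,
# the second is constructed in the OpenSSL-backend wording.
SAMPLE_ST='* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'
SAMPLE_OSSL='* SSL connection using TLSv1 / ECDHE-RSA-AES128-SHA'

if [ "$#" -ge 1 ]; then
    for v in 1.2 1.1 1.0; do
        echo "TLS $v on $1: $(probe "$1" "$v" "${2:-20}")"
    done
else
    echo "asked 1.0, page sample:        $(verdict 1.0 "$SAMPLE_ST")"
    echo "asked 1.0, constructed sample: $(verdict 1.0 "$SAMPLE_OSSL")"
fi
```

Run it with a host argument to probe a server; without arguments it only classifies the two embedded sample lines.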
You could try something like this:
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.google.com
This is probably because your openssl is old, which does not have TLSv1.2 updates. Please consider upgrading your openssl, then it should work.
I have tested this on my Mac and it works fine. Similarly, there is now TLSv1.3 in the market, but I've not upgraded my OpenSSL to the latest, so for -tls1_3 I get the same error.