To verify with OpenSSL whether a server supports TLS 1.2 or 1.3, you can use openssl s_client to test it.
- See: man openssl-s_client
- -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3
- These options require or disable the use of the specified SSL or TLS protocols. When a specific TLS version is required, only that version will be offered or accepted.
- Only one specific protocol can be given and it cannot be combined with any of the no_ options. The no_* options do not work with s_time and ciphers commands but work with s_client and s_server commands.
Checking TLS versions with the OpenSSL client
To test with openssl s_client whether TLS 1.3, TLS 1.0, and so on are supported, the command parameters are as follows:
- openssl s_client -connect www.example.com:443 -tls1_3
- openssl s_client -connect www.example.com:443 -tls1
Show the cipher suites supported by the local openssl
- openssl ciphers -v | grep TLSv1.3
Test a specific cipher suite
- echo | openssl s_client -tls1_3 -ciphersuites 'TLS_AES_256_GCM_SHA384' -connect tls13.cloudflare.com:443
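The version flags above and the cipher-suite test are one-off commands whose result you read by eye from the s_client banner. The following script is an added example, not part of the original notes: it wraps the same openssl s_client invocation in a loop over every TLS version flag, closes stdin so s_client exits right after the handshake, and parses the "New, <protocol>, Cipher is <suite>" line that s_client prints (it reads "New, (NONE), Cipher is (NONE)" when no handshake completed). The host and port arguments and the sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): require each TLS version in
# turn against host:port with openssl s_client and report what negotiates.

# parse_protocol: read openssl s_client output on stdin and print the
# negotiated protocol, or "none" when no handshake completed.
# On success s_client prints  "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384"
# and on failure               "New, (NONE), Cipher is (NONE)".
parse_protocol() {
    awk -F', ' '
        /^New, / { proto = $2 }
        END {
            if (proto == "" || proto == "(NONE)") print "none"
            else print proto
        }'
}

# negotiated_cipher: the cipher suite from the same "New, ..." line, or "none".
negotiated_cipher() {
    awk -F', ' '
        /^New, / { sub(/^Cipher is /, "", $3); cipher = $3 }
        END {
            if (cipher == "" || cipher == "(NONE)") print "none"
            else print cipher
        }'
}

# probe_version: require one protocol (tls1, tls1_1, tls1_2, tls1_3) against
# host:port and print the negotiated protocol or "none". stdin is redirected
# from /dev/null so s_client does not wait for interactive input.
probe_version() {
    host=$1; port=$2; ver=$3
    openssl s_client -connect "$host:$port" -servername "$host" "-$ver" \
        </dev/null 2>&1 | parse_protocol
}

# probe_tls_versions: walk every version flag and print one line per result.
probe_tls_versions() {
    host=$1; port=${2:-443}
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-8s %s\n' "$ver" "$(probe_version "$host" "$port" "$ver")"
    done
}

# Constructed s_client output (assumed, not captured from a real server) so
# the parsers can be exercised offline.
sample_success() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384' \
        'Server public key is 2048 bit'
}
sample_failure() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'error:0A000102:SSL routines::unsupported protocol' \
        'New, (NONE), Cipher is (NONE)'
}

# Usage: sh tls-probe.sh www.example.com 443
if [ -n "${1:-}" ]; then
    probe_tls_versions "$1" "${2:-443}"
fi
```

A "none" result does not always mean the server rejected that version: a modern OpenSSL build may refuse to offer TLS 1.0 or 1.1 itself (the error then mentions "no protocols available" rather than a server alert), so confirm the client side first with `openssl ciphers -v` and the man page before concluding the server is at fault.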
List all the certificates the server presents (list certificate)
- openssl s_client -connect <host>:<port> -servername <host> -showcerts
- echo | openssl s_client -connect <host>:<port> -servername <host> 2>/dev/null | openssl x509 -noout -text
- echo | openssl s_client -connect www.example.com:443 -servername www.example.com 2>/dev/null | openssl x509 -noout -text