Both SSL and TLS protocols aim to protect sensitive information used during transactions such as payment processing that requires authentication to prove the identity of our server to the users.
TLS 1.3 is the latest version of the TLS protocol. It is a descendent of SSL and is regarded to be more powerful and effective. OpenSSL command is the easiest way to check TLS version. The following commands can be used to find TLS version:
- openssl s_client -connect host.com:443 -tls1
- openssl s_client -connect host.com:443 -tls1_1
- openssl s_client -connect host.com:443 -tls1_2
- openssl s_client -connect host.com:443 -tls1_3
- nmap –script ssl-enum-ciphers -p 443 host.com
Understanding SSL
SSL stands for “Secure Socket Layer.”
- Netscape developed the first version of SSL in 1995.
- SSL is a cryptographic protocol that uses explicit connections to establish secure communication between web server and client.
- Three versions of SSL have been released: SSL 1.0, 2.0, and 3.0.
- All versions of SSL have been found vulnerable, and they all have been deprecated.
Understanding TLS
TLS stands for “Transport Layer Security.”
- The first version of TLS was developed by the Internet Engineering Taskforce (IETF) in 1999.
- Four versions of TLS have been released: TLS 1.0, 1.1, 1.2, and 1.3.
- TLS is also a cryptographic protocol that provides secure communication between web server and client via implicit connections. It’s the successor of SSL protocol.
- TLS 1.0 and 1.1 have been “broken” and are deprecated as of March 2020. TLS 1.2 is the most widely deployed protocol version.
Which is more secure for SSL and TLS?
TLS provides a more robust message authentication system, key material generation along other encryption algorithms when compared to SSL. Thus, TLS provides support with remote passwords, elliptical curve keys and pre-shared keys which are not supported by SSL. TLS still provides backward compatibility for older devices.
The TLS protocol works on two layers where the TLS record protocol provides security to connections. The TLS handshake protocol brings together the client and the server for security key negotiation. Both client and the server authenticate each other before any data transmission.
Understanding SSL Certificates and TLS Certificates
That’s because both “SSL certificate” and “TLS certificate” essentially mean the same thing: They’re both X.509 digital certificates that help to authenticate the server and facilitate the handshake process to create a secure connection.
Some people call them “SSL certificates,” while others refer to them as “TLS certificates.” The name doesn’t matter much because a certificate isn’t the same thing as the protocol. Whatever we call them, what matters is the protocol that it operates on. And these protocols are determined by our server configuration, not by the digital certificates.
Latest TLS version
TLS 1.3 is the latest version of the TLS protocol. TLS, which is used by HTTPS and other network protocols for encryption, is the modern version of SSL. TLS 1.3 dropped support for older, less secure cryptographic features, and it sped up TLS handshakes, among other improvements.
Check TLS version on SSLlabs
SSL Labs is a tool for SSL/TLS testing purpose. It allows you to analyze the SSL/TLS configuration of a given website or IP address.
When you access this URL, the SSL Labs tool performs a series of tests and assessments on the SSL/TLS configuration of the specified domain (google.com) or IP address (142.251.40.46). It checks various aspects of the configuration, including the supported TLS versions, cipher suites, certificate validity, and other security-related settings.
The tool generates a detailed report on the SSL/TLS configuration and assigns a grade (from A+ to F) based on the overall security and compliance level.
Using this SSL Labs tool, you can gain insights into the SSL/TLS security of a website or IP address, helping you assess its security posture and identify potential vulnerabilities or misconfigurations.
Check the TLS version in Linux
Some vendors already have terminated the support for earlier TLS versions (TLS 1.0 and TLS 1.1) and have completely migrated to TLS version 1.2 even 1.3.
Here’s how you can check TLS version in Linux using openssl command.
- Open a terminal on your Linux system.
- Type the following command to check the TLS version supported by a specific website: openssl s_client -connect example.com:443 -tls1_2
- Replace example.com with the domain or website you want to check. The option -tls1_2 specifies that you want to check the TLS 1.2 version specifically. You can replace it with -tls1_3 or other versions to check different TLS versions.
If the connection is successful, you will see information about the TLS handshake and the negotiated version.
Alternatively, you can omit the specific TLS version option to let openssl negotiate the supported version automatically:
openssl s_client -connect example.com:443
This command will establish an SSL/TLS connection to the specified domain on the default HTTPS port (443) and display information about the negotiated TLS version.
Please note that the openssl command should be installed on your Linux system for these commands to work. If it’s not available, you may need to install it using your package manager, such as apt or yum.
We can use the following command to check if which TLS version google.com supports.
#openssl s_client -connect www.google.com:443 -tls1
#openssl s_client -connect www.google.com:443 -tls1_1
#openssl s_client -connect www.google.com:443 -tls1_2
#openssl s_client -connect www.google.com:443 -tls1_3
- -tls1 for TLSv1
- -tls1_1 for TLSv1.1
- -tls1_2 for TLSv1.2
We can also use nmap command to check the TLS version in Linux.
nmap --script ssl-enum-ciphers -p 443 www.google.com
When you execute this command, Nmap will initiate a scan against the target domain on port 443. The ssl-enum-ciphers script will then perform a series of tests to enumerate the supported SSL/TLS ciphers on the server. It will gather information about the cipher suites, their strength, encryption algorithms, and other relevant details.
The script will generate a report that lists the identified SSL/TLS ciphers and their associated properties. This information can be helpful in assessing the security level and cipher suite configuration of the target server.
# nmap --script ssl-enum-ciphers -p 443 www.google.com Starting Nmap 7.70 ( https://nmap.org ) at 2023-05-27 08:05 GMT Nmap scan report for www.google.com (142.251.46.228) Host is up (0.00062s latency). Other addresses for www.google.com (not scanned): 2607:f8b0:4005:810::2004 rDNS record for 142.251.46.228: sfo03s27-in-f4.1e100.net PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | TLSv1.1: | ciphers: | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | TLSv1.2: | ciphers: | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack |_ least strength: C Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
Related: