SSL vs TLS and how to check TLS version in Linux

Last updated: May 27, 2023
David Cao
Linux

Both SSL and TLS protocols aim to protect sensitive information used during transactions such as payment processing that requires authentication to prove the identity of our server to the users.

TLS 1.3 is the latest version of the TLS protocol. It is a descendent of SSL and is regarded to be more powerful and effective. OpenSSL command is the easiest way to check TLS version. The following commands can be used to find TLS version:

openssl s_client -connect host.com:443 -tls1
openssl s_client -connect host.com:443 -tls1_1
openssl s_client -connect host.com:443 -tls1_2
openssl s_client -connect host.com:443 -tls1_3
nmap –script ssl-enum-ciphers -p 443 host.com

Understanding SSL

SSL stands for “Secure Socket Layer.”

Netscape developed the first version of SSL in 1995.
SSL is a cryptographic protocol that uses explicit connections to establish secure communication between web server and client.
Three versions of SSL have been released: SSL 1.0, 2.0, and 3.0.
All versions of SSL have been found vulnerable, and they all have been deprecated.

Understanding TLS

TLS stands for “Transport Layer Security.”

The first version of TLS was developed by the Internet Engineering Taskforce (IETF) in 1999.
Four versions of TLS have been released: TLS 1.0, 1.1, 1.2, and 1.3.
TLS is also a cryptographic protocol that provides secure communication between web server and client via implicit connections. It’s the successor of SSL protocol.
TLS 1.0 and 1.1 have been “broken” and are deprecated as of March 2020. TLS 1.2 is the most widely deployed protocol version.

Which is more secure for SSL and TLS?

TLS provides a more robust message authentication system, key material generation along other encryption algorithms when compared to SSL. Thus, TLS provides support with remote passwords, elliptical curve keys and pre-shared keys which are not supported by SSL. TLS still provides backward compatibility for older devices.

The TLS protocol works on two layers where the TLS record protocol provides security to connections. The TLS handshake protocol brings together the client and the server for security key negotiation. Both client and the server authenticate each other before any data transmission.

Understanding SSL Certificates and TLS Certificates

That’s because both “SSL certificate” and “TLS certificate” essentially mean the same thing: They’re both X.509 digital certificates that help to authenticate the server and facilitate the handshake process to create a secure connection.

Some people call them “SSL certificates,” while others refer to them as “TLS certificates.” The name doesn’t matter much because a certificate isn’t the same thing as the protocol. Whatever we call them, what matters is the protocol that it operates on. And these protocols are determined by our server configuration, not by the digital certificates.

Latest TLS version

TLS 1.3 is the latest version of the TLS protocol. TLS, which is used by HTTPS and other network protocols for encryption, is the modern version of SSL. TLS 1.3 dropped support for older, less secure cryptographic features, and it sped up TLS handshakes, among other improvements.

Check TLS version on SSLlabs

SSL Labs is a tool for SSL/TLS testing purpose. It allows you to analyze the SSL/TLS configuration of a given website or IP address.

When you access this URL, the SSL Labs tool performs a series of tests and assessments on the SSL/TLS configuration of the specified domain (google.com) or IP address (142.251.40.46). It checks various aspects of the configuration, including the supported TLS versions, cipher suites, certificate validity, and other security-related settings.

The tool generates a detailed report on the SSL/TLS configuration and assigns a grade (from A+ to F) based on the overall security and compliance level.

Using this SSL Labs tool, you can gain insights into the SSL/TLS security of a website or IP address, helping you assess its security posture and identify potential vulnerabilities or misconfigurations.

Check the TLS version in Linux

Some vendors already have terminated the support for earlier TLS versions (TLS 1.0 and TLS 1.1) and have completely migrated to TLS version 1.2 even 1.3.

Here’s how you can check TLS version in Linux using openssl command.

Open a terminal on your Linux system.
Type the following command to check the TLS version supported by a specific website: openssl s_client -connect example.com:443 -tls1_2
Replace example.com with the domain or website you want to check. The option -tls1_2 specifies that you want to check the TLS 1.2 version specifically. You can replace it with -tls1_3 or other versions to check different TLS versions.

If the connection is successful, you will see information about the TLS handshake and the negotiated version.

Alternatively, you can omit the specific TLS version option to let openssl negotiate the supported version automatically:

openssl s_client -connect example.com:443

This command will establish an SSL/TLS connection to the specified domain on the default HTTPS port (443) and display information about the negotiated TLS version.

Please note that the openssl command should be installed on your Linux system for these commands to work. If it’s not available, you may need to install it using your package manager, such as apt or yum.

We can use the following command to check if which TLS version google.com supports.

#openssl s_client -connect www.google.com:443 -tls1
#openssl s_client -connect www.google.com:443 -tls1_1
#openssl s_client -connect www.google.com:443 -tls1_2
#openssl s_client -connect www.google.com:443 -tls1_3

-tls1 for TLSv1
-tls1_1 for TLSv1.1
-tls1_2 for TLSv1.2

We can also use nmap command to check the TLS version in Linux.

nmap --script ssl-enum-ciphers -p 443 www.google.com

When you execute this command, Nmap will initiate a scan against the target domain on port 443. The ssl-enum-ciphers script will then perform a series of tests to enumerate the supported SSL/TLS ciphers on the server. It will gather information about the cipher suites, their strength, encryption algorithms, and other relevant details.

The script will generate a report that lists the identified SSL/TLS ciphers and their associated properties. This information can be helpful in assessing the security level and cipher suite configuration of the target server.

# nmap --script ssl-enum-ciphers -p 443 www.google.com
Starting Nmap 7.70 ( https://nmap.org ) at 2023-05-27 08:05 GMT
Nmap scan report for www.google.com (142.251.46.228)
Host is up (0.00062s latency).
Other addresses for www.google.com (not scanned): 2607:f8b0:4005:810::2004
rDNS record for 142.251.46.228: sfo03s27-in-f4.1e100.net

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds

4 Ways to Check SSL certificate

David Cao

David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer. He had working experience in AMD, EMC. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open-source.

howtouselinux.com is dedicated to providing comprehensive information on using Linux.

We hope you find our site helpful and informative.

Learn More

RHCSA Practice Exam

RHCSA Practice Exam A General Notes Here are some tips to ensure your exam starts with a clean environment: You do not need external servers

5 formas de verificar la dirección IP en Linux

Cómo verificar la dirección IP en Linux En el entorno de Linux, es esencial poder verificar la dirección IP de su sistema. La dirección IP

50 RHCSA exam questions and answers

The RHCSA (Red Hat Certified System Administrator) exam is a performance-based certification exam offered by Red Hat. It is designed to validate the skills and

Understanding Linux MAC Addresses: 10 Common Questions Answered

Understanding MAC address in Linux In Linux, a MAC address (Media Access Control address) is a unique identifier assigned to a network interface. It is

Search files by size in Linux

There are a few different ways to search files by size in Linux. One way is to use the find command. The find command is

2 ways to fix could not load server certificate file ‘server.crt’: No such file or directory in PostgreSQL

The error “could not load server certificate file ‘server.crt’: No such file or directory” in PostgreSQL indicates that the server is unable to find the

Enable SSL in Postgresql

Enabling SSL in PostgreSQL is a straightforward process that only requires three simple steps: Make sure we have the server certificate and key files available

2 ways to Preserve file permissions when copying files in Linux

Preserve file permissions using -p option in cp command To preserve the file permissions when copying files or directories using the cp command, you can

2 ways to fix cp Permission denied error

The error message “cp: Permission denied” typically occurs when the user doesn’t have permission to access the source file or the destination directory. Here are