List supported SSL/TLS versions for a specific OpenSSL build
I have, for example, OpenSSL version 1.0.0o on my Linux system, and I want to know which SSL/TLS versions are supported with this build.

Is there a shell command to accomplish this?

Median answered 11/12, 2014 at 18:44 Comment(0)
You cannot check for version support via the command line. The best option would be checking the OpenSSL changelog.

OpenSSL versions up to 1.0.0h support SSLv2, SSLv3 and TLSv1.0. From OpenSSL 1.0.1 onward, support for TLSv1.1 and TLSv1.2 is added.

Parsons answered 18/12, 2014 at 11:30 Comment(4)
1.0.1s and 1.0.2g up (March 2016) 'disable' SSLv2 (omit from builds) by default but ./Configure can add it back. 1.1.0 base up (Aug. 2016) drops the code for SSLv2 entirely (can't add back) and disables SSLv3 by default.Voluntaryism
Hi @dave_thompson_085, I am looking for a reference (release notes or elsewhere) that mentions the above stated by you regarding SSLv3. Would you please be able to provide one?Samoyed
@MohammedRaqeeb: I don't see it in the changelog, but it wasn't surprising, as 2016-08 was two years after POODLE and in addition to probably a hundred Qs on Stack, every security-related website in the world had been blaring "DON'T USE SSLv3!!! DON'T USE SSLv3!!!" incessantly.Voluntaryism
@Voluntaryism Yeah, I agree. I had a Customer to whom I need to share this data hence was looking for a clear reference to the deprecating version.Samoyed
Use this

openssl ciphers -v | awk '{print $2}' | sort | uniq
Termitarium answered 28/4, 2016 at 20:44 Comment(2)
THIS IS WRONG. The second column in ciphers -v is the minimum version for the ciphersuite; since TLSv1.0 and 1.1 don't add any ciphersuites not present in SSLv3, in 1.0.1 and 1.0.2 this lists only SSLv3 and TLSv1.2 even though 1.0 and 1.1 are supported. In 1.1.0 due to an obvious bug 1.0 is listed, but 1.1 still is not. Also, 1.0.0-2 do support SSLv2 but don't put v2 suites in the default cipherstring, so it isn't listed; that could be fixed by using ALL. (OTOH both SSLv2 and SSLv3 are broken and should not be used.)Voluntaryism
PS: sort|uniq can be replaced by sort -u and awk can suppress duplicates by itself easily if the order doesn't matter or you use GNU awk 4 which has auto-sorting in for. But those are topics for SO.Voluntaryism
This worked for me:

openssl s_client -help 2>&1 >/dev/null | grep -E -e '-(ssl|tls)[0-9]'
# [0-9] rather than [^a-z]: 1.1.0+ builds also list -ssl_config, which [^a-z] would match

Please let me know if this is wrong.

Rochdale answered 5/6, 2018 at 11:55 Comment(0)
It's clumsy, but you can get this from the usage messages for s_client or s_server, which are #ifed at compile time to match the supported protocol versions. Use something like

 openssl s_client -help 2>&1 | awk '/-ssl[0-9]|-tls[0-9]/{print $1}' 
 # in older releases any unknown -option will work; in 1.1.0 must be exactly -help
Voluntaryism answered 1/5, 2018 at 5:26 Comment(0)
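As an added, stand-alone example (not code from any answer on this page): a POSIX sh script that pulls the version flags out of the s_client usage text the way the answer above describes, maps them to protocol names, and, on request, starts a throwaway s_server with a self-signed certificate and confirms each version with a loopback handshake. The second step matters because the usage text only reflects what was compiled in: a system openssl.cnf can still switch a version off at run time (for example a MinProtocol or SECLEVEL setting shipped by the distribution), and only an actual handshake shows that. The binary name `OPENSSL`, the port 4433, and the two sample usage texts are assumptions; the samples are constructed to look like 1.0.2 and 1.1.1 output and are only used when no openssl binary is found.

```shell
#!/bin/sh
# Added example (not from any answer on this page). Lists the protocol
# versions an openssl binary was compiled with, taken from the s_client usage
# text, then optionally confirms each with a loopback handshake, since the
# system openssl.cnf (MinProtocol, SECLEVEL) can disable a compiled-in version.
# Assumptions: OPENSSL names the binary, PORT is free on 127.0.0.1.
OPENSSL="${OPENSSL:-openssl}"
PORT="${PORT:-4433}"

# Constructed sample usage text, shaped like 1.0.2 and 1.1.1 output, used
# when no openssl binary is available (and by the self-checks).
SAMPLE_HELP_102=' -ssl2         - just use SSLv2
 -ssl3         - just use SSLv3
 -tls1_2       - just use TLSv1.2
 -tls1_1       - just use TLSv1.1
 -tls1         - just use TLSv1
 -dtls1        - just use DTLSv1
 -no_tls1_2    - turn off TLSv1.2'
SAMPLE_HELP_111='-tls1_3                 Just use TLSv1.3
-tls1_2                 Just use TLSv1.2
-tls1_1                 Just use TLSv1.1
-tls1                   Just use TLSv1
-dtls1_2                Just use DTLSv1.2
-no_tls1_3              Just disable TLSv1.3
-ssl_config val         Use specified section for SSL_CTX configuration'

# stdin: usage text; stdout: version flags, one per line, in protocol order.
# Only -ssl<digit>/-tls<digit> tokens count, so -no_tls1_2, -dtls1 and
# -ssl_config are ignored.
list_version_flags() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^-(ssl|tls)[0-9](_[0-9])?$/) print $i }' | LC_ALL=C sort -u
}

# -ssl3 -> SSLv3, -tls1 -> TLSv1.0, -tls1_2 -> TLSv1.2
flag_to_proto() {
    printf '%s\n' "$1" | sed -e 's/^-ssl/SSLv/' -e 's/^-tls1_/TLSv1./' -e 's/^-tls1$/TLSv1.0/'
}

# Both streams are merged: 1.0.x prints usage for an unknown option on
# stderr and 1.1.0+ prints -help on stderr as well; merging costs nothing.
compiled_in_versions() {
    "$OPENSSL" s_client -help 2>&1 | list_version_flags
}

# Classify s_client output: "yes" if a cipher was negotiated, else "no".
classify_handshake() {
    case "$1" in
        *"Cipher is (NONE)"*) echo no ;;
        *"Cipher is "*)       echo yes ;;
        *)                    echo no ;;
    esac
}

# One handshake against the local s_server using the given version flag.
probe_version() {
    out=$("$OPENSSL" s_client -connect "127.0.0.1:$PORT" "$1" </dev/null 2>&1) || true
    classify_handshake "$out"
}

# Throwaway self-signed cert + s_server, then probe every compiled-in version.
# "-accept PORT" (not host:port) so that 1.0.x s_server accepts it too.
probe_all() {
    dir=$(mktemp -d) || return 1
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -subj /CN=localhost -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    "$OPENSSL" s_server -accept "$PORT" -cert "$dir/cert.pem" -key "$dir/key.pem" -www \
        >/dev/null 2>&1 &
    srv=$!
    sleep 1
    for flag in $(compiled_in_versions); do
        printf '%-8s compiled=yes handshake=%s\n' \
            "$(flag_to_proto "$flag")" "$(probe_version "$flag")"
    done
    kill "$srv" 2>/dev/null || true
    rm -rf "$dir"
}

case "${1:-list}" in
    list)
        if command -v "$OPENSSL" >/dev/null 2>&1; then
            compiled_in_versions | while read -r f; do flag_to_proto "$f"; done
        else
            echo "no openssl binary found; parsing the constructed 1.0.2-style sample:"
            printf '%s\n' "$SAMPLE_HELP_102" | list_version_flags | while read -r f; do flag_to_proto "$f"; done
        fi ;;
    probe) probe_all ;;
esac
```

Run `sh list_tls_versions.sh` for the compiled-in list and `sh list_tls_versions.sh probe` for the loopback table; a row with `compiled=yes handshake=no` is the run-time-disabled case the usage text alone cannot reveal. The probe needs a free local port and a writable temp directory, and on a 1.0.x build the `-ssl2` row will say `no` unless SSLv2 suites were enabled on both sides.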
Try the following command:

openssl ciphers

This should produce a list of all of the ciphers supported in your version of openssl.

To see just a particular set of ciphers (e.g. just sslv3 ciphers) try:

openssl ciphers -ssl3

See https://www.openssl.org/docs/apps/ciphers.html for more info.

Beep answered 11/12, 2014 at 21:03 Comment(1)
I am not talking about ciphers; I want to get the supported SSL/TLS versions for a specific OpenSSL build. For example: for 1.0.0o, SSL3 and TLS1 are supported.Median
When you run the OpenSSL command using s_client, this is the output. Look at the Cipher: if the cipher is NULL, it means that version of TLS is not supported.

TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256
    Session-ID: A84600002D4945DE6
    Session-ID-ctx:
    Master-Key:  
    Start Time: 15852343333860
    Timeout   : 2343 (sec)
    Verify return code: 0 (ok)
Vagal answered 27/3, 2020 at 18:37 Comment(2)
This answers a different question.Lunkhead
Yes, you will need a local web server to perform the test, which may be configured not to use all ciphers. So the result may be incorrect.Jaimeejaimes