Testing for Specific Versions of TLS Protocols Using curl

Ever need to set a specific TLS protocol version on your web server and want a quick way to confirm the setting? Let’s check out how to use curl to do just that.

The command below runs curl with the parameters --tlsv1.1 --tls-max 1.1. The first sets the minimum TLS protocol version and the second caps the maximum, so together they force curl to use TLS 1.1 only. Using the --verbose parameter gives you the ability to see the TLS handshake and get the output sent to standard out.

The webserver here has a policy that allows only TLS version 1.2+. So in the output, when curl is forced to use TLS version 1.1, the SSL_connect fails because the webserver only permits 1.2+.

curl https://www.notarealurl.com --verbose  --tlsv1.1 --tls-max 1.1
*   Trying 52.173.202.109...
* TCP_NODELAY set
* Connected to www.notarealurl.com (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.notarealurl.com:443 
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.notarealurl.com:443 

Now, let’s tell curl to use TLS protocol version 1.2 with the parameters --tlsv1.2 --tls-max 1.2 and see if we can successfully access the webserver. The output below shows a successful TLS 1.2 handshake and some output from the webserver.

curl https://www.notarealurl.com --verbose  --tlsv1.2 --tls-max 1.2
*   Trying 52.173.202.109...
* TCP_NODELAY set
* Connected to www.notarealurl.com (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=ILLINOIS; L=CHICAGO; O=IT; CN=www.notarealurl.com
*  start date: May 14 00:00:00 2020 GMT
*  expire date: Jul  6 12:00:00 2022 GMT
*  subjectAltName: host "www.notarealurl.com" matched cert's "www.notarealurl.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.notarealurl.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: https://notarealurl.com/
< Server: Microsoft-IIS/10.0
< Set-Cookie: ApplicationGatewayAffinity=ca74a2f7c1dea41a8e5010ecf6deda4f944f5539661e08399d8fae0062592401;Path=/;Domain=www.notarealurl.com
< Set-Cookie: ApplicationGatewayAffinityCORS=ca74a2f7c1dea41a8e5010ecf6deda4f944f5539661e08399d8fae0062592401;Path=/;Domain=www.notarealurl.com;SameSite=None;Secure
< Date: Thu, 20 May 2021 13:48:14 GMT
< Content-Length: 148
< 
<head><title>Document Moved</title></head>
* Connection #0 to host www.notarealurl.com left intact
<body><h1>Object Moved</h1>This document may be found <a HREF="https://notarealurl.com/">here</a></body>* 
Closing connection 0
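
To repeat the two checks above for every protocol version and compare the results with a minimum-version policy, the following script is an added example, not code from the original post. The function names, the file name tls_audit.sh and the PASS/WARN/FAIL labels are assumptions made for illustration; the two samples are constructed from the verbose output shown above.

```sh
#!/bin/sh
# Added example (not from the original post): sweep TLS versions with curl
# and check the results against a minimum-version policy.

# Print the protocol from curl's "SSL connection using ..." verbose line
# read on stdin, or "none" when the handshake never completed.
negotiated_version() {
  sed -n 's/^\* SSL connection using \(TLSv[0-9.]*\) .*/\1/p' | head -n 1 | grep . || echo none
}

# probe HOST VERSION: pin both minimum and maximum to VERSION, as the post does.
# curl writes its verbose trace to stderr, hence the 2>&1.
probe() {
  curl "https://$1" --verbose --silent --output /dev/null --max-time 10 \
    "--tlsv$2" --tls-max "$2" 2>&1 | negotiated_version
}

# verdict MIN VERSION RESULT: versions below MIN must fail to negotiate.
# A failure at or above MIN is only a WARN, because the local curl/TLS
# library may itself lack support for that version.
verdict() {
  min=$(echo "$1" | tr -d .); ver=$(echo "$2" | tr -d .)
  if [ "$ver" -lt "$min" ]; then
    if [ "$3" = none ]; then echo PASS; else echo FAIL; fi
  else
    if [ "$3" = none ]; then echo WARN; else echo PASS; fi
  fi
}

# audit HOST MIN: probe TLS 1.0 through 1.3 and print one line per version.
audit() {
  for v in 1.0 1.1 1.2 1.3; do
    r=$(probe "$1" "$v")
    echo "$v $r $(verdict "$2" "$v" "$r")"
  done
}

# Constructed samples, trimmed from the verbose output shown in the post.
SAMPLE_REJECTED='* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.notarealurl.com:443'
SAMPLE_ACCEPTED='* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384'

# Run the sweep only when invoked as: sh tls_audit.sh HOST MIN_VERSION
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

A result of none only shows that this particular client could not complete the handshake, which can also happen when the local TLS library has the old protocol disabled. Confirm a PASS for TLS 1.0 or 1.1 from a client known to still support those versions.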

The post Testing for Specific Versions of TLS Protocols Using curl appeared first on Centino Systems Blog.
