During an Istio set-up with all the SSL stuff, I had some issues with SSL. So I found the following commands to do some tests.
With OpenSSL, we can check whether an endpoint supports a specific version of TLS and, if it does, which certificate it presents.
Example to test google.com on port 443 with TLS 1.2:
openssl s_client -connect google.com:443 -tls1_2
To test other TLS versions, just replace tls1_2 with tls1_1 or tls1_3 (the -tls1_3 option needs OpenSSL 1.1.1 or later).
Example of an answer where the endpoint supports TLS 1.2 (the negotiated version is on the Protocol line of the SSL-Session block, and "Verify return code: 0 (ok)" means the certificate chain validated):
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA0nt67i+GAazJs4e+bBSMqB6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA1MjMyMTU5MDBaFw0x
NzA4MjEyMTU5MDBaMBcxFTATBgNVBAMTDGluaXNtZWFpbi5pZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANLrc8IH2BP51XLhR6L2/IjRuNYcoj6UH58K
NzA4MjEyMTU5MDBaMBcxFTATBgNVBAMTDGluaXNtZWFpbi5pZTCCASI.........
dl0=
-----END CERTIFICATE-----
subject=/CN=example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3019 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DF39CB241F6580C6E6570E0E9827D7F8615A71A76359DB4F9D1B9D3AD
    Session-ID-ctx:
    Master-Key: 12E8FF788E15AAA2E95BE35C5864784B90ED5A9AE8352AFE98C7DCADB04E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1502214066
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed
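The s_client transcript above is long, and when you check several TLS versions against an Istio gateway you mostly want one line per version. This added helper (example code, not from the original post) wraps the same s_client call and reduces the transcript to the negotiated protocol, cipher and verify code; the probe_tls function, the -servername flag and the sample transcripts are my additions.

```shell
#!/bin/sh
# Added example (not from the original post): probe an endpoint for each TLS
# version with openssl s_client and reduce the verbose transcript to one line.
# Summarise an s_client transcript read from stdin: prints
# "<protocol> <cipher> verify=<code>" when a session was negotiated, else
# "unsupported" (a failed handshake leaves no SSL-Session block, or one whose
# Cipher is 0000 / (NONE), depending on the OpenSSL version).
summarize_s_client() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
  case "$cipher" in
    ''|0000|'(NONE)') echo "unsupported" ;;
    *) echo "$proto $cipher verify=$verify" ;;
  esac
}
# Probe one host for one protocol version (tls1, tls1_1, tls1_2 or tls1_3).
# -servername sends SNI, which virtual-hosted endpoints such as an Istio
# ingress gateway need in order to select the right certificate.
probe_tls() {
  host=$1; port=$2; ver=$3
  printf '%s:%s %-7s ' "$host" "$port" "$ver"
  openssl s_client -connect "$host:$port" -servername "$host" "-$ver" \
    </dev/null 2>/dev/null | summarize_s_client
}
# Constructed, abridged transcripts so summarize_s_client can be tried offline.
SAMPLE_OK='CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---'
SAMPLE_FAIL='CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
---'
# Usage: sh tls_probe.sh <host> [port]  -- tries every version in turn.
if [ $# -ge 1 ]; then
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    probe_tls "$1" "${2:-443}" "$v"
  done
fi
```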
Sometimes you need to make calls with a specific version of TLS. With curl, you can add parameters to pin the minimum and maximum TLS version to use (here both set to 1.2, against example.com as a placeholder target):
curl --tlsv1.2 --tls-max 1.2 https://example.com
If you are not sure which ciphers are supported by your server, you can use the following command to list them. Note that it lists the cipher suites your local OpenSSL build can offer; to check which of them the server actually accepts, pass one of them to openssl s_client with the -cipher option and look at the negotiated Cipher line.
openssl ciphers -v
Example of one line representing a cipher suite (key exchange, authentication, encryption and MAC). Normally you get a list of lines like this one:
... ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ...
I hope it will help you!
Please don't hesitate to give me feedback to help me improve my writing skills.