How Can I Check the SSL Version on Linux?
In today’s digital landscape, ensuring secure communication is more important than ever, and SSL (Secure Sockets Layer) plays a pivotal role in safeguarding data transmissions. For Linux users and administrators, knowing how to check the SSL version installed on their system is a fundamental step in maintaining robust security protocols. Whether you’re managing a web server, troubleshooting connectivity issues, or simply verifying your system’s cryptographic capabilities, understanding your SSL version can provide critical insights into your security posture.
Linux, with its diverse distributions and open-source tools, offers multiple ways to inspect SSL versions, each tailored to different environments and use cases. From command-line utilities to library checks, these methods help users confirm whether they are running up-to-date and secure SSL implementations. Staying informed about your SSL version not only aids in compliance with security standards but also helps prevent vulnerabilities associated with outdated cryptographic protocols.
This article will guide you through the essentials of checking SSL versions on Linux systems, offering a clear overview of why it matters and how you can quickly verify your setup. Whether you’re a seasoned sysadmin or a curious user, gaining this knowledge is a valuable step toward ensuring your Linux environment remains secure and trustworthy.
Using OpenSSL Command Line to Check SSL Version
The most direct way to check the SSL/TLS version supported or in use on a Linux system is by utilizing the OpenSSL command-line tool. OpenSSL is a robust toolkit for SSL/TLS protocols and cryptography, typically pre-installed on most Linux distributions.
To determine the OpenSSL version installed, which indirectly informs about the supported SSL/TLS protocols, run:
“`bash
openssl version
“`
This command outputs the OpenSSL version and build date, which helps identify the supported SSL/TLS versions based on OpenSSL’s release notes.
To check the SSL/TLS version supported by a remote server, use the `s_client` option as follows:
“`bash
openssl s_client -connect example.com:443 -tls1_2
“`
Replace `example.com` with the server hostname or IP. The `-tls1_2` flag forces the connection attempt using TLS 1.2. You can substitute this with `-ssl3`, `-tls1`, `-tls1_1`, `-tls1_3` to test different protocol versions.
If the connection succeeds, the server supports that protocol version; if it fails, it does not.
Key OpenSSL options for protocol testing include:
- `-ssl3` — Test SSL version 3
- `-tls1` — Test TLS version 1.0
- `-tls1_1` — Test TLS version 1.1
- `-tls1_2` — Test TLS version 1.2
- `-tls1_3` — Test TLS version 1.3
This approach is beneficial for administrators validating server-side protocol support or troubleshooting SSL/TLS compatibility issues.
Checking SSL/TLS Version with GnuTLS Tools
GnuTLS is another commonly used SSL/TLS library in Linux environments. It provides command-line utilities to inspect SSL/TLS versions and cipher suites.
The `gnutls-cli` command allows you to connect to a server and check supported protocol versions. For example:
“`bash
gnutls-cli –priority NORMAL example.com -p 443
“`
The `–priority` option specifies the protocol and cipher priorities. `NORMAL` is a default priority string that allows negotiation of commonly accepted protocols and ciphers.
To check specific protocol versions, you can adjust the priority string. For example, to test only TLS 1.2:
“`bash
gnutls-cli –priority “TLS1.2” example.com -p 443
“`
If the handshake is successful, the server supports TLS 1.2.
This tool provides detailed output including:
- Protocol version negotiated
- Cipher suite used
- Certificate details
Using GnuTLS tools complements OpenSSL and is helpful in environments where GnuTLS is preferred or OpenSSL is unavailable.
Viewing SSL/TLS Versions Supported by Web Servers
Web servers such as Apache HTTP Server and Nginx allow administrators to configure supported SSL/TLS protocols explicitly. Checking these configurations can confirm which versions are enabled.
For Apache, SSL/TLS versions are controlled by the `SSLProtocol` directive in the SSL configuration file (often found under `/etc/httpd/conf.d/ssl.conf` or `/etc/apache2/mods-enabled/ssl.conf`):
“`apache
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
“`
This example enables all protocols except SSLv3, TLS 1.0, and TLS 1.1, effectively supporting TLS 1.2 and above.
For Nginx, SSL/TLS versions are set with the `ssl_protocols` directive inside the server block or configuration file (e.g., `/etc/nginx/nginx.conf` or `/etc/nginx/sites-available/default`):
“`nginx
ssl_protocols TLSv1.2 TLSv1.3;
“`
This line configures Nginx to accept only TLS 1.2 and TLS 1.3 connections.
To check the currently active SSL/TLS protocols used by the running web server, you can:
- Review the configuration files as described.
- Use external SSL testing tools like [SSL Labs](https://www.ssllabs.com/ssltest/) to analyze the live server.
- Use OpenSSL or GnuTLS commands against the server to test supported versions.
Checking SSL Version of Installed Libraries and Binaries
Sometimes, it’s necessary to verify the SSL/TLS version support of installed libraries or binaries on the Linux system itself, especially when troubleshooting applications dependent on specific SSL versions.
Some methods include:
- Listing installed OpenSSL packages and versions:
“`bash
rpm -qa | grep openssl For RPM-based distros like CentOS, Fedora
dpkg -l | grep openssl For Debian-based distros like Ubuntu
“`
- Using `ldd` to check linked SSL libraries for a binary:
“`bash
ldd /usr/bin/curl | grep ssl
“`
This command shows which SSL libraries the `curl` binary uses, helping to understand which SSL version might be involved.
- Checking OpenSSL shared library versions:
“`bash
openssl version -a
“`
Outputs detailed version and build information including the OpenSSL version number, options, and directory paths.
Command | Purpose | Example Output | |||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
openssl version | Show OpenSSL version installed | OpenSSL 1.1.1f 31 Mar 2020 | |||||||||||||||||||||||||||
openssl s_client -connect host:443 -tls1_2 | Test server support for TLS 1.2 | Successful handshake or error | |||||||||||||||||||||||||||
gnutls
Checking OpenSSL Version on LinuxTo determine the version of OpenSSL installed on a Linux system, use the command-line interface. OpenSSL is the most common SSL/TLS toolkit used on Linux, and its version directly affects the supported protocols and security features. Follow these steps to check the OpenSSL version:
This command outputs the OpenSSL version installed, for example:
If you need additional details about the OpenSSL build, including supported protocols and features, use:
Ensure you have OpenSSL installed; otherwise, the command will not be found. You can install it using your package manager, for example:
Checking SSL/TLS Version Supported by OpenSSLTo verify which SSL/TLS protocol versions are supported by your OpenSSL installation, you can test the available protocols using OpenSSL’s command-line options. Use the
If the connection succeeds, the protocol is supported both by OpenSSL and the remote server. If the connection fails, it indicates the protocol is either disabled or unsupported. Verifying SSL Version of a Specific Server Using OpenSSLYou can check the SSL/TLS version used by a specific server during the handshake by connecting to it with OpenSSL’s Run the following command to establish an SSL/TLS connection and observe the negotiated protocol version:
Look for the line beginning with
This approach is useful for troubleshooting and verifying the SSL/TLS settings of web servers, mail servers, or other SSL-enabled services. Using Package Managers to Check Installed SSL VersionDepending on your Linux distribution, you can also check the installed OpenSSL package version using the system’s package manager.
|