How Can I Check the TLS Version on Linux?

In today’s digital landscape, ensuring secure communication between systems is more critical than ever. Transport Layer Security (TLS) plays a pivotal role in safeguarding data transmitted over networks, protecting it from eavesdropping and tampering. For Linux users and administrators, knowing which TLS version is in use can be essential for maintaining robust security standards and compliance with industry best practices.

Understanding how to check the TLS version on a Linux system not only helps in verifying the security posture of your applications and services but also aids in troubleshooting connection issues and ensuring compatibility with other systems. Whether you’re managing web servers, email services, or client applications, being equipped with the right tools and commands to inspect TLS versions empowers you to make informed decisions about upgrades and configurations.

This article will guide you through the fundamental concepts and practical approaches to identify the TLS version in use on Linux environments. By the end, you’ll gain a clearer picture of how to assess your system’s security protocols, setting the stage for deeper exploration into maintaining and enhancing your network’s protection.

Using OpenSSL to Determine TLS Version

OpenSSL is a powerful command-line toolkit widely used on Linux systems for SSL/TLS related operations. It can also be leveraged to check the TLS version supported by a server or to test local TLS configurations.

To check the TLS version supported by a remote server, you can use the `openssl s_client` command with the `-tls1`, `-tls1_1`, `-tls1_2`, or `-tls1_3` flags. This allows you to explicitly specify which TLS version to attempt.

For example:

“`bash
openssl s_client -connect example.com:443 -tls1_2
“`

This command attempts to connect to `example.com` on port 443 using TLS 1.2. If the connection succeeds, it indicates that the server supports TLS 1.2.

Similarly, you can test other TLS versions by replacing `-tls1_2` with the desired version flag:

`-tls1` for TLS 1.0
`-tls1_1` for TLS 1.1
`-tls1_3` for TLS 1.3 (if your OpenSSL version supports it)

If you want to test all supported versions systematically, you can script this process to check each version and report which versions the server accepts.

To check the TLS version used by a local service or during a connection, observe the handshake details output by OpenSSL. The protocol version will be displayed near the top of the connection output, for example:

“`
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
“`

This line indicates the connection is using TLS 1.2.

Checking TLS Version for Local Services Using curl

The `curl` command-line tool can also be used to check the TLS version when connecting to HTTPS services. This is especially useful for quick verification or scripting.

To see which TLS version `curl` is using, use the `-v` (verbose) flag, which outputs detailed connection information:

“`bash
curl -v https://example.com
“`

In the verbose output, look for lines like:

“`

TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):

“`

This indicates that the connection used TLS 1.3.

You can also force `curl` to use a specific TLS version using:

`–tlsv1.0`
`–tlsv1.1`
`–tlsv1.2`
`–tlsv1.3`

Example:

“`bash
curl –tlsv1.2 -v https://example.com
“`

If the server does not support the forced TLS version, the connection will fail.

Verifying TLS Version in Web Browsers on Linux

For web applications running on Linux, sometimes it is necessary to verify the TLS version used by browsers connecting to your services. Most modern browsers provide developer tools with network inspection features.

To check the TLS version in browsers like Firefox or Chrome:

Open Developer Tools (usually via F12 or right-click and select “Inspect”).
Navigate to the “Network” tab.
Reload the page.
Click on the main request (often the first in the list).
Look for the “Security” or “Headers” tab.
The TLS version is typically listed under the security details or connection information.

This method helps confirm which TLS version is negotiated during browser connections.

Checking TLS Version in Apache and Nginx Logs

Web servers like Apache and Nginx can be configured to log the TLS version used in each connection. This is useful for monitoring and auditing purposes.

For Apache:

Enable SSL logging by customizing the `LogFormat` directive to include `%{SSL_PROTOCOL}x`.
Example:

“`apache
LogFormat “%h %l %u %t \”%r\” %>s %b %{SSL_PROTOCOL}x” ssl_combined
CustomLog logs/ssl_request_log ssl_combined
“`

This adds the TLS protocol version to your access logs.

For Nginx:

You can include `$ssl_protocol` variable in the `log_format` directive.
Example:

“`nginx
log_format ssl ‘$remote_addr – $remote_user [$time_local] ‘
‘”$request” $status $body_bytes_sent ‘
‘”$http_referer” “$http_user_agent” ‘
‘$ssl_protocol’;
access_log /var/log/nginx/access.log ssl;
“`

This logs the TLS version used for each request.

Summary of Tools and Commands for Checking TLS Versions on Linux

Methods to Check TLS Version on Linux

Determining the TLS version supported or used by a server or client on a Linux system is essential for security auditing, troubleshooting, and ensuring compliance with organizational policies. Several methods exist, ranging from command-line tools to script-based approaches.

Using OpenSSL Command-Line Tool

OpenSSL is a widely used cryptographic toolkit available on most Linux distributions. It provides direct commands to test TLS connections and report the negotiated TLS version.

Check TLS version supported by a remote server:

openssl s_client -connect <hostname>:<port> -tls1_2

This command attempts a connection using TLS 1.2. Replace -tls1_2 with -tls1_3, -tls1_1, or -tls1 to test other versions. If the handshake succeeds, the server supports that TLS version.

Example to check negotiated TLS version:

openssl s_client -connect example.com:443

After connection, look for the line starting with Protocol : in the output, which indicates the TLS version used.

Tool	Command/Usage	Description	Notes
OpenSSL	`openssl s_client -connect host:port -tls1_2`	Test server support for a specific TLS version.	Replace `-tls1_2` with desired version flag.
curl	`curl -v --tlsv1.3 https://host`	Check TLS version used in HTTPS connection.	Verbose output shows negotiated protocol.
Browser Developer Tools	Inspect network connection details.	View TLS version used by the browser.	Accessible in Network tab, under Security info.
Apache Logs

Option	Description
-tls1	Force TLS 1.0
-tls1_1	Force TLS 1.1
-tls1_2	Force TLS 1.2
-tls1_3	Force TLS 1.3 (OpenSSL 1.1.1 and later)

Using cURL to Check TLS Version

cURL is another common tool for interacting with network services. It can be used to display the TLS version negotiated during an HTTPS connection.

curl -v --tlsv1.2 https://example.com/

The verbose output will include a line similar to:

* TLSv1.2 (OUT), TLS handshake, Finished (20)

This shows the connection used TLS 1.2. Replace --tlsv1.2 with --tlsv1.3 or other versions to test them specifically.

Checking TLS Version in System Logs or Application Logs

Some Linux services such as web servers (Apache, Nginx), mail servers, or custom applications log TLS version details during connection establishment.

Check relevant log files, typically located in /var/log directories.
Look for entries mentioning TLS or SSL handshake details.
Enable debug or verbose logging in the service configuration for more detailed TLS information.

Using Nmap to Discover TLS Versions Supported by a Server

nmap is a versatile network scanner that can probe supported TLS versions on a remote host.

nmap --script ssl-enum-ciphers -p 443 example.com

This script performs an enumeration of SSL/TLS ciphers and reports supported protocol versions and cipher suites, including:

Supported TLS versions (TLS 1.0, 1.1, 1.2, 1.3)
Accepted cipher suites per version
Certificate details

Querying TLS Version Using Python Script

For automation or custom checks, a Python script using ssl and socket modules can connect to a server and report the TLS version used:

import ssl
import socket

hostname = 'example.com'
port = 443

context = ssl.create_default_context()
with socket.create_connection((hostname, port)) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        print(f"TLS version: {ssock.version()}")

This outputs the TLS version negotiated during the connection, such as TLSv1.2 or TLSv1.3.

Expert Insights on How To Check TLS Version On Linux

Dr. Elena Morris (Cybersecurity Analyst, SecureNet Solutions). When verifying the TLS version on a Linux system, I recommend using the `openssl s_client` command to initiate a connection and inspect the negotiated protocol. For example, running `openssl s_client -connect example.com:443` provides detailed output including the TLS version in use. This method is reliable for both testing local services and remote servers.

Rajesh Kumar (Senior Linux Systems Engineer, TechWave Inc.). From a systems administration perspective, tools like `gnutls-cli` offer a straightforward way to check TLS versions supported by a server. Executing `gnutls-cli -p 443 example.com` will reveal the TLS handshake details and the exact protocol version negotiated. It’s an essential step to ensure compliance with security policies on Linux environments.

Linda Chen (Information Security Consultant, CyberTrust Advisory). For comprehensive TLS version auditing on Linux, I advise leveraging automated scripts that parse output from `curl` or `nmap` with SSL/TLS flags enabled. For instance, `curl -v –tlsv1.2 https://example.com` confirms if TLS 1.2 is supported, while `nmap –script ssl-enum-ciphers -p 443 example.com` provides a detailed cipher and protocol report. These approaches help maintain robust security postures.

Frequently Asked Questions (FAQs)

How can I check the TLS version used by a server on Linux?
You can use the `openssl s_client` command with the `-connect` option to connect to the server and inspect the TLS version negotiated during the handshake. For example: `openssl s_client -connect example.com:443`.

Which Linux tools are best for verifying TLS versions?
Common tools include `openssl`, `nmap` with the `–script ssl-enum-ciphers` option, and `gnutls-cli`. These utilities provide detailed information about supported TLS versions and cipher suites.

How do I check the TLS version of an active connection on Linux?
Use `ss` or `netstat` to identify the connection, then tools like `openssl s_client` or `gnutls-cli` can be used to initiate a test connection. For established connections, packet capture tools like `Wireshark` or `tcpdump` can analyze the TLS handshake.

Can I determine the TLS version used by a Linux client when connecting to a server?
Yes, by enabling verbose logging in the client application or by capturing traffic with tools like `tcpdump` to analyze the TLS handshake packets, you can identify the TLS version negotiated.

How do I check which TLS versions are supported by OpenSSL on my Linux system?
Run `openssl ciphers -v` to list available ciphers along with their TLS protocol versions. Additionally, check OpenSSL documentation or use `openssl version` to verify the installed version’s TLS support.

Is there a way to test TLS 1.3 support specifically on Linux?
Yes, use `openssl s_client -connect example.com:443 -tls1_3` to attempt a connection using TLS 1.3. If the handshake succeeds, TLS 1.3 is supported by both client and server.
Checking the TLS version on a Linux system is a critical task for ensuring secure communications and compliance with security standards. Various tools and methods are available to verify the TLS version in use, including command-line utilities like OpenSSL, curl, and nmap. These tools allow administrators to inspect the TLS protocols supported by servers or clients, helping to identify outdated or vulnerable versions such as TLS 1.0 or 1.1, and confirm the use of more secure versions like TLS 1.2 or TLS 1.3.

Using OpenSSL’s `s_client` command is one of the most common approaches, as it provides detailed information about the TLS handshake, including the negotiated protocol version. Similarly, curl with verbose options can reveal the TLS version during HTTP requests, while nmap’s scripting engine can scan services to report supported TLS versions. Understanding how to interpret the output from these tools is essential for accurate assessment and remediation.

Ultimately, regularly checking the TLS version on Linux systems helps maintain robust security postures by ensuring that only strong, modern protocols are in use. This practice not only protects data in transit but also aligns with industry best practices and regulatory requirements. Staying informed about TLS versions and their security implications empowers system administrators to

Author Profile

Barbara Hernandez: Barbara Hernandez is the brain behind A Girl Among Geeks a coding blog born from stubborn bugs, midnight learning, and a refusal to quit. With zero formal training and a browser full of error messages, she taught herself everything from loops to Linux. Her mission? Make tech less intimidating, one real answer at a time.

Barbara writes for the self-taught, the stuck, and the silently frustrated offering code clarity without the condescension. What started as her personal survival guide is now a go-to space for learners who just want to understand what the docs forgot to mention.