tls_test.sh

Question

我用Google搜索了

https://serverfault.com/questions/638691/how-can-i-verify-if-tls-1-2-is-supported-on-a-remote-web-server-from-the-rhel-ce，

命令：

openssl s_client -connect google.com:443 -tls1_2

由于＆＃34;未知选项-tls1_2＆＃34;

在MacOS上不起作用错误。

Answer 1

您可以使用curl进行测试。我相信在OS X上安装了curl命令行工具。

$ curl https://google.com/ --tlsv1.2 --verbose
*   Trying 46.134.192.54...
* Connected to google.com (46.134.192.54) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.google.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.43.0
> Accept: */*

Answer 2

感谢此页面上的this great answer，我编写了这个简单的脚本来测试服务器的TLS 1.0,1.1和1.2支持。这应该适用于任何linux / unix风格，我怀疑，并且肯定适用于Mac，因为我用它来测试它

$ tls_test.sh tls1test.salesforce.com
TLS1.2 is supported on tls1test.salesforce.com
TLS1.1 is supported on tls1test.salesforce.com
### TLS1.0 is NOT SUPPORTED on tls1test.salesforce.com ###

tls_test.sh

#!/usr/bin/env bash

die()
{
  echo "$*"
  exit;
}

# Get server to test, and timeout in seconds
server=$1
timeout_in_seconds=${2:-20}
case "$timeout_in_seconds" in
  ''|*[!0-9]*) die "Your timeout value should be an integer value, not '$2'"
esac

# where to log full responses to
dump_file=${3:-/tmp/__dump_tls_info}
rm -f "$dump_file"

show_help()
{
  me=$(basename "$0")
  info=$(cat <<EOF
  Shows which versions of TLS a server supports.

  usage: $me SERVER {TIMEOUT_IN_SECONDS} {DUMP_FILE}

  e.g.  The following are public test servers that demonstrate
  support for various TLS versions.

  $ $me tls1test.salesforce.com       # validate TLS 1.0 is blocked
  $ $me tls-v1-0.badssl.com:1010      # validate only TLS 1.0 enabled
  $ $me tls-v1-1.badssl.com:1011      # validate only TLS 1.1 enabled
  $ $me smtp.gmail.com:465            # validate TLS 1.0+ are all supported

  Note: default timeout in seconds is 20, and it dumps full output to $dump_file
EOF
  )
  echo "$info"
  exit
}

if [ -z "$server" ]; then
  show_help
fi

testTLS()
{
  tls="$1"
  tlsDisplay=${2:-$1}
  if [ -n "$tls" ]; then
    tls_cmd="--tlsv$1"
  else
    tls_cmd=""
  fi

  CMD="curl --max-time "$timeout_in_seconds" -v -I --silent "$tls_cmd" "https://$server/""
  OUT=$($CMD 2>&1)
  CURL_VERSION=$(curl --version)
  OUT_CURL_OLD=$(echo "$OUT" | grep "option --tls" | grep "unknown")
  OUT_TLS=$(echo "$OUT" | grep "topped the pause stream")
  OUT_TLS_HANDSHAKE=$(echo "$OUT" | grep "handshake fail")
  OUT_TIMEOUT=$(echo "$OUT" | grep "onnection timed out after")

  {
    echo 
    echo "#######################################"
    echo "testing TLS$tls is supported on $server"
    echo "curl version: $CURL_VERSION"
    echo "curl location: `which curl`"
    echo "os version: `sw_vers`"
    echo "ran the following:"
    echo "$CMD"
    echo "$OUT"
    echo 
  } >> "$dump_file"

  if [ -n "$OUT_TIMEOUT" ]; then
    echo "connection to $server timed out after $timeout_in_seconds seconds"
  fi
  if [ -n "$OUT_CURL_OLD" ]; then
    echo "Your version of curl is too old, and can't test for TLS $tls support"
    return;
  fi

  if [ -n "$OUT_TLS" ]; then
    echo "### TLS $tlsDisplay is NOT SUPPORTED on $server ###"
  else
    if [ -n "$OUT_TLS_HANDSHAKE" ]; then
      echo "### TLS $tlsDisplay is NOT SUPPORTED on $server ###"
    else
      echo "TLS $tlsDisplay is supported on $server"
    fi
  fi
}

testTLS 1.2
testTLS 1.1
testTLS 1.0

Answer 3

您可以尝试这样的事情：

nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.google.com

Answer 4

这可能是因为您的openssl很旧，它没有TLSv1.2更新。请考虑升级您的openssl，然后它应该可以工作。我已经在Mac上测试过了，效果很好。同样，现在市场上有TLSv1.3，但我尚未将Openssl升级到最新版本，因此，对于-tsl1_3，我会遇到相同的错误

如何在Mac OS上测试远程服务器是否支持tls1.2

4 个答案:

tls_test.sh