I want to disable TLS 1.0 on my server while only keeping TLS 1.1 and TLS 1.2 enabled. I've made the necessary adjustments (I think). How can I check that TLS 1.0 is indeed disabled?
- If you first validate that TLS 1.0 works, then flip a single setting which explicitly says that it disables TLS 1.0 (i.e. restriction by protocol version, not ciphers) and then the previously successful check for TLS 1.0 fails, then you most likely changed the correct setting. But if you cannot verify this way that the documented setting results in the expected behavior and just want to make really sure that some arbitrary server has TLS 1.0 disabled, then it gets far more complicated. – Steffen Ullrich, Oct 3, 2018 at 8:13
- I found this site globalsign.ssllabs.com – Kritz, Oct 4, 2018 at 8:06
- This is just a branded version of the well-known ssllabs server test which works usually well if you have a public server (you did not say so) which is speaking HTTPS (you did not say this either, might have been a mail server or whatever). But, it only shows you which protocol works with the kind of test they do. They don't show which protocols do not work for the kind of tests they don't do, i.e. they show what protocols are definitely enabled but they cannot say for sure which are definitely disabled. – Steffen Ullrich, Oct 4, 2018 at 8:32
1 Answer
You can use OpenSSL to check that easily:

    openssl s_client -connect www.myhost.something:443 -tls1

If that succeeds, TLS version 1 is enabled.
- "If that succeeds, TLS version 1 is enabled." - but if this fails it does not mean that TLS 1.0 is disabled. It might just be that there are no shared ciphers, that the server requires a client certificate, that the server requires SNI... The OP did not ask how to make sure TLS 1.0 is enabled, he asked how to make sure it is disabled. – Steffen Ullrich, Oct 3, 2018 at 6:54
- @SteffenUllrich Then check if TLS 1.1 works afterward: if it does, then it can't very well be a cipher negotiation problem... The result of OpenSSL will contain all the necessary info to infer the cause of the failure. As for the client cert, the OP knows this and can adjust the command to his need. – Stephane, Oct 3, 2018 at 8:14
- Yes, something like this kind of double check is needed. Like I said in my comment to the question, which I wrote at the same time as you wrote your comment: best make sure that TLS 1.0 works, then flip the switch (change setting...) that explicitly says that it will disable the TLS 1.0 protocol version, and then check again that TLS 1.0 does not work any more. If the first check for TLS 1.0 succeeds and the second fails, one has most likely changed the relevant setting. – Steffen Ullrich, Oct 3, 2018 at 8:24
- You can also use https://www.ssllabs.com/ssltest/ – francis, Mar 19, 2021 at 5:16
- curl also can help with that: if you run curl --help all you'll see that there are flags --tlsv1.x, so just curl your endpoint with the corresponding flag for the TLS version you are testing. For example curl https://www.myhost.something --tlsv1.0 – Juan-Kabbali, Jun 27, 2024 at 14:51
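The double check argued for in the comments above (TLS 1.0 must fail with a protocol-version rejection, not a cipher or client-certificate failure, while a newer version still negotiates) as an added shell example; it is not part of the original answer or comments. www.myhost.something is the answer's placeholder host, and the s_client outputs embedded below are constructed, abbreviated samples so the script runs offline.

```shell
#!/bin/sh
# Added example: classify "openssl s_client -tls1 ..." output so that a failed
# handshake is not mistaken for "TLS 1.0 disabled" (hostnames are placeholders).

# Map the combined stdout+stderr of s_client to one verdict token.
classify_openssl_output() {
    case "$1" in
        *"alert protocol version"*)  echo disabled-by-version ;;          # server refused this version (alert 70)
        *"no protocols available"*)  echo client-cannot-speak-version ;;  # our own OpenSSL/config forbids it
        *"handshake failure"*|*"no shared cipher"*)
            echo handshake-failure ;;  # cipher mismatch or client-cert requirement, NOT proof the version is off
        *"Cipher is (NONE)"*)        echo failed-other ;;
        *)  # handshake completed: report the negotiated protocol from the SSL-Session block
            proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
            if [ -n "$proto" ]; then echo "enabled:$proto"; else echo no-session-info; fi ;;
    esac
}

# Probe one protocol version; -servername covers the SNI case raised in the comments.
probe_tls() {   # probe_tls HOST PORT FLAG   e.g. probe_tls www.myhost.something 443 -tls1
    classify_openssl_output "$(openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>&1)"
}

# The double check from the thread: TLS 1.0 counts as disabled only when the server
# rejects the version itself AND a newer version still negotiates.
tls10_verdict() {   # tls10_verdict RESULT_TLS1 RESULT_NEWER
    case "$1:$2" in
        enabled:*)                      echo "TLS 1.0 ENABLED ($1)" ;;
        disabled-by-version:enabled:*)  echo "TLS 1.0 disabled; newer version negotiated ($2)" ;;
        *)                              echo "inconclusive: -tls1 gave '$1', newer version gave '$2'" ;;
    esac
}

# Constructed sample outputs (abbreviated, not captured from a real host) for offline use.
SAMPLE_REJECTED='CONNECTED(00000003)
error:...:SSL routines::tlsv1 alert protocol version:...:SSL alert number 70
New, (NONE), Cipher is (NONE)'
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
if [ $# -ge 1 ]; then   # live mode: sh check_tls10.sh HOST [PORT]
    host=$1; port=${2:-443}
    r10=$(probe_tls "$host" "$port" -tls1); r12=$(probe_tls "$host" "$port" -tls1_2)
    echo "-tls1: $r10"; echo "-tls1_2: $r12"; tls10_verdict "$r10" "$r12"
else                    # offline demo on the constructed samples
    tls10_verdict "$(classify_openssl_output "$SAMPLE_REJECTED")" "$(classify_openssl_output "$SAMPLE_OK")"
fi
```

If your own OpenSSL build or openssl.cnf refuses TLS 1.0, -tls1 reports client-cannot-speak-version and proves nothing about the server. curl's --tlsv1.0 sets a minimum version rather than pinning one, so it needs --tls-max 1.0 to serve as an equivalent probe.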