Testing for Specific Versions of TLS Protocols Using curl

Ever need to set your web server to a specific TLS protocol version and want a quick way to confirm that the setting took effect? Let's look at how to use curl to do just that.

The command below runs curl with the parameters --tlsv1.1 --tls-max 1.1, which pin the TLS protocol version to 1.1 (--tlsv1.1 sets the minimum version and --tls-max 1.1 sets the maximum). Adding the --verbose parameter lets you see the TLS handshake step by step, with the output written to the terminal.

The web server here has a policy that allows only TLS 1.2 and above. So in the output, when curl is forced to use TLS 1.1, SSL_connect fails because the web server only permits 1.2+.

curl https://www.notarealurl.com --verbose  --tlsv1.1 --tls-max 1.1
*   Trying 52.173.202.109...
* TCP_NODELAY set
* Connected to www.notarealurl.com (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.notarealurl.com:443 
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.notarealurl.com:443 

Now let's tell curl to use TLS 1.2 with the parameters --tlsv1.2 --tls-max 1.2 and see if we can reach the web server. The output below shows a successful TLS 1.2 handshake followed by the response from the web server.

curl https://www.notarealurl.com --verbose  --tlsv1.2 --tls-max 1.2
*   Trying 52.173.202.109...
* TCP_NODELAY set
* Connected to www.notarealurl.com (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=ILLINOIS; L=CHICAGO; O=IT; CN=www.notarealurl.com
*  start date: May 14 00:00:00 2020 GMT
*  expire date: Jul  6 12:00:00 2022 GMT
*  subjectAltName: host "www.notarealurl.com" matched cert's "www.notarealurl.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.notarealurl.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: https://notarealurl.com/
< Server: Microsoft-IIS/10.0
< Set-Cookie: ApplicationGatewayAffinity=ca74a2f7c1dea41a8e5010ecf6deda4f944f5539661e08399d8fae0062592401;Path=/;Domain=www.notarealurl.com
< Set-Cookie: ApplicationGatewayAffinityCORS=ca74a2f7c1dea41a8e5010ecf6deda4f944f5539661e08399d8fae0062592401;Path=/;Domain=www.notarealurl.com;SameSite=None;Secure
< Date: Thu, 20 May 2021 13:48:14 GMT
< Content-Length: 148
< 
<head><title>Document Moved</title></head>
* Connection #0 to host www.notarealurl.com left intact
<body><h1>Object Moved</h1>This document may be found <a HREF="https://notarealurl.com/">here</a></body>
* Closing connection 0
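To turn the two manual runs above into a repeatable check, here is an added example (not from the original post) that pins curl to each TLS version in turn, exactly as the post does with --tlsv1.x and --tls-max, and reports which versions the server accepts. It assumes a curl build new enough to have --tls-max (7.54 or later) on PATH; the host name is whatever you pass as the first argument, and the sample log in the comments is constructed.

```shell
#!/bin/sh
# Added example: probe a web server for each TLS version by pinning curl's
# minimum (--tlsvX.Y) and maximum (--tls-max X.Y) to the same value.
# Assumes curl >= 7.54 (for --tls-max) is on PATH.

# Classify one curl --verbose run from its captured output ($1) and curl's
# exit code ($2). Prints "accepted <negotiated version>" or "rejected".
# The "SSL connection using TLSvX.Y / <cipher>" line is the same one the
# post's second run shows; it only appears when the handshake completed.
classify_tls_output() {
    output="$1"
    rc="$2"
    negotiated=$(printf '%s\n' "$output" \
        | sed -n 's/^\* SSL connection using \(TLSv1\.[0-3]\).*/\1/p' \
        | head -n 1)
    if [ "$rc" -eq 0 ] && [ -n "$negotiated" ]; then
        printf 'accepted %s\n' "$negotiated"
    else
        printf 'rejected\n'
    fi
}

# Run curl pinned to exactly one TLS version ($2) against https://$1/.
# --output /dev/null discards the page body so only the verbose log remains
# (the tip from the comments); --max-time keeps a silent server from hanging.
probe_tls_version() {
    host="$1"
    ver="$2"
    out=$(curl --silent --show-error --verbose --output /dev/null \
               --max-time 10 "--tlsv$ver" --tls-max "$ver" \
               "https://$host/" 2>&1)
    rc=$?
    classify_tls_output "$out" "$rc"
}

# Walk every TLS version curl knows and print one line per version.
report_tls_support() {
    host="$1"
    for ver in 1.0 1.1 1.2 1.3; do
        printf '%s TLS %s: %s\n' "$host" "$ver" "$(probe_tls_version "$host" "$ver")"
    done
}

# Only probe when a host was given, so the functions can also be sourced.
if [ -n "${1-}" ]; then
    report_tls_support "$1"
fi
```

A "rejected" result can also come from the client side: curl builds linked against a TLS library that no longer offers TLS 1.0 or 1.1 will fail before sending a Client hello, so check the verbose log for an "unsupported protocol" message before concluding the server rejected the version.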

2 thoughts on “Testing for Specific Versions of TLS Protocols Using curl”

  1. Charlie Arehart

    Very helpful, Anthony. Thanks for the tip.

    And I’d like to offer a couple related to this, if you’re ok with that.

    First, if it may help some folks who want to explore this technique but who may not have a domain of their own to test against, a great free resource is badssl.com, which offers various urls that present different kinds of ssl/tls issues. The front page talks about the many things it can support, and clicking anyone you get a URL that can be used (by your browser or a tool) to check out some behavior.

    So for example, if we run one of your examples against their variant of a domain that supports TLS 1.2, telling curl to use at most 1.1:

    curl https://tls-v1-2.badssl.com:1012/ --verbose --tlsv1.1 --tls-max 1.1

    …we get an error. (Fortunately, that URL is set to not accept a TLS version LESS than 1.2.) And if we change that max to 1.2, the command “works”.

    As a second tip: folks may find the output of the command is cluttered and lengthy because it also has the output of the web page being called itself. If you don’t need to see that, it can be hidden. Using curl’s -o or --output arg, we can just redirect that page output to null: on Linux use --output /dev/null, and on Windows use --output NUL.

