โ† scripts 6 min read
Contents

Overview of the Script

This bash script allows users to test the availability of different versions of Transport Layer Security (TLS) on a given server by prompting for an IP address or hostname. The script checks whether the server supports TLS versions 1.0, 1.1, 1.2, and 1.3 by attempting to establish a connection using the openssl s_client command.

Breakdown of the Script

Let's go through the key components of the script:

  1. Prompting for Input:

    read -p "Enter the IP address or hostname to test: " HOST

    This line prompts the user to input the IP address or hostname of the server they want to test. The input is stored in the HOST variable for use throughout the script.

  2. Testing TLS 1.0:

    echo "Testing TLS v1.0"
    openssl s_client -connect "$HOST:443" -tls1

    The openssl s_client command attempts to connect to the server using the TLS 1.0 protocol by specifying -tls1. If the server supports TLS 1.0, the command will return a successful connection with relevant details about the certificate and encryption methods. The echo command outputs a message indicating that TLS 1.0 is being tested.

  3. Testing TLS 1.1:

    echo "Testing TLS 1.1"
    openssl s_client -connect "$HOST:443" -tls1_1

    Similarly, the script tests for support of TLS 1.1 using the -tls1_1 option with openssl s_client. This helps determine if the server still supports this version of the protocol.

  4. Testing TLS 1.2:

    echo "Testing TLS 1.2"
    openssl s_client -connect "$HOST:443" -tls1_2

    The script checks for the more secure TLS 1.2 by specifying -tls1_2. This version of the protocol has been widely adopted for secure communications and is recommended over older versions like 1.0 and 1.1.

  5. Testing TLS 1.3 (if applicable):

    echo "Testing TLS 1.3"
    openssl s_client -connect "$HOST:443" -tls1_3

    The script concludes by checking for the latest version, TLS 1.3. If supported, this provides the most up-to-date and secure communication protocol.

  6. Formatting:

    printf "\n\n\n\n"

    After each test, the script outputs some blank lines for readability and separation between each TLS version's test results.

Importance of Using TLS 1.2 vs. 1.1 and 1.0

Transport Layer Security (TLS) is a critical protocol used to encrypt communications between web servers and clients, ensuring that data exchanged over the internet remains private and secure. Each version of TLS has brought improvements in terms of security features, and it is important to understand the differences between them.

TLS 1.0 (Deprecated):

TLS 1.1 (Deprecated):

TLS 1.2 (Current Standard):

TLS 1.3 (Modern Standard):

Why TLS 1.2 and TLS 1.3 Are Important

Using TLS 1.2 or TLS 1.3 is essential for ensuring the highest level of security for web communications. Older versions like TLS 1.0 and 1.1 are no longer secure and leave data vulnerable to interception and tampering. Some key reasons to prefer TLS 1.2 or higher include:

Full Bash Script Code

Here is the full bash script discussed in this article:

#!/bin/bash

# Prompt user for IP or hostname
read -p "Enter the IP address or hostname to test: " HOST

# Test TLS 1.0
echo "Testing TLS v1.0"
openssl s_client -connect "$HOST:443" -tls1
printf "\n\n\n\n"

# Test TLS 1.1
echo "Testing TLS 1.1"
openssl s_client -connect "$HOST:443" -tls1_1
printf "\n\n\n\n"

# Test TLS 1.2
echo "Testing TLS 1.2"
openssl s_client -connect "$HOST:443" -tls1_2
printf "\n\n\n\n"

# Test TLS 1.3 (if applicable)
echo "Testing TLS 1.3"
openssl s_client -connect "$HOST:443" -tls1_3

Sample Output:

Testing TLS 1.0 (Fail)

Testing TLS v1.0
CONNECTED(00000003)
140736253109120:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 197 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Testing TLS 1.2 (Success)

Testing TLS 1.2
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:CN = *.google.com, O = Google LLC, L = Mountain View, ST = California, C = US
   i:CN = DigiCert SHA2 Secure Server CA, O = DigiCert Inc, C = US
 1 s:CN = DigiCert SHA2 Secure Server CA, O = DigiCert Inc, C = US
   i:CN = DigiCert Global Root CA, O = DigiCert Inc, C = US
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIQCKvB6FgUAAAAAAAAAAAABzzANBgkqhkiG9w0BAQsFADA
... (certificate continues)
-----END CERTIFICATE-----
subject=CN = *.google.com, O = Google LLC, L = Mountain View, ST = California, C = US

issuer=CN = DigiCert SHA2 Secure Server CA, O = DigiCert Inc, C = US
---
No client certificate CA names sent
---
SSL handshake has read 4527 bytes and written 489 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0EA5A...(session id continues)
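The script above leaves the reader to judge each transcript by eye, and the sample output shows why that is error-prone: the failed TLS 1.0 attempt still prints "Verification: OK" and "Verify return code: 0 (ok)", so those lines are not evidence that a version was accepted. The following is an added example, not the article's script, that wraps the same four openssl s_client probes in functions, classifies each transcript from the "Cipher is (NONE)" and "Protocol : TLSv1.x" lines, and gates on any deprecated version still enabled. It assumes openssl is on PATH, takes the host as $1 and the port as $2 (default 443), adds -servername for SNI and </dev/null so each probe returns without waiting for Ctrl-D; the two transcripts embedded in it are constructed from the sample output above, and the functions tls_classify, tls_probe, tls_report and tls_flag_legacy are names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not the article's script): probe a host for each TLS version
# with openssl s_client, classify each transcript, and gate on legacy versions.
# Assumptions: openssl is in PATH; host is $1 and port is $2 (default 443).
# The two transcripts below are constructed from the article's sample output.

# tls_classify: read one s_client transcript on stdin and print a verdict.
# "Cipher is (NONE)" is checked first: some OpenSSL builds still print an
# SSL-Session block with a Protocol line after a failed handshake, and
# "Verification: OK" / "Verify return code: 0 (ok)" appear there too, so
# none of those lines proves the version was accepted.
tls_classify() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
        echo "not supported"
    elif printf '%s\n' "$transcript" | grep -Eq '^ *Protocol *: *TLSv1(\.[1-3])? *$'; then
        echo "supported"          # TLS 1.0 prints "TLSv1", later versions "TLSv1.x"
    else
        echo "error"              # connection refused, timeout, DNS failure, ...
    fi
}

# tls_probe HOST PORT FLAG: run one s_client attempt (e.g. FLAG=-tls1_2).
tls_probe() {
    # </dev/null: s_client reads stdin until EOF, so without the redirect each
    # probe blocks until the user presses Ctrl-D. -servername sends SNI, which a
    # virtual-hosted server needs to pick the right certificate.
    openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>&1 \
        | tls_classify
}

# tls_report HOST [PORT]: one "version verdict" line per TLS version.
tls_report() {
    port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "${flag#-}" "$(tls_probe "$1" "$port" "$flag")"
    done
}

# tls_flag_legacy: read a tls_report table on stdin, print any deprecated
# version (1.0 or 1.1) still enabled, and return 1 if there is one (CI gate).
tls_flag_legacy() {
    legacy=$(awk '($1 == "tls1" || $1 == "tls1_1") && $2 == "supported" { print $1 }')
    [ -z "$legacy" ] && return 0
    printf '%s\n' "$legacy"
    return 1
}

# Constructed transcripts, trimmed from the article's sample output.
SAMPLE_TLS10_REFUSED='CONNECTED(00000003)
140736253109120:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
New, (NONE), Cipher is (NONE)
Verification: OK
Verify return code: 0 (ok)'

SAMPLE_TLS12_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# tls_demo_offline: classify the constructed transcripts and gate a constructed
# report; runs when no host is given, so it needs no network.
tls_demo_offline() {
    printf 'sample TLS 1.0 transcript: %s\n' "$(printf '%s\n' "$SAMPLE_TLS10_REFUSED" | tls_classify)"
    printf 'sample TLS 1.2 transcript: %s\n' "$(printf '%s\n' "$SAMPLE_TLS12_OK" | tls_classify)"
    if printf 'tls1     not supported\ntls1_1   supported\ntls1_2   supported\ntls1_3   error\n' | tls_flag_legacy; then
        echo "gate: no deprecated versions enabled"
    else
        echo "gate: deprecated version(s) listed above are still enabled"
    fi
}

if [ "$#" -gt 0 ]; then
    report=$(tls_report "$1" "${2:-443}")
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | tls_flag_legacy; then
        echo "no deprecated versions enabled"
    else
        echo "deprecated version(s) above are still enabled"
    fi
else
    tls_demo_offline    # no host given: exercise the parser on the samples
fi
```

Run it as `./tlsprobe.sh example.test 443` to get a four-line table plus the gate verdict; with no arguments it only classifies the embedded samples. The "error" verdict is kept separate from "not supported" on purpose: a refused connection or a timeout says nothing about which versions the server accepts, and folding it into a pass or fail would hide outages from the CI gate.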

Conclusion

This bash script is a useful tool for testing whether a server supports various versions of TLS. As older versions like TLS 1.0 and 1.1 are deprecated, it is crucial to ensure that servers are using at least TLS 1.2 or 1.3 for secure communications. The use of modern TLS protocols not only helps safeguard data but also ensures compliance with industry standards and provides compatibility with current technologies.