Verifying supported OpenSSL Transport Layer Security protocols
This document (000021475) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12
Situation
How to determine which Transport Layer Security (TLS) protocols are available from an installed OpenSSL package in SUSE Linux Enterprise Server (SLES).
Resolution
There are two ways to verify which protocol (TLS or SSL) an openssl client supports.
Method 1 : 'openssl ciphers' command. Example (from a SLES 15 Service Pack 5):
Note: On a SLES 12 SP5 the output is slightly different, partly caused by inconsistent reporting by the openssl command-line tool in the different versions of the package:
First of all the openssl package in SLES 12 SP5 does not support TLS v. 1.3.
But also SSLv3 covers SSLv3, TLS 1.0 and 1.1 (as the supported ciphers for those 3 are the same).
So, while TLSv1 is not listed, the openssl package does in fact support it.
Method 2: openssl SSL/TLS client program by specifying the SSL/TLS protocol to connect with to remote host.
Relevant protocols : ssl3, tls1, tls1_1, tls1_2, tls1_3
Run a command like the below and look/grep for TLS :
In case the openssl package does not support the protocol, an error like the following (from a SLES 12 SP5) will be returned :
Method 1 : 'openssl ciphers' command. Example (from a SLES 15 Service Pack 5):
openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3
Note: On a SLES 12 SP5 the output is slightly different, partly caused by inconsistent reporting by the openssl command-line tool in the different versions of the package:
openssl ciphers -v | awk '{print $2}' | sort | uniq SSLv3 TLSv1.2
First of all the openssl package in SLES 12 SP5 does not support TLS v. 1.3.
But also SSLv3 covers SSLv3, TLS 1.0 and 1.1 (as the supported ciphers for those 3 are the same).
So, while TLSv1 is not listed, the openssl package does in fact support it.
Method 2: openssl SSL/TLS client program by specifying the SSL/TLS protocol to connect with to remote host.
Usage : openssl s_client -connect ;:443 -
Relevant protocols : ssl3, tls1, tls1_1, tls1_2, tls1_3
Run a command like the below and look/grep for TLS :
> openssl s_client -connect updates.suse.com:443 -tls1_2 ... issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1 New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Protocol ;: TLSv1.2 ...
In case the openssl package does not support the protocol, an error like the following (from a SLES 12 SP5) will be returned :
openssl s_client -connect updates.suse.com:443 -tls1_3 unknown option -tls1_3
Additional Information
For completeness :
- TLSv1.2 covers TLS 1.2.
- TLSv1.3 covers TLS 1.3.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021475
- Creation Date: 27-Jun-2024
- Modified Date:01-Jul-2024
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
