Testing for Specific Versions of TLS Protocols Using curl

Ever need to restrict your web server to a specific TLS protocol version and want a quick way to confirm the setting took effect? Let’s check out how to use curl to do just that.

The command below runs curl with the parameters --tlsv1.1 --tls-max 1.1. The --tlsv1.1 option sets the minimum TLS protocol version and --tls-max 1.1 caps the maximum, so together they force the connection to use TLS 1.1. Adding the --verbose parameter lets you see the TLS handshake alongside the output sent to standard out.

The webserver here has a policy that allows only TLS version 1.2+. So in the output, when curl is forced to use TLS version 1.1, SSL_connect fails because the webserver only permits 1.2+.

curl https://www.notarealurl.com --verbose  --tlsv1.1 --tls-max 1.1
*   Trying 52.173.202.109...
* TCP_NODELAY set
* Connected to www.notarealurl.com (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.notarealurl.com:443 
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.notarealurl.com:443

Now, let’s tell curl to use TLS protocol version 1.2 with the parameters --tlsv1.2 --tls-max 1.2 and see if we can successfully access the webserver. The output below shows a successful TLS 1.2 handshake and some output from the webserver.

curl https://www.notarealurl.com --verbose  --tlsv1.2 --tls-max 1.2
*   Trying 52.173.202.109...
* TCP_NODELAY set
* Connected to www.notarealurl.com (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=ILLINOIS; L=CHICAGO; O=IT; CN=www.notarealurl.com
*  start date: May 14 00:00:00 2020 GMT
*  expire date: Jul  6 12:00:00 2022 GMT
*  subjectAltName: host "www.notarealurl.com" matched cert's "www.notarealurl.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.notarealurl.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: https://notarealurl.com/
< Server: Microsoft-IIS/10.0
< Set-Cookie: ApplicationGatewayAffinity=ca74a2f7c1dea41a8e5010ecf6deda4f944f5539661e08399d8fae0062592401;Path=/;Domain=www.notarealurl.com
< Set-Cookie: ApplicationGatewayAffinityCORS=ca74a2f7c1dea41a8e5010ecf6deda4f944f5539661e08399d8fae0062592401;Path=/;Domain=www.notarealurl.com;SameSite=None;Secure
< Date: Thu, 20 May 2021 13:48:14 GMT
< Content-Length: 148
< 
<head><title>Document Moved</title></head>
* Connection #0 to host www.notarealurl.com left intact
<body><h1>Object Moved</h1>This document may be found <a HREF="https://notarealurl.com/">here</a></body>
* Closing connection 0
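
The two manual runs above can be turned into a repeatable policy check. The script below is an added example, not part of the original post: it probes TLS 1.0 through 1.3 with the same --tlsvX --tls-max X pairing and separates a handshake rejection (curl exit code 35) from network errors that prove nothing. The function names, the CURL override variable and stub_curl (a constructed stand-in for a server that permits only TLS 1.2+) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check every TLS version
# against a minimum-version policy using the post's curl flags.
CURL=${CURL:-curl}   # assumption: overridable so a stub can replace curl

# probe_tls URL VERSION -> accepted | rejected | inconclusive(<exit code>)
probe_tls() {
    rc=0
    "$CURL" --silent --output /dev/null --connect-timeout 5 \
        "--tlsv$2" --tls-max "$2" "$1" || rc=$?
    case $rc in
        0)  echo accepted ;;
        35) echo rejected ;;             # curl error 35, as in the 1.1 run above
        *)  echo "inconclusive($rc)" ;;  # DNS/TCP failure, timeout, unsupported version
    esac
}

# audit_tls URL MIN -> one line per version; non-zero if a version below MIN connects
audit_tls() {
    bad=0
    for v in 1.0 1.1 1.2 1.3; do
        r=$(probe_tls "$1" "$v")
        verdict=ok
        if [ "${v#1.}" -lt "${2#1.}" ]; then
            case $r in
                accepted) verdict=VIOLATION; bad=1 ;;
                inconclusive*) verdict=RETEST ;;   # not proof of rejection
            esac
        fi
        echo "TLS $v: $r [$verdict]"
    done
    [ "$bad" -eq 0 ]
}

# Constructed stand-in for curl against a server that permits only TLS 1.2+.
stub_curl() {
    for a in "$@"; do
        case $a in --tlsv1.0|--tlsv1.1) return 35 ;; esac
    done
    return 0
}

if [ "$#" -gt 0 ]; then
    audit_tls "$1" "${2:-1.2}"        # real run: sh tls_audit.sh URL [MIN]
else
    CURL=stub_curl                    # offline demo against the stub
    audit_tls https://www.notarealurl.com 1.2
fi
```

A version reported as inconclusive should be retested rather than counted as blocked, since a timeout or a curl build without support for that TLS version also produces a non-zero exit code.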