如何在 Mac OS 上测试远程服务器是否支持 tls1.2
How to test if a remote server support tls1.2 on Mac OS
我用谷歌搜索并找到
命令:
openssl s_client -connect google.com:443 -tls1_2
由于 "unknown option -tls1_2" 错误,无法在 MacOS 上运行。
您可以使用 curl 来测试它。我相信 curl 是通过命令行工具安装在 OS X 上的。
$ curl https://google.com/ --tlsv1.2 --verbose
* Trying 46.134.192.54...
* Connected to google.com (46.134.192.54) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.google.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.43.0
> Accept: */*
感谢此页面上的 ,我编写了这个简单的脚本来测试服务器是否支持 TLS 1.0、1.1 和 1.2。这应该适用于任何 linux/unix 风格,我怀疑,并且绝对适用于 Mac,因为这就是我用来测试它的东西
$ tls_test.sh tls1test.salesforce.com
TLS1.2 is supported on tls1test.salesforce.com
TLS1.1 is supported on tls1test.salesforce.com
### TLS1.0 is NOT SUPPORTED on tls1test.salesforce.com ###
tls_test.sh
#!/usr/bin/env bash
die()
{
echo "$*"
exit;
}
# Get server to test, and timeout in seconds
server=
timeout_in_seconds=${2:-20}
case "$timeout_in_seconds" in
''|*[!0-9]*) die "Your timeout value should be an integer value, not ''"
esac
# where to log full responses to
dump_file=${3:-/tmp/__dump_tls_info}
rm -f "$dump_file"
show_help()
{
me=$(basename "[=11=]")
info=$(cat <<EOF
Shows which versions of TLS a server supports.
usage: $me SERVER {TIMEOUT_IN_SECONDS} {DUMP_FILE}
e.g. The following are public test servers that demonstrate
support for various TLS versions.
$ $me tls1test.salesforce.com # validate TLS 1.0 is blocked
$ $me tls-v1-0.badssl.com:1010 # validate only TLS 1.0 enabled
$ $me tls-v1-1.badssl.com:1011 # validate only TLS 1.1 enabled
$ $me smtp.gmail.com:465 # validate TLS 1.0+ are all supported
Note: default timeout in seconds is 20, and it dumps full output to $dump_file
EOF
)
echo "$info"
exit
}
if [ -z "$server" ]; then
show_help
fi
testTLS()
{
tls=""
tlsDisplay=${2:-}
if [ -n "$tls" ]; then
tls_cmd="--tlsv"
else
tls_cmd=""
fi
CMD="curl --max-time "$timeout_in_seconds" -v -I --silent "$tls_cmd" "https://$server/""
OUT=$($CMD 2>&1)
CURL_VERSION=$(curl --version)
OUT_CURL_OLD=$(echo "$OUT" | grep "option --tls" | grep "unknown")
OUT_TLS=$(echo "$OUT" | grep "topped the pause stream")
OUT_TLS_HANDSHAKE=$(echo "$OUT" | grep "handshake fail")
OUT_TIMEOUT=$(echo "$OUT" | grep "onnection timed out after")
{
echo
echo "#######################################"
echo "testing TLS$tls is supported on $server"
echo "curl version: $CURL_VERSION"
echo "curl location: `which curl`"
echo "os version: `sw_vers`"
echo "ran the following:"
echo "$CMD"
echo "$OUT"
echo
} >> "$dump_file"
if [ -n "$OUT_TIMEOUT" ]; then
echo "connection to $server timed out after $timeout_in_seconds seconds"
fi
if [ -n "$OUT_CURL_OLD" ]; then
echo "Your version of curl is too old, and can't test for TLS $tls support"
return;
fi
if [ -n "$OUT_TLS" ]; then
echo "### TLS $tlsDisplay is NOT SUPPORTED on $server ###"
else
if [ -n "$OUT_TLS_HANDSHAKE" ]; then
echo "### TLS $tlsDisplay is NOT SUPPORTED on $server ###"
else
echo "TLS $tlsDisplay is supported on $server"
fi
fi
}
testTLS 1.2
testTLS 1.1
testTLS 1.0
您可以尝试这样的操作:
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.google.com
这可能是因为您的 openssl 很旧,没有 TLSv1.2 更新。请考虑升级您的 openssl 然后它应该工作。
我已经在我的 Mac 上测试过了,效果很好。同样,现在市场上有 TLSv1.3,但我还没有将我的 Openssl 升级到最新版本,所以,-tls1_3 我得到了同样的错误
我用谷歌搜索并找到
命令:
openssl s_client -connect google.com:443 -tls1_2
由于 "unknown option -tls1_2" 错误,无法在 MacOS 上运行。
您可以使用 curl 来测试它。我相信 curl 是通过命令行工具安装在 OS X 上的。
$ curl https://google.com/ --tlsv1.2 --verbose
* Trying 46.134.192.54...
* Connected to google.com (46.134.192.54) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.google.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.43.0
> Accept: */*
感谢此页面上的
$ tls_test.sh tls1test.salesforce.com
TLS1.2 is supported on tls1test.salesforce.com
TLS1.1 is supported on tls1test.salesforce.com
### TLS1.0 is NOT SUPPORTED on tls1test.salesforce.com ###
tls_test.sh
#!/usr/bin/env bash
die()
{
echo "$*"
exit;
}
# Get server to test, and timeout in seconds
server=
timeout_in_seconds=${2:-20}
case "$timeout_in_seconds" in
''|*[!0-9]*) die "Your timeout value should be an integer value, not ''"
esac
# where to log full responses to
dump_file=${3:-/tmp/__dump_tls_info}
rm -f "$dump_file"
show_help()
{
me=$(basename "[=11=]")
info=$(cat <<EOF
Shows which versions of TLS a server supports.
usage: $me SERVER {TIMEOUT_IN_SECONDS} {DUMP_FILE}
e.g. The following are public test servers that demonstrate
support for various TLS versions.
$ $me tls1test.salesforce.com # validate TLS 1.0 is blocked
$ $me tls-v1-0.badssl.com:1010 # validate only TLS 1.0 enabled
$ $me tls-v1-1.badssl.com:1011 # validate only TLS 1.1 enabled
$ $me smtp.gmail.com:465 # validate TLS 1.0+ are all supported
Note: default timeout in seconds is 20, and it dumps full output to $dump_file
EOF
)
echo "$info"
exit
}
if [ -z "$server" ]; then
show_help
fi
testTLS()
{
tls=""
tlsDisplay=${2:-}
if [ -n "$tls" ]; then
tls_cmd="--tlsv"
else
tls_cmd=""
fi
CMD="curl --max-time "$timeout_in_seconds" -v -I --silent "$tls_cmd" "https://$server/""
OUT=$($CMD 2>&1)
CURL_VERSION=$(curl --version)
OUT_CURL_OLD=$(echo "$OUT" | grep "option --tls" | grep "unknown")
OUT_TLS=$(echo "$OUT" | grep "topped the pause stream")
OUT_TLS_HANDSHAKE=$(echo "$OUT" | grep "handshake fail")
OUT_TIMEOUT=$(echo "$OUT" | grep "onnection timed out after")
{
echo
echo "#######################################"
echo "testing TLS$tls is supported on $server"
echo "curl version: $CURL_VERSION"
echo "curl location: `which curl`"
echo "os version: `sw_vers`"
echo "ran the following:"
echo "$CMD"
echo "$OUT"
echo
} >> "$dump_file"
if [ -n "$OUT_TIMEOUT" ]; then
echo "connection to $server timed out after $timeout_in_seconds seconds"
fi
if [ -n "$OUT_CURL_OLD" ]; then
echo "Your version of curl is too old, and can't test for TLS $tls support"
return;
fi
if [ -n "$OUT_TLS" ]; then
echo "### TLS $tlsDisplay is NOT SUPPORTED on $server ###"
else
if [ -n "$OUT_TLS_HANDSHAKE" ]; then
echo "### TLS $tlsDisplay is NOT SUPPORTED on $server ###"
else
echo "TLS $tlsDisplay is supported on $server"
fi
fi
}
testTLS 1.2
testTLS 1.1
testTLS 1.0
您可以尝试这样的操作:
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.google.com
这可能是因为您的 openssl 很旧,没有 TLSv1.2 更新。请考虑升级您的 openssl 然后它应该工作。
我已经在我的 Mac 上测试过了,效果很好。同样,现在市场上有 TLSv1.3,但我还没有将我的 Openssl 升级到最新版本,所以,-tls1_3 我得到了同样的错误