OpenSSL notes

This note was created on 2023-11-17
This note was last edited on 2024-04-02

=== Check if a TLS version is supported by the server ===

$ openssl s_client -connect www.example.com:443 -tls1_3
$ openssl s_client -connect www.example.com:443 -tls1_2
$ openssl s_client -connect www.example.com:443 -tls1_1
$ openssl s_client -connect www.example.com:443 -tls1

=== List all supported TLS versions using Nmap ===

$ nmap --script ssl-enum-ciphers -p 443 www.example.com

=== Get certificate from server ===

If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address):

$ openssl s_client -showcerts -servername www.example.com -connect www.example.com:443
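
Added example (not part of the original note): a shell helper that splits the -showcerts output of the command above into one PEM file per certificate, so each certificate in the chain can be inspected on its own. The function names, the cert-N.pem file naming and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: split `openssl s_client -showcerts` output into PEM files.

# split_chain OUTDIR
# Reads s_client output on stdin, writes OUTDIR/cert-N.pem for each
# certificate (cert-0.pem is the first one the server sent) and prints
# the number of certificates found.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            file = sprintf("%s/cert-%d.pem", dir, n)
            inside = 1
        }
        inside { print > file }
        /^-----END CERTIFICATE-----/ {
            if (inside) { close(file); n++; inside = 0 }
        }
        END { print n + 0 }
    '
}

# Constructed sample in the shape of s_client -showcerts output.
# The certificate bodies are placeholders, not real certificates.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTBODY
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERTBODY
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.com
EOF
}

# Live usage (needs network access):
#   openssl s_client -showcerts -servername www.example.com \
#       -connect www.example.com:443 </dev/null | split_chain ./chain
```

Each resulting file can then be examined with, for example, openssl x509 -in chain/cert-0.pem -noout -subject -issuer -dates.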