ozzi-/tlscheck.sh

## tlscheck.sh
#!/bin/bash

# tlscheck will check if a specified url supports the defined mimum tls version and higher
# this is helpful to ensure hardening (i.E. does my server support 1.2 and newer only?)
# exit codes above 9 will signalize the tls version check that failed (i.E. 11 = TLS 1.1)
# exit codes below 6 will signalize wrong syntax
# exit code 6 means could not connect at all
# ----------------------------------------------------------------------------------------
# https://github.com/ozzi-

if [ $# -ne 2 ]; then
  echo "Provide a command line argument for the URL you want to check (i.E. google.ch) and the minimum version (1.0 , 1.1 , 1.2 , 1.3)"
  exit 4
fi
url=$1
minVer=$2

versions=("1.0","1.1","1.2","1.3")
if [[ " ${versions[*]} " == *"$minVer"* ]]; then
  echo "Checking if $url supports TLS $minVer or higher"
  echo ""
else
  echo "Second parameter defines minimum tls version valid values are: 1.0, 1.1, 1.2 or 1.3"
  exit 5
fi

temp=$(openssl s_client -connect $url:443 2>&1 <<< 'Q')
if [ $? -ne 0 ]; then
  echo "Could not connect to $url"
  exit 6
fi

function evaluate {
  curVerL=$(echo "${ver:2:3}")
  minVerL=$(echo "${minVer:2:3}")
  res=$(echo $temp | grep "alert protocol version")
  # failed
  if [ $? -eq 0 ]; then
    if [ $curVerL -ge $minVerL ]; then
      echo "NOK TLS $ver is not supported although it is required by minimum version set"
      exit $(($curVerL+10))
    else
      echo "OK TLS $ver is not allowed"
    fi
  # succeeded
  else
    if [ $curVerL -ge $minVerL ]; then
      echo "OK TLS $ver connection succeeded"
    else
      echo "NOK TLS $ver connection succeeded although it is below minimum version set"
      exit $(($curVerlL+10))
    fi
  fi
}

ver="1.0"
temp=$(openssl s_client -connect $url:443 -tls1 -status 2>&1 <<< 'Q')
evaluate

ver="1.1"
temp=$(openssl s_client -connect $url:443 -tls1_1 -status 2>&1 <<< 'Q')
evaluate

ver="1.2"
temp=$(openssl s_client -connect $url:443 -tls1_2 -status 2>&1 <<< 'Q')
evaluate

ver="1.3"
temp=$(openssl s_client -connect $url:443 -tls1_3 -status 2>&1 <<< 'Q')
evaluate
	#!/bin/bash

	# tlscheck will check if a specified url supports the defined mimum tls version and higher
	# this is helpful to ensure hardening (i.E. does my server support 1.2 and newer only?)
	# exit codes above 9 will signalize the tls version check that failed (i.E. 11 = TLS 1.1)
	# exit codes below 6 will signalize wrong syntax
	# exit code 6 means could not connect at all
	# ----------------------------------------------------------------------------------------
	# https://github.com/ozzi-

	if [ $# -ne 2 ]; then
	echo "Provide a command line argument for the URL you want to check (i.E. google.ch) and the minimum version (1.0 , 1.1 , 1.2 , 1.3)"
	exit 4
	fi
	url=$1
	minVer=$2

	versions=("1.0","1.1","1.2","1.3")
	if [[ " ${versions[]} " == "$minVer"* ]]; then
	echo "Checking if $url supports TLS $minVer or higher"
	echo ""
	else
	echo "Second parameter defines minimum tls version valid values are: 1.0, 1.1, 1.2 or 1.3"
	exit 5
	fi

	temp=$(openssl s_client -connect $url:443 2>&1 <<< 'Q')
	if [ $? -ne 0 ]; then
	echo "Could not connect to $url"
	exit 6
	fi

	function evaluate {
	curVerL=$(echo "${ver:2:3}")
	minVerL=$(echo "${minVer:2:3}")
	res=$(echo $temp \| grep "alert protocol version")
	# failed
	if [ $? -eq 0 ]; then
	if [ $curVerL -ge $minVerL ]; then
	echo "NOK TLS $ver is not supported although it is required by minimum version set"
	exit $(($curVerL+10))
	else
	echo "OK TLS $ver is not allowed"
	fi
	# succeeded
	else
	if [ $curVerL -ge $minVerL ]; then
	echo "OK TLS $ver connection succeeded"
	else
	echo "NOK TLS $ver connection succeeded although it is below minimum version set"
	exit $(($curVerlL+10))
	fi
	fi
	}

	ver="1.0"
	temp=$(openssl s_client -connect $url:443 -tls1 -status 2>&1 <<< 'Q')
	evaluate

	ver="1.1"
	temp=$(openssl s_client -connect $url:443 -tls1_1 -status 2>&1 <<< 'Q')
	evaluate

	ver="1.2"
	temp=$(openssl s_client -connect $url:443 -tls1_2 -status 2>&1 <<< 'Q')
	evaluate

	ver="1.3"
	temp=$(openssl s_client -connect $url:443 -tls1_3 -status 2>&1 <<< 'Q')
	evaluate