Check the TLS versions a server supports against a defined minimum allowed version
#!/bin/bash
# tlscheck checks whether a specified host supports the defined minimum TLS version and higher.
# This is helpful to ensure hardening (i.e. does my server support 1.2 and newer only?).
# Exit codes above 9 signal which TLS version check failed (i.e. 11 = TLS 1.1).
# Exit codes below 6 signal wrong syntax.
# Exit code 6 means it could not connect at all.
# ----------------------------------------------------------------------------------------
# https://github.com/ozzi-
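if [ $# -ne 2 ]; then
  echo "Provide a command line argument for the URL you want to check (i.E. google.ch) and the minimum version (1.0 , 1.1 , 1.2 , 1.3)"
  exit 4
fi
url=$1
minVer=$2
# Accepted minimum versions. The original wrote ("1.0","1.1","1.2","1.3"), which is a
# single element "1.0,1.1,1.2,1.3"; the substring test against it also accepted
# inputs such as "1", "." or "," and let them through to the version arithmetic below.
versions=("1.0" "1.1" "1.2" "1.3")
validMinVer=0
for candidate in "${versions[@]}"; do
  # exact match only
  if [[ "$minVer" == "$candidate" ]]; then
    validMinVer=1
  fi
done
if [ "$validMinVer" -eq 1 ]; then
  echo "Checking if $url supports TLS $minVer or higher"
  echo ""
else
  echo "Second parameter defines minimum tls version valid values are: 1.0, 1.1, 1.2 or 1.3"
  exit 5
fi
# Reachability probe with openssl's default protocol set; the output is discarded
# (every later probe overwrites $temp). "$url" is quoted so a host argument containing
# shell metacharacters is passed to openssl verbatim instead of being word-split.
if ! temp=$(openssl s_client -connect "$url:443" 2>&1 <<< 'Q'); then
  echo "Could not connect to $url"
  exit 6
fi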
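#######################################
# Classify one TLS probe result held in globals set by the caller.
# Globals:   ver    (read) - TLS version just probed, e.g. "1.2"
#            minVer (read) - minimum version the server must accept
#            temp   (read) - openssl s_client output of that probe
# Outputs:   one OK/NOK line on stdout
# Returns:   0 when the observed behaviour matches the policy; otherwise the
#            script exits with 10 + the minor number of the offending version
#            (e.g. 11 for TLS 1.1)
#######################################
evaluate() {
  local curVerL minVerL
  # minor version digit: "1.2" -> "2"
  curVerL=${ver:2:3}
  minVerL=${minVer:2:3}
  # A server that refuses the probed version answers with a protocol_version alert,
  # which openssl prints as "alert protocol version".
  # NOTE(review): any other failure that prints no such alert (a handshake failure
  # for another reason, or a local openssl that does not understand the -tls1_x
  # option) falls into the "succeeded" branch below — confirm the local openssl
  # supports every probed version before trusting an "OK ... connection succeeded".
  if grep -q "alert protocol version" <<< "$temp"; then
    # failed
    if [ "$curVerL" -ge "$minVerL" ]; then
      echo "NOK TLS $ver is not supported although it is required by minimum version set"
      exit $((curVerL + 10))
    else
      echo "OK TLS $ver is not allowed"
    fi
  else
    # succeeded
    if [ "$curVerL" -ge "$minVerL" ]; then
      echo "OK TLS $ver connection succeeded"
    else
      echo "NOK TLS $ver connection succeeded although it is below minimum version set"
      # was "$curVerlL" (typo, unset) so this path always exited with 10 regardless of version
      exit $((curVerL + 10))
    fi
  fi
}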
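# Probe each TLS version in ascending order, forcing exactly one protocol per
# openssl s_client run, then let evaluate() judge the result against $minVer.
# Globals written: ver, temp (read by evaluate). "$url" is quoted so the host
# argument is passed verbatim.
for ver in 1.0 1.1 1.2 1.3; do
  case "$ver" in
    1.0) tlsFlag=-tls1 ;;
    1.1) tlsFlag=-tls1_1 ;;
    1.2) tlsFlag=-tls1_2 ;;
    1.3) tlsFlag=-tls1_3 ;;
  esac
  temp=$(openssl s_client -connect "$url:443" "$tlsFlag" -status 2>&1 <<< 'Q')
  evaluate
done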