To check which SSL/TLS protocol versions a server supports using OpenSSL, you can use the following command:
openssl s_client -connect example.com:443 -tls1_2
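Replace example.com with the domain name of the server you want to check, and replace 443 with the appropriate port number if the server does not use the default HTTPS port. You can replace -tls1_2 with another version flag, such as -tls1_1, -tls1 or -ssl3, to check whether the server supports that version.
For example, to check whether the server supports TLS 1.2, you can run: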
openssl s_client -connect example.com:443 -tls1_2
If the server supports TLS 1.2, you will see output similar to the following:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
---
Certificate chain
0 s:CN = example.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3542 bytes and written 394 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
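In this example, the handshake completed (the line SSL handshake has read 3542 bytes and written 394 bytes), and the line New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 shows that TLS 1.2 was used. To check other versions, replace -tls1_2 with the corresponding version flag.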
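The check described above can be scripted across several version flags. The following is an added example, not part of the original page: the function names, the sample strings and the -servername and -tls1_3 options are choices made here, and it reads the result from the "New, <protocol>, Cipher is <cipher>" line, because the "SSL handshake has read" line is printed on failed handshakes too.

```shell
#!/usr/bin/env bash
# Added example: decide from s_client output whether a version was negotiated.
# Usage: ./tlscheck.sh example.com 443   (no arguments: runs on the samples)

# Constructed samples: two lines of a successful run, and a failed handshake.
SAMPLE_OK='SSL handshake has read 3542 bytes and written 394 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='SSL handshake has read 7 bytes and written 188 bytes
New, (NONE), Cipher is (NONE)'

# Reads s_client output on stdin. Prints the protocol and returns 0 if a
# cipher was negotiated; prints nothing and returns 1 otherwise.
negotiated_protocol() {
    awk -F', ' '
        /^New, / {
            if ($2 != "(NONE)" && $3 !~ /\(NONE\)/) { print $2; found = 1 }
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# Tries each version flag against host ($1) and port ($2, default 443).
probe_versions() {
    host=$1
    port=${2:-443}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        # </dev/null closes stdin so s_client exits after the handshake.
        if proto=$(openssl s_client -connect "$host:$port" -servername "$host" \
                   "$flag" </dev/null 2>/dev/null | negotiated_protocol); then
            echo "$flag: accepted ($proto)"
        else
            # Also reached when the local openssl build does not offer $flag.
            echo "$flag: not negotiated"
        fi
    done
}

if [ "$#" -ge 1 ]; then
    probe_versions "$@"
else
    printf '%s\n' "$SAMPLE_OK" | negotiated_protocol
    printf '%s\n' "$SAMPLE_FAIL" | negotiated_protocol || echo "no protocol negotiated"
fi
```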