Use curl to force the TLS version for a host
Transport Layer Security (TLS) is a cryptographic protocol designed for secure communication over a computer network.
Its primary use is encrypting the traffic between clients and servers.
For example, a web browser such as Chrome, Edge, Safari, or Firefox connects over TLS to websites like Google.com, Facebook.com, and others.
To establish a secure connection, the client and server first negotiate the TLS version: the client advertises the versions it supports, and the server picks one it also accepts or aborts the handshake if there is no overlap.
In this task, our goal is to test how a host behaves with one specific TLS version. curl cannot force the server to do anything; what it can do is restrict what the client offers, using the --tlsvx.y flag (minimum version) together with the --tls-max x.y flag (maximum version). Here, x and y are the major and minor TLS version numbers. Setting both flags to the same value pins curl to exactly that version, so the server must either complete the handshake with it or reject the connection, which gives an unambiguous result for the version under test. Note that --tlsvx.y alone only sets a floor: curl --tlsv1.1 may still negotiate TLS 1.2 or 1.3 if the server prefers them, which is why --tls-max is needed as well.
Let's look at the examples below.
Use curl to force TLS 1.1
curl -vv https://google.com --tlsv1.1 --tls-max 1.1
The output below shows a successful TLS 1.1 handshake and an example response from the server:
$ curl -vv https://google.com --tlsv1.1 --tls-max 1.1
* Trying 142.250.196.78:443...
* Connected to google.com (142.250.196.78) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.1 (IN), TLS handshake, Certificate (11):
* TLSv1.1 (IN), TLS handshake, Server key exchange (12):
* TLSv1.1 (IN), TLS handshake, Server finished (14):
* TLSv1.1 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.1 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.1 (OUT), TLS handshake, Finished (20):
* TLSv1.1 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.1 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.1 / ECDHE-ECDSA-AES128-SHA
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.google.com
* start date: Dec 8 06:34:56 2021 GMT
* expire date: Mar 1 06:34:55 2022 GMT
* subjectAltName: host "google.com" matched cert's "google.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://google.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: google.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: google.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 301
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-4OW5SOqWd286PIMYe0km5A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< date: Wed, 01 May 2021 05:26:38 GMT
< expires: Fri, 31 May 2022 05:26:38 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host google.com left intact
Force curl to use TLS 1.1 against a host that doesn't support TLS 1.1
curl -vvv https://api.stripe.com --tlsv1.1 --tls-max 1.1
The output below shows a failed handshake: the host only permits TLS 1.2+, so it answers the ClientHello with a protocol_version alert and curl exits with code 35 (SSL connect error) without ever sending the HTTP request:
$ curl -vvv https://api.stripe.com --tlsv1.1 --tls-max 1.1
* Trying 13.228.224.121:443...
* Connected to api.stripe.com (13.228.224.121) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* LibreSSL: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection
curl: (35) LibreSSL: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
Force curl to use TLS 1.2
curl -v https://google.com --tlsv1.2 --tls-max 1.2
The output below shows a successful TLS 1.2 handshake and an example response from the server:
$ curl -v https://google.com --tlsv1.2 --tls-max 1.2
* Trying 142.250.196.78:443...
* Connected to google.com (142.250.196.78) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-SHA
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.google.com
* start date: Dec 8 06:34:56 2021 GMT
* expire date: Mar 1 06:34:55 2022 GMT
* subjectAltName: host "google.com" matched cert's "google.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://google.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: google.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: google.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 301
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-Ru7bZCjzLinD9FUbGiDpPw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< date: Wed, 01 May 2021 05:40:10 GMT
< expires: Fri, 31 May 2022 05:40:10 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host google.com left intact
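The three runs above are the manual form of a check that is usually worth automating: pin curl to each TLS version in turn and record which ones the host accepts. The script below is an added example, not part of the original post. It assumes a curl that understands --tls-max (7.54 or later) and reads the binary name from a CURL variable so that an offline test can substitute a stub; the classification relies on the same signals shown in the captures above, exit code 35 for a rejected handshake and the "* SSL connection using <proto> / <cipher>" line for an accepted one.

```shell
#!/bin/sh
# Added example (not from the original post): sweep TLS 1.0 through 1.3 against
# one host by pinning curl's minimum (--tlsvX.Y) and maximum (--tls-max X.Y)
# to the same version, then classify each handshake from curl's exit code and
# its -v trace. Assumptions: curl 7.54+ (for --tls-max) and a CURL variable
# that lets an offline test substitute a stub for the real binary.

CURL="${CURL:-curl}"

# classify_handshake EXIT_CODE VERBOSE_OUTPUT
#   exit 0  -> handshake completed; print the negotiated version and cipher
#              taken from the "* SSL connection using <proto> / <cipher>" line
#              (newer curl builds append more fields after the cipher; they are
#              kept as part of the same string)
#   exit 35 -> "SSL connect error": a server protocol_version alert, or a
#              client-side refusal to offer that version at all
#   other   -> some unrelated failure (DNS, timeout, ...), reported by code
classify_handshake() {
    rc="$1"
    out="$2"
    if [ "$rc" -eq 0 ]; then
        line=$(printf '%s\n' "$out" \
            | sed -n 's/^\* SSL connection using \([^ ]*\) \/ \(.*\)$/\1 \2/p' \
            | head -n 1)
        printf 'accepted %s\n' "${line:-unknown}"
    elif [ "$rc" -eq 35 ]; then
        printf 'rejected\n'
    else
        printf 'error %s\n' "$rc"
    fi
}

# probe_version HOST VERSION
# Runs one pinned handshake. -s silences the progress meter; -v still writes
# the handshake trace to stderr, so 2>&1 captures it for classification.
# The "&& rc=0 || rc=$?" form keeps a non-zero exit from aborting under set -e.
probe_version() {
    host="$1"
    ver="$2"
    out=$("$CURL" -sv -o /dev/null --max-time 10 \
              --tlsv"$ver" --tls-max "$ver" "https://$host/" 2>&1) \
        && rc=0 || rc=$?
    classify_handshake "$rc" "$out"
}

# tls_sweep HOST -> one line per version, e.g. "TLS 1.1: rejected"
tls_sweep() {
    host="$1"
    for ver in 1.0 1.1 1.2 1.3; do
        printf 'TLS %s: %s\n' "$ver" "$(probe_version "$host" "$ver")"
    done
}

# Usage: sh tls_sweep.sh api.stripe.com
if [ $# -gt 0 ]; then
    tls_sweep "$1"
fi
```

One caveat when reading the results: a "rejected" line only proves the server refused the version if curl's own TLS backend was willing to offer it. Many current builds (LibreSSL and OpenSSL 3.x at their default settings) will not speak TLS 1.0 or 1.1 at all, in which case curl fails before a ClientHello ever leaves the machine and still exits with code 35. Check curl --version for the backend, and confirm with the -v trace that a "Client hello" line was actually emitted before attributing the rejection to the server.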