Check My Client For TLS 1.2 Mac

Active 9 months ago

If the Configuration Manager client does not communicate with site role endpoints (such as distribution points, management points, and state migration points), verify that Windows has been updated to support TLS 1.2 for client-server communication by using WinHTTP.

  1. Thanks to this great answer on this page, I wrote this simple script to test a server for TLS 1.0, 1.1, and 1.2 support. This should work on any Linux/Unix flavor, I suspect, and definitely works on Mac, as that's what I'm using to test it.
  2. Since the server I am accessing supports TLS 1.0 - 1.2, I am expecting the Chrome browser to connect to the server via TLS 1.1, which is the most secure option that Chrome currently has with my configuration.
  3. Verify your SSL, TLS & Ciphers implementation. SSL verification is necessary to ensure your certificate parameters are displayed as expected. There are multiple ways to check an SSL certificate; however, testing through an online tool provides much useful information, listed below. This also helps you find any issues in advance instead of users complaining about them.

Is there a publicly accessible website which will only accept TLS 1.2 connections so that I can test to see if my application can successfully, securely connect to it?

Background:

I have an old VB.NET application running on Windows Server 2008 R2 (64-bit).

It has code like this:

From what I've read, ServerHTMLHTTP uses SChannel and you can't control the protocols used at the application level.

Windows Server 2008 R2 should support TLS 1.2, so I suspect the app will just work, but I'd like to verify by connecting to a site which only accepts TLS 1.2.

Riley Major

4 Answers

SSLLabs


As @schroeder pointed out in the comments, this site assesses the client capabilities and reports on them in the response:

Disadvantages:

  • The response is designed for human consumption in a browser. It's not crystal clear whether the response requires JavaScript to give a valid response. It appears not to be required, as we were able to show different responses as between a Windows 10 machine running the app and a Windows Server 2008 R2 server running the app.
  • The site doesn't allow a POST; it requires a GET. Our app could be configured either way, but some might not.
  • The site won't require TLS 1.2 in a way which emulates the behavior of sites which do.

FancySSL

As @paj28 pointed out in the comments, this site will only work if TLS 1.2 is available:

Disadvantages:

  • It appears to be an individual's site and despite a good Google rank, it doesn't seem like a long term stable solution.
  • According to @dave_thompson_085, fancyssl.hboeck.de may not work correctly if your client doesn't send SNI and doesn't handle (or mishandles) renegotiation.

Result

Unfortunately, our app did not work seamlessly on Windows 2008 R2. Trying the FancySSL site, it got this error:

The handle is in the wrong state for the requested operation

Trying the SSLLabs site, it got these results:

  • TLS 1.2: No
  • TLS 1.1: No
  • TLS 1.0: Yes*
  • SSL 3: Yes*
  • SSL 2: No


(*) Without JavaScript, this test reliably detects only the highest supported protocol.

When we run the same app on a Windows 10 or Windows Server 2012 R2, the app doesn't encounter the error and SSLLabs reports TLS 1.2 as available.


Another option I discovered:

Riley Major

The website: https://badssl.com/ supports various versions of TLS using different subdomains, so you can test lots of variations there!

This subdomain and port only supports TLSv1.2

This subdomain and port only supports TLSv1.1

This subdomain and port only supports TLSv1.0

and more. And if that domain disappears for some reason, the source to it is here on GitHub

Brad Parks

@paj28 appears to have pointed us in a good direction:


openssl s_server -tls1_2

You can launch an emulated TLS server and connect to it from your client. I'm not sure what settings you would need, or what, exactly, connecting would tell you, but it is a good, lightweight, and local resource you might be able to use for your needs.

schroeder
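
The local-server approach from the answer above, worked through as an added example (not part of the original post): it starts `openssl s_server -tls1_2` with a throwaway self-signed certificate and probes it once per protocol version with `openssl s_client`. The port number, temporary paths and function names are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Added example: local TLS 1.2-only endpoint plus per-version probes.
# PORT, the temp paths and all function names are assumptions of this sketch.
PORT="${PORT:-44330}"

start_tls12_server() {
  WORK="$(mktemp -d)" || return 1
  # Throwaway self-signed certificate for localhost (test use only).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1 || return 1
  # -tls1_2 makes the server speak only TLS 1.2; -www answers GET with a status page.
  openssl s_server -tls1_2 -accept "$PORT" -www \
    -cert "$WORK/cert.pem" -key "$WORK/key.pem" >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1
  kill -0 "$SERVER_PID" 2>/dev/null   # fails if the server exited (e.g. port busy)
}

stop_tls12_server() {
  kill "$SERVER_PID" 2>/dev/null || true
  wait "$SERVER_PID" 2>/dev/null || true
  rm -rf "$WORK"
}

# probe <s_client version flag>: prints "accepted" or "rejected".
# A flag the local openssl build does not know also reports "rejected".
probe() {
  local out
  out="$(openssl s_client "$1" -connect "127.0.0.1:$PORT" </dev/null 2>&1)" \
    || { echo rejected; return 0; }
  case "$out" in
    *"Cipher is (NONE)"*) echo rejected ;;
    *) echo accepted ;;
  esac
}

# Prints one line per protocol flag, e.g. "-tls1_2 accepted".
tls12_report() {
  start_tls12_server || { echo "server failed to start" >&2; return 1; }
  local flag
  for flag in -tls1_1 -tls1_2 -tls1_3; do
    echo "$flag $(probe "$flag")"
  done
  stop_tls12_server
}

# Stand-alone use: bash tls12-check.sh run
if [ "${1:-}" = "run" ]; then tls12_report; fi
```

To test an application instead of `s_client`, call `start_tls12_server`, point the application at `https://localhost:$PORT/` (it must be told to trust or ignore the self-signed certificate), then call `stop_tls12_server`.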

The best example is the NIST web:

www.nist.gov


AndrolGenhald
Azimuts
