Ever need to set your web server a specific protocol version of TLS for web servers and need a quick way to test that out to confirm? Let’s check out how to use curl to go just that.
This code here uses curl with the parameters --tlsv1.1 --tls-max 1.1, which will force the max TLS protocol version to 1.1. Using the --verbose parameter gives you the ability to see the TLS handshake and get the output sent to standard out.
The webserver here has a policy that allows only TLS version 1.2+. So in the output, when forcing curl to use TLS version 1.1, the SSL_connect fails since the webserver only permits 1.2+
curl https://www.notarealurl.com --verbose --tlsv1.1 --tls-max 1.1* Trying 52.173.202.109...* TCP_NODELAY set* Connected to www.notarealurl.com (1.2.3.4) port 443 (#0)* ALPN, offering h2* ALPN, offering http/1.1* successfully set certificate verify locations:* CAfile: /etc/ssl/cert.pem CApath: none* TLSv1.1 (OUT), TLS handshake, Client hello (1):* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.notarealurl.com:443 * Closing connection 0caliases: - /blog(35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.notarealurl.com:443 Now, let’s tell curl to use TLS protocol version of 1.2 with the parameters --tlsv1.2 --tls-max 1.2 and see if we can successfully access the webserver. The output below shows a successful TLS 1.2 TLS handshake and some output from the webserver.
curl https://www.notarealurl.com --verbose --tlsv1.2 --tls-max 1.2* Trying 52.173.202.109...* TCP_NODELAY set* Connected to www.notarealurl.com (1.2.3.4) port 443 (#0)* ALPN, offering h2* ALPN, offering http/1.1* successfully set certificate verify locations:* CAfile: /etc/ssl/cert.pem CApath: none* TLSv1.2 (OUT), TLS handshake, Client hello (1):* TLSv1.2 (IN), TLS handshake, Server hello (2):* TLSv1.2 (IN), TLS handshake, Certificate (11):* TLSv1.2 (IN), TLS handshake, Server key exchange (12):* TLSv1.2 (IN), TLS handshake, Server finished (14):* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):* TLSv1.2 (OUT), TLS handshake, Finished (20):* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):* TLSv1.2 (IN), TLS handshake, Finished (20):* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384* ALPN, server did not agree to a protocol* Server certificate:* subject: C=US; ST=ILLINOIS; L=CHICAGO; O=IT; CN=www.notarealurl.com* start date: May 14 00:00:00 2020 GMT* expire date: Jul 6 12:00:00 2022 GMT* subjectAltName: host "www.notarealurl.com" matched cert's "www.notarealurl.com"* issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA* SSL certificate verify ok.> GET / HTTP/1.1> Host: www.notarealurl.com> User-Agent: curl/7.64.1> Accept: */*> < HTTP/1.1 301 Moved Permanently< Content-Type: text/html; charset=UTF-8< Location: https://notarealurl.com/< Server: Microsoft-IIS/10.0< Set-Cookie: ApplicationGatewayAffinity=ca74a2f7c1dea41a8e5010ecf6deda4f944f5539661e08399d8fae0062592401;Path=/;Domain=www.notarealurl.com< Set-Cookie: ApplicationGatewayAffinityCORS=ca74a2f7c1dea41a8e5010ecf6deda4f944f5539661e08399d8fae0062592401;Path=/;Domain=www.notarealurl.com;SameSite=None;Secure< Date: Thu, 20 May 2021 13:48:14 GMT< Content-Length: 148< <head><title>Document Moved</title></head>* Connection #0 to host www.notarealurl.com left intact<body><h1>Object Moved</h1>This document may be found <a HREF="https://notarealurl.com/">here</a></body>* Closing connection 0