I'm on CentOS 5.9.

I'd like to determine from the linux shell if a remote web server specifically supports TLS 1.2 (as opposed to TLS 1.0). Is there an easy way to check for that?

I'm not seeing a related option on openssl but perhaps I'm overlooking something.

2 Answers 2


You should use openssl s_client, and the option you are looking for is -tls1_2.

An example command would be:

openssl s_client -connect google.com:443 -tls1_2

If you get the certificate chain and the handshake you know the system in question supports TLS 1.2. If you see don't see the certificate chain, and something similar to "handshake error" you know it does not support TLS 1.2. You can also test for TLS 1 or TLS 1.1 with -tls1 or tls1_1 respectively.

  • 8
    And keep in mind that you'll have to use a version of OpenSSL which does TLS 1.2, and that means CentOS 5 is right out. Commented Oct 21, 2014 at 20:49
  • 14
    Does not work on Mac OS X 10.11
    – Quanlong
    Commented Aug 21, 2015 at 7:33
  • Michael Hampton, only OOB setups: [me@server][~] cat /etc/redhat-release CentOS release 5.11 (Final) [me@server][~] openssl version OpenSSL 1.0.2d 9 Jul 2015 ;) Commented Aug 25, 2015 at 13:39
  • 12
    @Quanlong homebrew has openssl v1.0.2. Install it then run it with /usr/local/Cellar/openssl/1.0.2d_1/bin/openssl s_client -connect google.com:443 -tls1_2
    – Xiao
    Commented Aug 28, 2015 at 2:46
  • 6
    It works fine after brew upgrade openssl
    – Quanlong
    Commented Aug 28, 2015 at 5:26

Also you can list all supported ciphers using:

nmap --script ssl-enum-ciphers -p 443 www.example.com

And then check the output. If it's supported you'll get something like this:

|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
  • 5
    Got a really hard time trying to make this third party script work. Wrote mine for people interested : here. Commented Nov 1, 2014 at 23:46
  • 4
    It worked great for me.
    – colefner
    Commented Jun 14, 2017 at 15:51
  • 4
    As on date, nmap doesn’t support TLS1.3, so this command will not help if you want to check for TLS1.3 availability on the web server side. Otherwise for upto version 1.2 , this solution is working fine. Commented May 1, 2020 at 15:11
  • I'm not an expert with nmap, but I think you should probably use -Pn, in case the server isn't pingable.
    – mwfearnley
    Commented Aug 31, 2022 at 14:43
  • 1
    nmap now supports TLSv1.3 github.com/nmap/nmap/issues/1348. validated on version 7.94
    – Titou
    Commented Nov 14, 2023 at 18:21

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .