Get OpenSSL (a list of 3rd party sites here; I went with this one). Then connect to your DC thus:
    openssl s_client -connect <Domain_Controller>:636
To test a specific version add a switch like -tls1_2 or -tls1_1. If it fails you get an error like this (this was me asking for TLS1.1):
    CONNECTED(000002F4)
    51720:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:.\ssl\s3_pkt.c:1498:SSL alert number 70
    51720:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:.\ssl\s3_pkt.c:659:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol : TLSv1
        Cipher : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1603452101
        Timeout : 7200 (sec)
        Verify return code: 0 (ok)
    ---
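To repeat this check for several versions and tell a refusal by the DC apart from a limit in the local OpenSSL build, the Python sketch below wraps the same s_client call and classifies its output. It is an added example, not code from the original post; the function names and result labels are assumptions made for it, and the "no protocols available" case covers newer OpenSSL builds that will not offer old TLS versions themselves.

```python
import re
import subprocess
import sys

# Constructed sample: the key lines of the TLS 1.1 failure shown in the post.
SAMPLE_REJECTED = r"""CONNECTED(000002F4)
51720:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:.\ssl\s3_pkt.c:1498:SSL alert number 70
51720:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:.\ssl\s3_pkt.c:659:
New, (NONE), Cipher is (NONE)
"""


def classify(output):
    """Map s_client output to one of the labels used in this example."""
    if "no protocols available" in output:
        return "client-limit"   # local OpenSSL refused to offer this version
    if "CONNECTED(" not in output:
        return "unreachable"    # the TCP connection was never established
    if "alert protocol version" in output or "SSL alert number 70" in output:
        return "rejected"       # server answered with alert 70 (protocol_version)
    match = re.search(r"Cipher is (\S+)", output)
    if match and match.group(1) != "(NONE)":
        return "accepted"       # a cipher was negotiated, handshake completed
    return "unknown"


def probe(host, switch, port=636, timeout=15):
    """Run openssl s_client with one version switch and classify the result."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", switch]
    try:
        done = subprocess.run(cmd, stdin=subprocess.DEVNULL,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "unreachable"
    # s_client writes errors to stderr and the session summary to stdout.
    return classify(done.stdout + done.stderr)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <Domain_Controller>")
    for switch in ("-tls1", "-tls1_1", "-tls1_2"):
        print(f"{switch:8} {probe(sys.argv[1], switch)}")
```

Only a "rejected" result says the DC itself refused the version; "client-limit" means the test was inconclusive and needs an OpenSSL build that still offers that protocol.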
Hope that helps someone!
Update: Just for completeness, here are the regkeys to enable/disable various TLS versions in Windows.