I have a droplet. How do I check my TLS version?

Posted on June 13, 2024

Hi all, this is related to not being able to connect to Stripe webhooks. It may be because of my TLS version. Stripe webhooks don’t support TLS 1.3. If my version is 1.3, how do I downgrade to TLS 1.2?

Thanks in advance!




Hey!

To check the TLS version that your server is using, you can use the openssl command from a terminal.

openssl s_client -connect yourdomain.com:443 -tls1_2

If it connects successfully, it indicates that TLS 1.2 is supported. You can change -tls1_2 to -tls1_3 to test for TLS 1.3.

For the configuration itself, if you find out that your server is using TLS 1.3 and you need to downgrade to TLS 1.2, you’ll need to modify the server’s configuration.

This will depend on whether you are using Nginx or Apache:

For Nginx:

  1. Edit the Nginx configuration file, usually found at /etc/nginx/nginx.conf or under /etc/nginx/sites-available/. This will depend on the OS that you are using.
  2. Then in that config file modify the SSL protocol settings:
    ssl_protocols TLSv1.2;  # This disables TLSv1.3 and uses only TLSv1.2
    
  3. Then run a config test with sudo nginx -t and if you get Syntax OK, restart Nginx to apply the changes:
    sudo systemctl restart nginx
    

For Apache:

  1. Edit the Apache SSL configuration file, typically located at /etc/apache2/mods-enabled/ssl.conf.
  2. Update the SSLProtocol directive:
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
    
    This configuration enables TLS 1.2 while disabling TLS 1.3 and older versions.
  3. Run a config test with apachectl -t and if you get Syntax OK, restart Apache:
    sudo systemctl restart apache2
    

After you’ve made these changes, you can re-run the openssl command or use an online service like SSL Labs’ SSL Test to verify the server’s SSL/TLS configuration.

Let me know how it goes!

- Bobby
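
Added example (not part of the answers in this thread): when scripting the openssl check above, read the `New, <protocol>, Cipher is <cipher>` line instead of treating any output as success, because `s_client` can print `CONNECTED` and an `SSL-Session` block even when the handshake is refused. The sample transcripts are constructed and abridged, OpenSSL 1.1.1 or later is assumed, and `negotiated_protocol` and `probe_tls` are hypothetical helper names.

```shell
#!/bin/sh
# Added example; helper names and sample transcripts are constructed.

# Read `openssl s_client` output on stdin and print the negotiated protocol,
# or "none" when the handshake failed or no "New, ..." line is present.
negotiated_protocol() {
    awk -F', ' '
        /^New, / {
            # A refused handshake reports: New, (NONE), Cipher is (NONE)
            if ($3 ~ /\(NONE\)/) { print "none" } else { print $2 }
            found = 1
            exit
        }
        END { if (!found) print "none" }
    '
}

# Probe a host once per protocol version. -servername sends SNI and
# </dev/null closes stdin so s_client exits right after the handshake.
probe_tls() {
    host=$1
    port=${2:-443}
    for flag in -tls1_2 -tls1_3; do
        printf '%s %s: ' "$host" "$flag"
        openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
            </dev/null 2>/dev/null | negotiated_protocol
    done
}

# Constructed, abridged transcript of a successful TLS 1.2 handshake.
sample_ok='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# Constructed, abridged transcript of a refused -tls1_2 handshake. The
# Protocol field still names the requested version, so it proves nothing.
sample_fail='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

printf '%s\n' "$sample_ok"   | negotiated_protocol
printf '%s\n' "$sample_fail" | negotiated_protocol
# Live check (needs network access): probe_tls yourdomain.com
```
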

Heya, @swimminglapiswalrus

You can use online tools like SSL Labs’ SSL Test or use curl from the command line:

curl -I -v --tlsv1.2 https://your_domain

This should confirm that your server is using TLS 1.2 for secure connections.

To downgrade your TLS version to 1.2 on a DigitalOcean droplet, you’ll need to adjust the configuration of your web server (e.g., Nginx or Apache) to ensure it uses TLS 1.2 instead of TLS.

The process will be slightly different if you use Apache or Nginx. If you can share more information I can give you some details on how to set this.

Hope that this helps!

There are a few ways to go about this.

Using NMAP:

nmap --script ssl-enum-ciphers -p 443 <hostname or IP>

You might need to install nmap:

apt install nmap

Using OpenSSL

openssl s_client -connect <hostname or IP>:443 -tls1

For example, if we need to check TLS 1.2 for google.com, the following command can be used:

openssl s_client -connect www.google.com:443 -tls1_2

Another way to check the TLS version is by using the following command:

openssl ciphers -v
