Use the openssl command-line utility to display TLS server extensions.
Shell script.
#!/bin/bash
# Display TLS extensions
#
# Example:
#   $ get_tls_extensions.sh sleeplessbeastie.eu
#   Negotiated TLS version: TLSv1.2
#   TLS extensions:
#    - EC point formats
#    - extended master secret
#    - session ticket
#    - renegotiation info
#
#   $ get_tls_extensions.sh debian.org
#   Negotiated TLS version: TLSv1.2
#   TLS extensions:
#    - server name
#    - EC point formats
#    - session ticket
#    - renegotiation info
#

# temporary file
temp_file=$(mktemp)

# delete temporary file on exit (single quotes: expand the path when the trap runs)
trap 'unlink "$temp_file"' EXIT

if [ "$#" -eq 1 ]; then
  website="$1"
  # continue only if the name resolves; discard the lookup output
  if host "$website" >/dev/null 2>&1; then
    # empty stdin makes s_client exit after the handshake;
    # -tlsextdebug prints every extension received from the server
    echo -n | openssl s_client -servername "$website" -connect "$website:443" -tlsextdebug 2>/dev/null > "$temp_file"
    # negotiated protocol from the "Protocol  : ..." line of the session block
    tls_version=$(awk -F: '/^ *Protocol/ {gsub(" ","",$2);print $2}' "$temp_file")
    # extension lines before the first "---", sorted by numeric id, names only
    tls_extensions=$(sed -n -e '1,/---/ {s/^TLS server extension "\(.*\)" (id=\(.*\)).*/\2:\1/p}' "$temp_file" | sort -t: -k1,1n | awk -F: '{print " - " $2}')
    echo "Negotiated TLS version: $tls_version"
    echo "TLS extensions:"
    echo "$tls_extensions"
  fi
fi
Sample usage.
$ bash get_tls_extensions.sh linux.com
Negotiated TLS version: TLSv1.2
TLS extensions:
 - server name
 - EC point formats
 - extended master secret
 - session ticket
 - renegotiation info

$ bash get_tls_extensions.sh lwn.net
Negotiated TLS version: TLSv1.2
TLS extensions:
 - server name
 - EC point formats
 - session ticket
 - renegotiation info
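The listing above can be turned into a check. The following is an added example, not part of the original script: it parses saved `openssl s_client -tlsextdebug` output and reports which required extensions the server did not send. The function names, the constructed sample output, and the choice of required extensions (renegotiation info, RFC 5746, and extended master secret, RFC 7627) are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: audit saved `openssl s_client -tlsextdebug` output for
# extensions the server is expected to advertise.

# Constructed sample (not captured from a real server), using the line
# format the script above matches:
#   TLS server extension "<name>" (id=<n>), len=<n>
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0000 - 00                                                .
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
---
Certificate chain
---
SSL-Session:
    Protocol  : TLSv1.2
EOF
}

# Read s_client output on stdin; print the extension names seen before the
# first "---" separator, one per line, in the order the server sent them.
list_extensions() {
  sed -n -e '1,/^---/ s/^TLS server extension "\(.*\)" (id=[0-9]*).*/\1/p'
}

# Read s_client output on stdin; print every required extension (given as
# arguments) that is absent. Exit status is 1 if anything is missing.
missing_extensions() {
  seen=$(list_extensions)
  status=0
  for name in "$@"; do
    # -F fixed string, -x whole-line match, so "ticket" != "session ticket"
    if ! printf '%s\n' "$seen" | grep -Fxq -- "$name"; then
      echo "$name"
      status=1
    fi
  done
  return "$status"
}

# Demo on the constructed sample.
sample_output | missing_extensions "renegotiation info" "extended master secret" | sed 's/^/missing: /'
```

Against a live server, feed the function the same temporary file the script writes, for example `missing_extensions "renegotiation info" < "$temp_file"`.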