What website accepts only TLS 1.2 so I can verify client capability?
The website https://badssl.com/ supports various versions of TLS using different subdomains, so you can test lots of variations there!
This subdomain and port only supports TLSv1.2
https://tls-v1-2.badssl.com:1012/
This subdomain and port only supports TLSv1.1
https://tls-v1-1.badssl.com:1011/
This subdomain and port only supports TLSv1.0
https://tls-v1-0.badssl.com:1010/
and more. And if that domain disappears for some reason, the source to it is here on GitHub
SSLLabs
As @schroeder pointed out in the comments, this site assesses the client capabilities and reports on them in the response:
https://www.ssllabs.com/ssltest/viewMyClient.html
Disadvantages:
- The response is designed for human consumption in a browser. It's not crystal clear whether the response requires JavaScript to give a valid response. It appears not to be required, as we were able to show different responses as between a Windows 10 machine running the app and a Windows Server 2008 R2 server running the app.
- The site doesn't allow a POST; it requires a GET. Our app could be configured either way, but some might not.
- The site won't require TLS 1.2 in a way which emulates the behavior of sites which do.
FancySSL
As @paj28 pointed out in the comments, this site will only work if TLS 1.2 is available:
https://fancyssl.hboeck.de/
Disadvantages:
- It appears to be an individual's site and despite a good Google rank, it doesn't seem like a long-term stable solution.
- According to @dave_thompson_085, fancyssl.hboeck.de may not work correctly if your client doesn't send SNI and doesn't handle (or mishandles) renegotiation.
Result
Unfortunately, our app did not work seamlessly on Windows 2008 R2. Trying the FancySSL site, it got this error:
The handle is in the wrong state for the requested operation
Trying the SSLLabs site, it got these results:
- TLS 1.2: No
- TLS 1.1: No
- TLS 1.0: Yes*
- SSL 3: Yes*
- SSL 2: No
(*) Without JavaScript, this test reliably detects only the highest supported protocol.
When we run the same app on Windows 10 or Windows Server 2012 R2, the app doesn't encounter the error and SSLLabs reports TLS 1.2 as available.
Another option I discovered:
https://www.howsmyssl.com/
@paj28 appears to have pointed us in a good direction:
openssl s_server -tls1_2
You can launch an emulated TLS server and connect to it from your client. I'm not sure what settings you would need, or what, exactly, connecting would tell you, but it is a good, lightweight, and local resource you might be able to use for your needs.
https://www.openssl.org/docs/manmaster/man1/s_server.html
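What a local listener can tell you about the client, as an added example that is not part of any answer above: the first message a TLS client sends (the ClientHello) already states which protocol versions it offers, so a plain TCP listener can report them without a certificate. The names `offered_versions`, `capture_hello`, `sample_hello` and port 4443 are assumptions of this example, the sample ClientHello is constructed rather than captured, and the parser assumes the ClientHello fits in one TLS record.

```python
import socket
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def offered_versions(record: bytes) -> list:
    """Versions offered by a ClientHello held in one TLS record, highest first."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        body = record[9:]                      # skip 5-byte record + 4-byte handshake header
        offered = [struct.unpack_from("!H", body, 0)[0]]   # client_version = client's maximum
        pos = 34                               # skip client_version and 32-byte random
        pos += 1 + body[pos]                   # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]                   # compression_methods
        if pos < len(body):                    # extensions are optional before TLS 1.3
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos < end:
                ext_type, ext_len = struct.unpack_from("!HH", body, pos)
                if ext_type == 43:             # supported_versions replaces client_version
                    raw = body[pos + 5:pos + 5 + body[pos + 4]]
                    offered = [v for (v,) in struct.iter_unpack("!H", raw)]
                pos += 4 + ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return [NAMES[v] for v in sorted(offered, reverse=True) if v in NAMES]

def capture_hello(port: int = 4443) -> list:
    """Accept one connection on localhost and report what that client offered."""
    with socket.create_server(("127.0.0.1", port)) as srv:
        conn, _ = srv.accept()
        with conn:
            header = conn.recv(5, socket.MSG_WAITALL)
            length = struct.unpack_from("!H", header, 3)[0]
            return offered_versions(header + conn.recv(length, socket.MSG_WAITALL))

def sample_hello(client_version: int, supported=()) -> bytes:
    """Constructed minimal ClientHello for demonstration (not a real capture)."""
    ext = b""
    if supported:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers
        ext = struct.pack("!H", len(ext)) + ext
    body = (struct.pack("!H", client_version) + bytes(32) + b"\x00"
            + struct.pack("!HH", 2, 0x002F) + b"\x01\x00" + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Call `capture_hello()` and point the client at `https://localhost:4443/`; the client will report a failed connection because the handshake is never completed, but the returned list shows whether `"TLS 1.2"` was offered.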