How do I list the SSL/TLS cipher suites a particular website offers?
I wrote a bash script to test cipher suites. It gets a list of supported cipher suites from OpenSSL and tries to connect using each one. If the handshake is successful, it prints YES
. If the handshake isn't successful, it prints NO
, followed by the OpenSSL error text.
#!/usr/bin/env bash
# OpenSSL requires the port number.
SERVER=$1
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo Obtaining cipher list from $(openssl version).
for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ ":error:" ]] ; then
error=$(echo -n $result | cut -d':' -f6)
echo NO \($error\)
else
if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher :" ]] ; then
echo YES
else
echo UNKNOWN RESPONSE
echo $result
fi
fi
sleep $DELAY
done
Here's sample output showing 3 unsupported ciphers, and 1 supported cipher:
[@linux ~]$ ./test_ciphers 192.168.1.11:443
Obtaining cipher list from OpenSSL 0.9.8k 25 Mar 2009.
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-SHA...YES
EDIT: Add flexibility as host and port are provided as parameter to the script
Nmap with ssl-enum-ciphers
There is no better or faster way to get a list of available ciphers from a network service. Plus, nmap will provide a strength rating of strong, weak, or unknown for each available cipher.
First, download the ssl-enum-ciphers.nse nmap script (explanation here). Then from the same directory as the script, run nmap as follows:
List ciphers supported by an HTTP server
$ nmap --script ssl-enum-ciphers -p 443 www.example.com
List ciphers supported by an IMAP server
$ nmap --script ssl-enum-ciphers -p 993 mail.example.com
Here is a snippet of output from a Dovecot IMAP server:
993/tcp open imaps
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
...
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
...
|_ least strength: weak
Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds
Is there a tool that can test what SSL/TLS cipher suites a particular website offers?
Yes, you could use the online tool on SSL Labs' website to query the Public SSL Server Database.
Here is a snippet of information that it provides:
(screenshot from results of google.com)