How to pass cipher list to OpenSSL s_client

As Steffen Ullrich has mentioned, you can pass a list of ciphers to the -cipher option of s_client. This is not a single item, but a specification and can also be used for the nginx ssl_ciphers option, or the Apache SSLCipherSuite option.

You can pass multiple ciphers using a space, comma or colon separator. Example:

openssl s_client -cipher ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384 \
    -connect example.com:443

The above list specifies two specific ciphers. A group of ciphers can also be passed. Here is an example of a cipher list specification that requires authenticated empheral ECDH key agreement (ECDH), RSA for authentication and only cipher suites that are considered of "high" encryption:

openssl s_client -cipher ECDH+aRSA+HIGH -connect example.com:443

What does this expand to? The openssl ciphers command can be used for this purpose:

$ openssl ciphers ECDH+aRSA+HIGH
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA

or more verbosely:

$ openssl ciphers -v ECDH+aRSA+HIGH
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1

For more information, read the ciphers manual page.


While the documentation of OpenSSL lacks a lot, this part is actually well documented. From the man page of s_client:

-cipher cipherlist

this allows the cipher list sent by the client to be modified. Although the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the ciphers command for more information.

And in the mentioned documentation for ciphers you will actually find lots of details about the format of the cipher list, the cipher strings and the cipher suite names. In fact the documentation is so extensive that it is much better to read it there than to include it in this answer.


It has exactly the same syntax, as eg. SSLCipherSuite configuration setting in Apache, or many similar configuration switches. Example list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

Note the important characters:

:
+
!