How to pass cipher list to OpenSSL s_client
As Steffen Ullrich has mentioned, you can pass a list of ciphers to the -cipher option of s_client. This is not a single item but a specification, and the same syntax can also be used for the nginx ssl_ciphers option or the Apache SSLCipherSuite option.
You can pass multiple ciphers using a space, comma or colon separator. Example:
openssl s_client -cipher ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384 \
-connect example.com:443
The above list specifies two specific ciphers. A group of ciphers can also be passed. Here is an example of a cipher list specification that requires authenticated ephemeral ECDH key agreement (ECDH), RSA for authentication, and only cipher suites whose encryption is considered "high":
openssl s_client -cipher ECDH+aRSA+HIGH -connect example.com:443
What does this expand to? The openssl ciphers command can be used for this purpose:
$ openssl ciphers ECDH+aRSA+HIGH
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA
or more verbosely:
$ openssl ciphers -v ECDH+aRSA+HIGH
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
For more information, read the ciphers manual page.
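Added example (not part of the answer above): the verbose expansion is only useful if you read its columns, so the script below parses the `Kx=`, `Au=`, `Enc=` and `Mac=` fields that `openssl ciphers -v` prints and flags the suites in the expansion that still use a SHA1 MAC, MD5, 3DES or RC4. The sample input is the expansion shown above, copied in as a constructed string so the check runs without a server or even without openssl installed; `expand_spec` is the only function that calls the real tool.

```shell
#!/bin/sh
# Added example, not from the original answer. Parses the column layout of
# `openssl ciphers -v` (name, protocol, Kx=, Au=, Enc=, Mac=) and reports the
# suites an expansion still contains that a modern deployment should not offer.

# Constructed sample: the verbose expansion of ECDH+aRSA+HIGH shown above,
# embedded here so the script runs offline.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1'

# weak_suites: read `openssl ciphers -v` output on stdin and print the name
# of every suite whose Enc= or Mac= column is on the deny list below.
weak_suites() {
    awk '{
        enc = ""; mac = "";
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Enc=/) enc = substr($i, 5);
            if ($i ~ /^Mac=/) mac = substr($i, 5);
        }
        if (mac == "SHA1" || mac == "MD5" || enc ~ /^3DES/ || enc ~ /^RC4/)
            print $1;
    }'
}

# count_weak: number of flagged suites in the expansion given on stdin.
count_weak() {
    weak_suites | wc -l | tr -d ' '
}

# expand_spec: run the real tool on any cipher string, so the same check can
# be applied live:  expand_spec 'ECDH+aRSA+HIGH' | weak_suites
expand_spec() {
    openssl ciphers -v "$1"
}

# Demo on the constructed sample: prints the three CBC/SHA1 suites,
# including the 3DES one, that ECDH+aRSA+HIGH still admits.
printf '%s\n' "$SAMPLE" | weak_suites
```

The output shows why "HIGH" alone is not a strong enough filter: it keeps AES-CBC with SHA1 and even 3DES, so a practitioner would append `:!SHA1:!3DES` (or pick the GCM suites explicitly) and re-run the check against the new expansion.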
While the documentation of OpenSSL is lacking in many places, this part is actually well documented. From the man page of s_client:
-cipher cipherlist
this allows the cipher list sent by the client to be modified. Although the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the ciphers command for more information.
And in the mentioned documentation for ciphers you will actually find lots of details about the format of the cipher list, the cipher strings and the cipher suite names. In fact the documentation is so extensive that it is much better to read it there than to include it in this answer.
It has exactly the same syntax as, e.g., the SSLCipherSuite configuration setting in Apache, or many similar configuration switches. Example list:
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
Note the important characters:
:
+
!
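Added example (my own, not the answer's code): a small parser that splits a cipher string on the separators OpenSSL accepts (colon, comma, space) and labels each element with the operation the ciphers(1) manual assigns to its leading character, so the example list above can be read element by element. The semantics are taken from the manual: `!` deletes permanently, `-` deletes but allows a later element to re-add, a leading `+` moves already-present suites to the end, `@STRENGTH` sorts; a `+` inside an element (`EECDH+aRSA+AESGCM`) is instead a logical AND. The sample string is the example list above.

```shell
#!/bin/sh
# Added example, not from the original answer. Explains a cipher string by
# labelling each ':'-separated element with the operation OpenSSL applies
# to it (semantics from the ciphers(1) manual page):
#   !X   kill:      remove X, and later elements cannot add it back
#   -X   delete:    remove X, but a later element may add it again
#   +X   move-last: move already-present X to the end (lowest preference)
#   @X   sort:      e.g. @STRENGTH, reorder by key length
#   A+B  add-and:   add suites matching A AND B
#   X    add:       append suites matching X

# The example list from the answer above, used as constructed input.
EXAMPLE_LIST='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

# classify_element: print "<operation> <operand>" for one element.
# Leading-character patterns come first so '+X' is not mistaken for 'A+B'.
classify_element() {
    e=$1
    case $e in
        '!'*)  printf '%-10s %s\n' kill "${e#!}" ;;
        '-'*)  printf '%-10s %s\n' delete "${e#-}" ;;
        '+'*)  printf '%-10s %s\n' move-last "${e#+}" ;;
        '@'*)  printf '%-10s %s\n' sort "${e#@}" ;;
        *'+'*) printf '%-10s %s\n' add-and "$(printf '%s' "$e" | tr '+' ' ')" ;;
        *)     printf '%-10s %s\n' add "$e" ;;
    esac
}

# explain_cipher_string: one labelled line per element, in evaluation order.
# OpenSSL accepts ':', ',' or ' ' as separators, so all three are split on.
explain_cipher_string() {
    printf '%s\n' "$1" | tr ':, ' '\n\n\n' | while IFS= read -r e; do
        if [ -n "$e" ]; then
            classify_element "$e"
        fi
    done
}

# count_ops: how many elements of a cipher string carry a given operation,
# e.g. count_ops "$EXAMPLE_LIST" kill
count_ops() {
    explain_cipher_string "$1" | awk -v op="$2" '$1 == op' | wc -l | tr -d ' '
}

# Demo: walk the example list.
explain_cipher_string "$EXAMPLE_LIST"
```

Reading the output in order makes the structure of the list visible: five AND-combinations and a bare EECDH build the preferred set, four move-last elements push the CBC suites behind the GCM ones, thirteen kill elements strip weak or unwanted material, and the four plain names at the end re-add non-ephemeral fallbacks. To see the resulting suites, feed the same string to `openssl ciphers -v`.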