Determine SSL cipher suites supported by the web-server using OpenSSL.
Shell script
Bourne Again SHell shell script.
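#!/usr/bin/env bash
# Determine SSL/TLS cipher suites supported by the web-server.
#
# Lists the cipher suites of the local OpenSSL build
# (`openssl ciphers -s -stdname`) and attempts one `openssl s_client`
# handshake per suite against the given server.
#
# Usage: check-ssl-ciphers.sh -s server [-p port] [-c cipher] [-t tls_version] [-d]
#
# Limitations:
#   - Only suites the local OpenSSL build offers are tested, so a suite that
#     is missing from the output is not proven to be disabled on the server.
#   - A suite is reported as "connected" when s_client prints no ":error:"
#     line; the exit status of s_client is not evaluated.

# `set -e` stays off on purpose: a failed handshake is the normal result for
# every suite the server does not accept.

# display usage
usage() {
  echo "Usage: ${0##*/} -s server [-p port] [-c cipher] [-t tls_version] [-d] "
}

#######################################
# Get the openssl s_client protocol option for a TLS version name.
# Arguments: $1 - protocol name as printed by `openssl ciphers -stdname`
#                 (SSLv3, TLSv1, TLSv1.2, TLSv1.3) or given with -t; the
#                 underscore spellings used in the usage examples
#                 (TLSv1_2, ...) are accepted as well
# Outputs:   the option on stdout
# Returns:   1 for an unknown name (nothing is printed)
#######################################
get_tls_param() {
  local protocol_version_param
  case "$1" in
    "SSLv3")
      # Override SSLv3 with TLS 1.2. The previous override (-tls1_3) made the
      # check meaningless: -cipher does not restrict TLS 1.3 suites, so the
      # handshake succeeded with a default TLS 1.3 suite instead of the one
      # under test.
      protocol_version_param="-tls1_2"
      ;;
    "TLSv1")
      # NOTE(review): TLSv1 is mapped to -tls1_1, not -tls1; kept as the
      # author wrote it - confirm whether this is intended.
      protocol_version_param="-tls1_1"
      ;;
    "TLSv1.1" | "TLSv1_1")
      protocol_version_param="-tls1_1"
      ;;
    "TLSv1.2" | "TLSv1_2")
      protocol_version_param="-tls1_2"
      ;;
    "TLSv1.3" | "TLSv1_3")
      protocol_version_param="-tls1_3"
      ;;
    *)
      # return, not exit: the caller decides what an unknown name means
      return 1
      ;;
  esac
  printf '%s\n' "$protocol_version_param"
}

# initial values
server_option=""
port_option="443"
debug_option=0
cipher_option=""
tls_option=""

# parse parameters
while getopts ":s:p:c:t:d" option; do
  case "${option}" in
    "s") server_option="$OPTARG" ;;
    # -p was accepted by getopts but never stored, so the port was always 443
    "p") port_option="$OPTARG" ;;
    "c") cipher_option="$OPTARG" ;;
    "t") tls_option="$OPTARG" ;;
    "d") debug_option="1" ;;
    # ":" is reported when an option is given without its argument
    ":" | "?")
      usage
      exit 1
      ;;
  esac
done

# ensure that server is provided
if [[ -z "${server_option}" ]]; then
  usage
  exit 1
fi

# Reject an unknown -t value up front; otherwise the protocol option would be
# silently empty and every handshake would run without a version restriction.
forced_protocol_param=""
if [[ -n "$tls_option" ]]; then
  if ! forced_protocol_param="$(get_tls_param "$tls_option")"; then
    echo "Error: unsupported TLS version: $tls_option"
    usage
    exit 1
  fi
fi

# NOTE(review): the requested suite is passed through -ciphersuites while the
# regular cipher list is set to NULL; presumably this makes `openssl ciphers`
# print only the requested suite - confirm against the local OpenSSL version.
cipher_args=()
if [[ -n "$cipher_option" ]]; then
  cipher_args=(-ciphersuites "$cipher_option" NULL)
fi

while IFS= read -r cipher_line; do
  if [[ -z "$cipher_line" ]]; then
    echo "Error: cipher not reconized"
    continue
  fi

  # Columns of `openssl ciphers -stdname`:
  #   standard-name - openssl-name protocol Kx=.. Au=.. Enc=.. Mac=..
  read -r standard_cipher_name _ cipher_name suite_protocol \
    kx_field au_field enc_field mac_field _ <<< "$cipher_line"
  key_exchange="${kx_field#*=}"
  authentication="${au_field#*=}"
  symmetric_encryption_method="${enc_field#*=}"
  message_authentication_method="${mac_field#*=}"

  if [[ -z "$tls_option" ]]; then
    # The protocol has to come from the current line; it used to be looked up
    # before it was assigned, i.e. with the value of the previous suite.
    protocol_version="$suite_protocol"
    # an unknown protocol name leaves the option empty (no restriction)
    protocol_version_param="$(get_tls_param "$suite_protocol")"
  else
    protocol_version_param="$forced_protocol_param"
    protocol_version="$tls_option (parameter)"
  fi

  echo "${standard_cipher_name}"
  if [[ "${debug_option}" -eq 1 ]]; then
    echo " Cipher name: ${cipher_name}"
    if [[ "$protocol_version" == "SSLv3" ]]; then
      echo " Protocol version: TLSv1.2 (instead of $protocol_version)"
    else
      echo " Protocol version: $protocol_version"
    fi
    echo " Key exchange: ${key_exchange}"
    echo " Authentication: ${authentication}"
    echo " Symmetric encryption method: ${symmetric_encryption_method}"
    echo " Message authentication method: ${message_authentication_method}"
  fi

  # TLS 1.3 suites are selected with -ciphersuites; -cipher only configures
  # TLS 1.2 and below and fails locally with "no cipher match" for them.
  if [[ "$suite_protocol" == "TLSv1.3" ]]; then
    cipher_flag="-ciphersuites"
  else
    cipher_flag="-cipher"
  fi

  # A TLS 1.3 suite cannot be negotiated below TLS 1.3 and vice versa. With a
  # forced protocol that does not fit, s_client would fall back to its default
  # suites and the connection would wrongly count for the suite under test.
  if [[ -n "$tls_option" ]]; then
    if [[ "$suite_protocol" == "TLSv1.3" && "$protocol_version_param" != "-tls1_3" ]] ||
      [[ "$suite_protocol" != "TLSv1.3" && "$protocol_version_param" == "-tls1_3" ]]; then
      echo " Status: NOT connected"
      echo " Error: cipher suite is not usable with $tls_option"
      continue
    fi
  fi

  # Build the command as an array so that server, port and cipher values are
  # passed as single arguments (no word splitting or globbing).
  s_client_args=(s_client)
  if [[ -n "$protocol_version_param" ]]; then
    s_client_args+=("$protocol_version_param")
  fi
  s_client_args+=(
    "$cipher_flag" "$cipher_name"
    -servername "$server_option"
    -connect "${server_option}:${port_option}"
  )

  # stdin from /dev/null makes s_client exit right after the handshake
  error_message="$(openssl "${s_client_args[@]}" < /dev/null 2>&1 | grep ':error:')"

  if [[ -z "$error_message" ]]; then
    echo " Status: connected"
  else
    echo " Status: NOT connected"
    # fields 4-6 of the first OpenSSL error line: library, function, reason
    echo " Error: $(printf '%s\n' "$error_message" | awk -F: 'NR == 1 {print $4 " - " $5 " - " $6}')"
  fi
done <<< "$(openssl ciphers -s -stdname "${cipher_args[@]}" 2> /dev/null)"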
Usage
Check a specific server, cipher and protocol version, and include debug information.
$ check-ssl-ciphers.sh -s example.org -c TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -t TLSv1_2 -d
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 Cipher name: ECDHE-ECDSA-AES128-GCM-SHA256
 Protocol version: TLSv1_2 (parameter)
 Key exchange: ECDH
 Authentication: ECDSA
 Symmetric encryption method: AESGCM(128)
 Message authentication method: AEAD
 Status: connected
Check a non-existent server.
$ check-ssl-ciphers.sh -s nonexisting.example.org -c TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -t TLSv1_2
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 Status: NOT connected
 Error: BIO routines - BIO_lookup_ex - system lib
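Check a specific server using the default cipher suites and include debug information. In the output below, the `no cipher match` errors reported for the TLS 1.3 suites come from the local `SSL_CTX_set_cipher_list` call, not from the server, so they do not show that the server rejects those suites.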
$ check-ssl-ciphers.sh -s example.org -d
TLS_AES_256_GCM_SHA384 Cipher name: TLS_AES_256_GCM_SHA384 Protocol version: TLSv1.3 Key exchange: any Authentication: any Symmetric encryption method: AESGCM(256) Message authentication method: AEAD Status: NOT connected Error: SSL routines - SSL_CTX_set_cipher_list - no cipher match TLS_CHACHA20_POLY1305_SHA256 Cipher name: TLS_CHACHA20_POLY1305_SHA256 Protocol version: TLSv1.3 Key exchange: any Authentication: any Symmetric encryption method: CHACHA20/POLY1305(256) Message authentication method: AEAD Status: NOT connected Error: SSL routines - SSL_CTX_set_cipher_list - no cipher match TLS_AES_128_GCM_SHA256 Cipher name: TLS_AES_128_GCM_SHA256 Protocol version: TLSv1.3 Key exchange: any Authentication: any Symmetric encryption method: AESGCM(128) Message authentication method: AEAD Status: NOT connected Error: SSL routines - SSL_CTX_set_cipher_list - no cipher match TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Cipher name: ECDHE-ECDSA-AES256-GCM-SHA384 Protocol version: TLSv1.2 Key exchange: ECDH Authentication: ECDSA Symmetric encryption method: AESGCM(256) Message authentication method: AEAD Status: connected TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Cipher name: ECDHE-RSA-AES256-GCM-SHA384 Protocol version: TLSv1.2 Key exchange: ECDH Authentication: RSA Symmetric encryption method: AESGCM(256) Message authentication method: AEAD Status: connected TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Cipher name: DHE-RSA-AES256-GCM-SHA384 Protocol version: TLSv1.2 Key exchange: DH Authentication: RSA Symmetric encryption method: AESGCM(256) Message authentication method: AEAD Status: connected TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Cipher name: ECDHE-ECDSA-CHACHA20-POLY1305 Protocol version: TLSv1.2 Key exchange: ECDH Authentication: ECDSA Symmetric encryption method: CHACHA20/POLY1305(256) Message authentication method: AEAD Status: NOT connected Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Cipher name: 
ECDHE-RSA-CHACHA20-POLY1305 Protocol version: TLSv1.2 Key exchange: ECDH Authentication: RSA Symmetric encryption method: CHACHA20/POLY1305(256) Message authentication method: AEAD Status: NOT connected Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Cipher name: DHE-RSA-CHACHA20-POLY1305 Protocol version: TLSv1.2 Key exchange: DH Authentication: RSA Symmetric encryption method: CHACHA20/POLY1305(256) Message authentication method: AEAD Status: NOT connected Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Cipher name: ECDHE-ECDSA-AES128-GCM-SHA256 Protocol version: TLSv1.2 Key exchange: ECDH Authentication: ECDSA Symmetric encryption method: AESGCM(128) Message authentication method: AEAD Status: NOT connected Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Cipher name: ECDHE-RSA-AES128-GCM-SHA256 Protocol version: TLSv1.2 Key exchange: ECDH Authentication: RSA Symmetric encryption method: AESGCM(128) Message authentication method: AEAD Status: connected TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 Cipher name: DHE-RSA-AES128-GCM-SHA256 Protocol version: TLSv1.2 Key exchange: DH Authentication: RSA Symmetric encryption method: AESGCM(128) Message authentication method: AEAD Status: connected TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Cipher name: ECDHE-ECDSA-AES256-SHA384 Protocol version: TLSv1.2 Key exchange: ECDH Authentication: ECDSA Symmetric encryption method: AES(256) Message authentication method: SHA384 Status: NOT connected Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Cipher name: ECDHE-RSA-AES256-SHA384 Protocol version: TLSv1.2 Key exchange: ECDH Authentication: RSA Symmetric encryption method: AES(256) Message authentication method: SHA384 Status: connected TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Cipher name: 
DHE-RSA-AES256-SHA256 Protocol version: TLSv1.2 Key exchange: DH Authentication: RSA Symmetric encryption method: AES(256) Message authentication method: SHA256 Status: connected TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Cipher name: ECDHE-ECDSA-AES128-SHA256 Protocol version: TLSv1.2 Key exchange: ECDH Authentication: ECDSA Symmetric encryption method: AES(128) Message authentication method: SHA256 Status: NOT connected Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Cipher name: ECDHE-RSA-AES128-SHA256 Protocol version: TLSv1.2 Key exchange: ECDH Authentication: RSA Symmetric encryption method: AES(128) Message authentication method: SHA256 Status: connected TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Cipher name: DHE-RSA-AES128-SHA256 Protocol version: TLSv1.2 Key exchange: DH Authentication: RSA Symmetric encryption method: AES(128) Message authentication method: SHA256 Status: connected TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Cipher name: ECDHE-ECDSA-AES256-SHA Protocol version: TLSv1 Key exchange: ECDH Authentication: ECDSA Symmetric encryption method: AES(256) Message authentication method: SHA1 Status: NOT connected Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Cipher name: ECDHE-RSA-AES256-SHA Protocol version: TLSv1 Key exchange: ECDH Authentication: RSA Symmetric encryption method: AES(256) Message authentication method: SHA1 Status: connected TLS_DHE_RSA_WITH_AES_256_CBC_SHA Cipher name: DHE-RSA-AES256-SHA Protocol version: TLSv1.3 (instead of SSLv3) Key exchange: DH Authentication: RSA Symmetric encryption method: AES(256) Message authentication method: SHA1 Status: connected TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Cipher name: ECDHE-ECDSA-AES128-SHA Protocol version: TLSv1 Key exchange: ECDH Authentication: ECDSA Symmetric encryption method: AES(128) Message authentication method: SHA1 Status: connected TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Cipher name: 
ECDHE-RSA-AES128-SHA Protocol version: TLSv1 Key exchange: ECDH Authentication: RSA Symmetric encryption method: AES(128) Message authentication method: SHA1 Status: connected TLS_DHE_RSA_WITH_AES_128_CBC_SHA Cipher name: DHE-RSA-AES128-SHA Protocol version: TLSv1.3 (instead of SSLv3) Key exchange: DH Authentication: RSA Symmetric encryption method: AES(128) Message authentication method: SHA1 Status: connected TLS_RSA_WITH_AES_256_GCM_SHA384 Cipher name: AES256-GCM-SHA384 Protocol version: TLSv1.2 Key exchange: RSA Authentication: RSA Symmetric encryption method: AESGCM(256) Message authentication method: AEAD Status: connected TLS_RSA_WITH_AES_128_GCM_SHA256 Cipher name: AES128-GCM-SHA256 Protocol version: TLSv1.2 Key exchange: RSA Authentication: RSA Symmetric encryption method: AESGCM(128) Message authentication method: AEAD Status: connected TLS_RSA_WITH_AES_256_CBC_SHA256 Cipher name: AES256-SHA256 Protocol version: TLSv1.2 Key exchange: RSA Authentication: RSA Symmetric encryption method: AES(256) Message authentication method: SHA256 Status: NOT connected Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure TLS_RSA_WITH_AES_128_CBC_SHA256 Cipher name: AES128-SHA256 Protocol version: TLSv1.2 Key exchange: RSA Authentication: RSA Symmetric encryption method: AES(128) Message authentication method: SHA256 Status: NOT connected Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure TLS_RSA_WITH_AES_256_CBC_SHA Cipher name: AES256-SHA Protocol version: TLSv1.3 (instead of SSLv3) Key exchange: RSA Authentication: RSA Symmetric encryption method: AES(256) Message authentication method: SHA1 Status: connected TLS_RSA_WITH_AES_128_CBC_SHA Cipher name: AES128-SHA Protocol version: TLSv1.3 (instead of SSLv3) Key exchange: RSA Authentication: RSA Symmetric encryption method: AES(128) Message authentication method: SHA1 Status: connected
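This is a simple shell script intended only to illustrate the idea. It can test only the cipher suites that the local OpenSSL build supports, so a suite that is missing from the output is not proven to be disabled on the server.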