
How do I list the SSL/TLS cipher suites a particular website offers?

How can I retrieve a list of the SSL/TLS cipher suites a particular website offers?

Asked by: Guest | Views: 215
Total answers/comments: 5
bert [Entry]

I wrote a bash script to test cipher suites. It gets a list of supported cipher suites from OpenSSL and tries to connect using each one. If the handshake is successful, it prints YES. If the handshake isn't successful, it prints NO, followed by the OpenSSL error text.

#!/usr/bin/env bash

# OpenSSL requires the port number, so pass host:port (e.g. example.com:443).
SERVER=$1
DELAY=1
# Colon-separated list from OpenSSL, turned into a space-separated word list.
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in $ciphers
do
echo -n Testing $cipher...
# One handshake per cipher; stdin is closed immediately so s_client exits.
result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$SERVER" 2>&1)
if [[ "$result" =~ ":error:" ]] ; then
# Field 6 of the colon-separated OpenSSL error line is the reason text.
error=$(echo -n $result | cut -d':' -f6)
echo NO \($error\)
else
if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher :" ]] ; then
echo YES
else
echo UNKNOWN RESPONSE
echo $result
fi
fi
sleep $DELAY
done

Here's sample output showing 3 unsupported ciphers, and 1 supported cipher:

[@linux ~]$ ./test_ciphers 192.168.1.11:443
Obtaining cipher list from OpenSSL 0.9.8k 25 Mar 2009.
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-SHA...YES

EDIT: Added flexibility, as host and port are now provided as a parameter to the script.
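The same per-cipher probing loop, written as an added Python example (this is not the answer author's code). It shells out to `openssl s_client -cipher <name> -connect host:port` once per suite, exactly as the script does, and applies the same YES / NO / UNKNOWN rules to the transcript, with one stricter check: when the server negotiates a suite other than the one requested (which happens with TLS 1.3 servers, because `-cipher` only constrains TLS 1.2 and earlier), the result is reported as MISMATCH instead of YES. The weak-suite name heuristic, the sample transcripts and the `-tls1_2` hint are this example's own assumptions, not something stated in the thread.

```python
"""Per-cipher TLS handshake probe, modelled on the bash script above.

Added example, not the answer author's code.  Each probe is one
`openssl s_client` handshake; the transcript is classified with the
script's rules plus a MISMATCH case for servers that negotiate a suite
other than the requested one (typical for TLS 1.3).
"""
import re
import subprocess
from dataclasses import dataclass

# Name fragments that mark an OpenSSL suite name as weak or broken: no
# encryption, no authentication, export grade, RC4, (3)DES, MD5 MAC.
# Assumed heuristic for this example; compared token by token so "AES" is
# never mistaken for "DES".
WEAK_MARKERS = ("NULL", "ADH", "AECDH", "EXP", "RC4", "DES", "MD5", "RC2", "IDEA", "SEED")

ERROR_RE = re.compile(r":error:")
NEGOTIATED_RE = re.compile(r"Cipher is (\S+)")

# Constructed transcripts shaped like s_client output, used for offline checks.
SAMPLE_REFUSED = (
    "CONNECTED(00000003)\n"
    "3076:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
    "sslv3 alert handshake failure:s23_clnt.c:596:\n"
)
SAMPLE_ACCEPTED = (
    "CONNECTED(00000003)\n---\nNew, TLSv1/SSLv3, Cipher is AES256-SHA\n"
    "Server public key is 2048 bit\nSSL-Session:\n    Protocol  : TLSv1\n"
    "    Cipher    : AES256-SHA\n"
)
SAMPLE_TLS13 = "CONNECTED(00000003)\n---\nNew, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384\n"


@dataclass
class ProbeResult:
    cipher: str
    status: str        # YES, NO, MISMATCH or UNKNOWN
    detail: str = ""   # reason text (NO), negotiated suite (MISMATCH), raw output (UNKNOWN)

    @property
    def weak(self) -> bool:
        """True when the suite was accepted and its name carries a weak marker."""
        tokens = self.cipher.upper().split("-")
        return self.status == "YES" and any(t.startswith(m) for t in tokens for m in WEAK_MARKERS)


def classify_output(cipher: str, output: str) -> ProbeResult:
    """Apply the script's decision rules to one s_client transcript."""
    if ERROR_RE.search(output):
        # OpenSSL error lines are colon-separated; the 6th field is the
        # human-readable reason, the same field the script's `cut -f6` picks.
        for line in output.splitlines():
            if ":error:" in line:
                fields = line.split(":")
                reason = fields[5] if len(fields) > 5 else line
                return ProbeResult(cipher, "NO", reason.strip())
    m = NEGOTIATED_RE.search(output)
    if m:
        negotiated = m.group(1)
        if negotiated == cipher:
            return ProbeResult(cipher, "YES")
        if negotiated == "(NONE)":
            return ProbeResult(cipher, "NO", "no cipher negotiated")
        # Server picked something else: the requested suite was NOT proven supported.
        return ProbeResult(cipher, "MISMATCH", negotiated)
    return ProbeResult(cipher, "UNKNOWN", output.strip())


def list_ciphers() -> list:
    """The same list the script walks: `openssl ciphers 'ALL:eNULL'`."""
    out = subprocess.run(["openssl", "ciphers", "ALL:eNULL"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().split(":")


def probe_cipher(server: str, cipher: str, extra_args=()) -> ProbeResult:
    """One handshake against host:port with a single suite enabled.
    Pass extra_args=("-tls1_2",) to stop a TLS 1.3 server from answering
    with a 1.3 suite regardless of the -cipher list."""
    proc = subprocess.run(
        ["openssl", "s_client", "-cipher", cipher, "-connect", server, *extra_args],
        input=b"", capture_output=True, timeout=15)
    output = (proc.stdout + proc.stderr).decode(errors="replace")
    return classify_output(cipher, output)


def scan(server: str, extra_args=()) -> list:
    results = []
    for cipher in list_ciphers():
        r = probe_cipher(server, cipher, extra_args)
        extra = f" ({r.detail})" if r.detail and r.status != "UNKNOWN" else ""
        print(f"Testing {cipher}...{r.status}{extra}{' [WEAK]' if r.weak else ''}")
        results.append(r)
    return results


if __name__ == "__main__":
    import sys
    scan(sys.argv[1], extra_args=tuple(sys.argv[2:]))   # e.g. host:443 -tls1_2
```

Usage is `python probe.py example.com:443 -tls1_2`; the classifier itself needs no network, so the same rules can be replayed over saved s_client transcripts when auditing a scan after the fact.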
bert [Entry]

Is there a tool that can test what SSL/TLS cipher suites a particular website offers?

Yes, you could use the online tool on SSL Labs' website to query the Public SSL Server Database.

Here is a snippet of information that it provides:

(screenshot from results of google.com)
bert [Entry]

github.com/iSECPartners/sslyze

This one is Python based, works in Linux/Mac/Windows from command line.
bert [Entry]

After a little googling I found this Testing for SSL-TLS (OWASP-CM-001):

The nmap scanner, via the "-sV" scan option, is able to identify SSL services. Vulnerability scanners, in addition to performing service discovery, may include checks against weak ciphers (for example, the Nessus scanner has the capability of checking SSL services on arbitrary ports, and will report weak ciphers).

and also: Foundstone SSL Digger is a tool to assess the strength of SSL servers by testing the ciphers supported. Some of these ciphers are known to be insecure.
bert [Entry]

I am using testssl.sh for most of the SSL tests (see testssl.sh / devel version at github.com/drwetter/testssl.sh). It tests for vulnerabilities, ciphers, protocols etc.