How to check SSL/TLS Cipher Suites a Server Offer – Guidelines
Today in this article, we will learn how to List The SSL/TLS Cipher Suites A Website Offers or supports.
We will also see a few approaches like using various approaches like OpenSSL (if your server is not publicly accessible) or SSLLabs (If servers are publicly accessible) to verify the TLS/SSL configuration.
- As per recent security guidelines, SSL v2 protocols are insecure and must not be used.
- SSL v3 is secured but behaves insecurely when used with HTTP
- TLS v1.2 or TLS v1.3 should be used as the main protocol on your servers.
We will cover the below aspects in today’s article,
OpenSSL is an open-source CLI (command line interface) tool that is used as a Cryptography toolkit implementing the Secure Sockets Layer and Transport Layer Security network protocols, It supports cryptography functions of the crypto library from the shell.
This tool is mainly used for,
- Creation and management of private and public keys
- Creating certificates X.509 c, CSRs, and CRLs
- Encryption and Decryption with Ciphers o
- SSL/TLS Client and Server Tests etc
OpenSSL Command Pattern
openssl [ list-standard-commands | list-message-digest-commands | list-cipher-commands | list-cipher-algorithms | list-message-digest-algorithms | list-public-key-algorithms]
OpenSSL- How to check SSL or TLS protocol versions supported on Linux
OpenSSL comes with very handy commands which let you check the version of SSL/TLS easily
The above shows my website OR API supporting the SSL v3.0 version and TLS 1.2.
That means my server is supporting the latest SSL which is v3.0 and also TLS protocol suites which is TLS 1.2.
OpenSSL – Get a List of ALL cipher Suites
openssl ciphers -v | column -t
OpenSSL – Check SSL or TLS protocol versions supported for a Website
We can use OpenSSL s_client command to implement a generic SSL/TLS client to connect to the remote host.
openssl s_client -connect www.TheCodeBuzz.com:443
If you need to verify tls 1.2 strong ciphers list,
openssl s_client -connect www.TheCodeBuzz.com:443 -tls1_2
SSLLab – Check SSL or TLS protocol versions supported using SSLLab
If your server is publicly accessible, then one can use the online tool SSLLabs to run your set tests providing the SSL or TLS Cipher suites supported by your server.
Below discussed techniques list ciphers supported by the server.
- Please visit here https://www.ssllabs.com/ssltest/
- Enter the URL in the hostname and click Submit
- After submission, the report will be displayed for Protocol support.
Below shows the TLS1.2 as the highest version supported on the server.
- Similarly, once can view all the supported Strong and Weak Cipher on the server
As a best practice, you must disable or remove weak ciphers on the server.
You should see only good ciphers enabled. The below examples show the details for the thecodebuzz,
There are a number of online tools to quickly validate the configuration of a server.
A few examples are listed below,
Online tools – identify the SSL/TLS Cipher suites
- SSL Labs Server Test
- CryptCheck
- CypherCraft
- Hardenize
- ImmuniWeb
- Observatory by Mozilla
- Scanigma
- OWASP PurpleTeam
Offline tools – identify the SSL/TLS Cipher suites
Additionally, a Few offline tools can be used:
- O-Saft – OWASP SSL advanced forensic tool
- NMap
- CipherScan
- CryptoLyzer
- SSLScan – Fast SSL Scanner
- SSLyze
- testssl.sh – Testing any TLS/SSL encryption
- tls-scan
- OWASP PurpleTeam
Hope you find this information useful,
That’s all! Happy coding!
Does this help you fix your issue?
Do you have any better solutions or suggestions? Please sound off your comments below.
Please bookmark this page and share it with your friends. Please Subscribe to the blog to receive notifications on freshly published(2024) best practices and guidelines for software design and development.