Centos – How to determine SSL Cipher strength

centoscentos6pci-dssssl

I have updated my ssl.conf file on my Apache2 configuration to use the following SSLCipherSuite

SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!ADH

However the PCI scan seems to detect that WEAK and MEDIUM ciphers are still enabled.

However, I have restarted Apache but it has had no effect.

I'd like to be able to probe the server to see which ciphers it is allowing without having to constantly wait for the PCI scan to run each time I make a change. How can I do this?

Best Answer

indiv posted a script here that can tell you what cipher suites are accepted by a site. Should work for your purposes.

#!/usr/bin/env bash

# OpenSSL requires the port number.
SERVER=192.168.1.11:443
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ "Cipher is " ]] ; then
  echo YES
else
  if [[ "$result" =~ ":error:" ]] ; then
    error=$(echo -n $result | cut -d':' -f6)
    echo NO \($error\)
  else
    echo UNKNOWN RESPONSE
    echo $result
  fi
fi
sleep $DELAY
done

You can also use Qualys's SSL scanner. It will tell you the same info.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

How to Force or Redirect to SSL in Nginx

According to nginx pitfalls, it's slightly better to omit the unnecessary capture, using $request_uri instead. In that case, append a question mark to prevent nginx from doubling any query args.

server {
    listen      80;
    server_name signup.mysite.com;
    rewrite     ^   https://$server_name$request_uri? permanent;
}

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

How to Force or Redirect to SSL in Nginx

Related Topic