Linux – Easy Way to Check SSL Cipher Preference from Command-Line

centoslinuxSecurityssl

CentOS 5.x

I want to confirm which SSL ciphers are supported and preferred on my web server. Is there an easy way to do this WITHOUT using third-party audit software/equipment? I was hoping for something in openssl. Unfortunately, the web server is locked down so other third-party online tools like Qualys SSL Test won't work.

Best Answer

Currently, I believe the only way to do this is to manually check the different ciphers with openssl s_client.

Preferred ciphers are easy enough, just connect with no -cipher option and the cipher that's used is likely the server's preferred (as long as it's in openssl's default cipher list).

Auditing what ciphers are supported is more legwork, as you'll need to manually specify each cipher that you want to test with the -cipher option (openssl ciphers will show you your options) and see if you can connect. There is an outstanding feature request against OpenSSL to add cipher discovery for this purpose, but that's of no help at the moment.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Security – Our security auditor is an idiot. How to give him the information he wants

First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.

The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.

This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

Security – Our security auditor is an idiot. How to give him the information he wants

Related Topic