SSL – Determining if an SSL cert is affected by SHA-1 phase-out


Google Chrome will start to warn users that their SSL connection is insecure under the following conditions:

  1. The cert uses the SHA1 hashing algorithm, and
  2. The cert expires on or after 2016-01-01 (or 2017-01-01 by different sources)

Therefore I am trying to script a method to determine if a cert is affected. Here is an example of a SHA1 cert on another server that I maintain, that expires in the 'safe' timeframe:

    $ curl -v --silent https://example.com/ 2>&1 | grep "expire\|SSL connection using"
    * SSL connection using DHE-RSA-AES256-GCM-SHA384
    *        expire date: 2015-07-20 00:00:00 GMT

How could I have determined that this cert is SHA1 from the string DHE-RSA-AES256-GCM-SHA384? That 256 in the string sure makes it look like it is using a 256-bit algorithm, even though I know it is not, because I myself did the cert request with $ openssl req -new -newkey rsa:2048 -nodes. Googling around I found this resource on supported ciphers, but I don't see how I could determine the cipher strength from that document.

How could I determine the cipher strength via curl, so that I could script it?

Best Answer

> How could I have determined that this cert is SHA1 from the string DHE-RSA-AES256-GCM-SHA384?

You can't. This string just describes the cipher suite used for encryption and is independent from the certificate itself. You have to take a look at the certificate instead, like this:

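    # </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
    openssl s_client -connect example.com:443 </dev/null 2>/dev/null | \
    openssl x509 -text -noout | \
    grep 'Signature Algorithm\|Not After'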
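
A scripted form of the check the question asks for, built on the answer's pipeline. This is an added example, not part of the original question or answer; the function names, the `CUTOFF_YEAR` variable and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Cutoff year from the question's second condition (2016; some sources say 2017).
CUTOFF_YEAR=${CUTOFF_YEAR:-2016}

# Reads `openssl x509 -noout -text` output on stdin and prints one verdict line.
classify_cert_text() {
    awk -v cutoff="$CUTOFF_YEAR" '
        # The first "Signature Algorithm" line names the hash used to sign the cert.
        /Signature Algorithm:/ && sig == "" { sig = $NF }
        # "Not After : Jul 20 00:00:00 2015 GMT": the year is the next-to-last field.
        /Not After/ { year = $(NF - 1) }
        END {
            if (sig == "" || year == "") { print "UNKNOWN"; exit 2 }
            # Expiring on or after 1 January of the cutoff year means year >= cutoff.
            if (tolower(sig) ~ /sha1/ && year + 0 >= cutoff + 0) {
                print "AFFECTED", sig, year
            } else {
                print "OK", sig, year
            }
        }'
}

# Fetches the leaf certificate from host $1 (port $2, default 443) and classifies it.
check_host() {
    # -servername sends SNI; </dev/null stops s_client waiting on stdin.
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null | classify_cert_text
}

# Constructed sample: the two relevant lines for a SHA-1 cert with the expiry
# date shown in the question (the "safe" timeframe).
sample_cert_text() {
    cat <<'EOF'
    Signature Algorithm: sha1WithRSAEncryption
            Not After : Jul 20 00:00:00 2015 GMT
EOF
}

# Offline demonstration on the constructed sample.
sample_cert_text | classify_cert_text
```

For a live check, call `check_host example.com`; the function exits with status 2 and prints `UNKNOWN` when no certificate could be read.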