Enumerate ciphers with openssl s_client


Because every piece of software has its own way of configuring the available protocols and ciphers, it sure is nice to verify from the client side that those pesky EXP and eNULL suites are not on offer.

The following script enumerates IMAP ciphers with -starttls imap against localhost; the commented-out lines are the variant for implicit SSL/TLS services such as IMAPS or HTTPS.

#!/bin/bash
# Target and the cipher list to test. "ALL" is every suite except eNULL;
# use "ALL:COMPLEMENTOFALL" to test the eNULL suites as well.
server="127.0.0.1:143"
ciphers="ALL"

# openssl ciphers prints a colon-separated list, so split on ':'.
IFS=':'
for cipher in $(openssl ciphers "$ciphers") ; do
    # Implicit SSL/TLS (IMAPS, HTTPS, ...): same command without -starttls.
    #echo "$(echo -n ""|openssl s_client -cipher "$cipher" \
    #    -connect "$server" &>/dev/null && echo -n 1 || echo -n 0) $cipher"
    # Prints 1 if a handshake restricted to this single cipher succeeds, else 0.
    echo "$(echo -n ""|openssl s_client -starttls imap -cipher "$cipher" \
        -connect "$server" &>/dev/null && echo -n 1 || echo -n 0) $cipher"
    sleep 0.1
done

The output looks like this for a server with RSA certificates and the TLSv1.2 protocol suite (1 = accepted, 0 = rejected):

1 ECDHE-RSA-AES256-GCM-SHA384
0 ECDHE-ECDSA-AES256-GCM-SHA384
1 ECDHE-RSA-AES256-SHA384
0 ECDHE-ECDSA-AES256-SHA384
0 DHE-DSS-AES256-GCM-SHA384
1 DHE-RSA-AES256-GCM-SHA384
...
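The post stops at the raw 1/0 list, so the remaining work is spotting the accepted suites that should not be there. The script below is an added example, not the post's own code: `scan_ciphers` does the same per-cipher probe as the script above but takes the endpoint and the STARTTLS protocol as arguments and tests `ALL:COMPLEMENTOFALL` so the eNULL suites (which plain `ALL` omits) are covered too; `flag_weak` reads output in the "1 NAME" format and prints only accepted suites matching a weak-algorithm pattern. The function names, the `WEAK_PATTERN` list and the `SAMPLE_SCAN` data are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not the original post's script): probe an endpoint one cipher
# at a time with openssl s_client, then flag any accepted cipher whose name
# matches a weak-algorithm pattern. Function names, the pattern list and the
# sample data below are this example's own assumptions.

# scan_ciphers HOST:PORT [STARTTLS_PROTO]
# Prints "1 NAME" for every cipher the server accepts and "0 NAME" otherwise,
# the same format as the script above. Needs network access and openssl.
# ALL:COMPLEMENTOFALL covers the eNULL suites that plain ALL leaves out.
scan_ciphers() {
    server="$1"
    proto="${2:-}"    # imap, smtp, pop3, ftp ...; empty for implicit TLS
    if [ -n "$proto" ]; then set -- -starttls "$proto"; else set --; fi
    openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n' | while read -r cipher; do
        if printf '' | openssl s_client "$@" -cipher "$cipher" \
                -connect "$server" >/dev/null 2>&1; then
            printf '1 %s\n' "$cipher"
        else
            printf '0 %s\n' "$cipher"
        fi
        sleep 0.1    # do not hammer the service
    done
}

# Name fragments this example treats as weak: export grade, null encryption,
# anonymous key exchange, RC4/RC2, (3)DES, MD5 MACs and legacy block ciphers.
WEAK_PATTERN='EXP|NULL|ADH|AECDH|RC4|RC2|DES|MD5|IDEA|SEED'

# flag_weak < SCAN_OUTPUT
# Keeps only accepted ciphers (flag 1) and prints those matching WEAK_PATTERN.
# Empty output means nothing weak was offered.
flag_weak() {
    grep -E '^1 ' | cut -d' ' -f2 | grep -E "$WEAK_PATTERN" || true
}

# Constructed sample scan output (not a real result) for an offline check.
SAMPLE_SCAN='1 ECDHE-RSA-AES256-GCM-SHA384
0 ECDHE-ECDSA-AES256-GCM-SHA384
1 DES-CBC3-SHA
1 AECDH-AES128-SHA
0 EXP-RC4-MD5
1 NULL-SHA256
1 AES128-SHA'

if [ "$#" -ge 1 ]; then
    # Real run: ./audit.sh 127.0.0.1:143 imap   (omit "imap" for IMAPS/HTTPS)
    scan_ciphers "$1" "${2:-}" | flag_weak
else
    # No arguments: show the check on the constructed sample only
    printf '%s\n' "$SAMPLE_SCAN" | flag_weak
fi
```

Because `flag_weak` consumes the same "1 NAME" lines the post's script prints, that script's output can be piped into it directly. One caveat for OpenSSL 1.1.1 and later: `-cipher` does not govern TLS 1.3 suites, so against a TLS 1.3 server every probe can succeed regardless of the cipher being tested; add `-no_tls1_3` (or `-tls1_2`) to the s_client call when auditing the TLS 1.2 list, and expect the TLS_AES_* names that `openssl ciphers` lists first to show up as 0.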
