Enumerate ciphers with openssl s_client
Updated at by ospi
As the number of ways to configure available protocols and ciphers is directly proportional to the number of software packages, it sure is nice to verify that those pesky EXPs and eNULLs are not available to clients.
The following script enumerates IMAP ciphers with -starttls imap on localhost; the commented-out lines can be used on implicit SSL/TLS services like IMAPS or HTTPS.
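#!/bin/bash
# Target host:port; 143 is plain IMAP, upgraded with STARTTLS below.
server="127.0.0.1:143"
# OpenSSL cipher string that is expanded into the list of candidates.
ciphers="ALL"
# "openssl ciphers" prints a colon-separated list, so split on ':'.
IFS=':'
for cipher in $(openssl ciphers "$ciphers") ; do
    # Implicit SSL/TLS (IMAPS, HTTPS): use this variant without -starttls.
    #echo "$(echo -n ""|openssl s_client -cipher "$cipher" \
    #    -connect "$server" &>/dev/null && echo -n 1 || echo -n 0) $cipher"
    # Offer exactly one cipher; print 1 if the handshake succeeds, 0 if not.
    # Note: on OpenSSL 1.1.1 and later, -cipher only restricts TLSv1.2 and below;
    # add -no_tls1_3 there so a TLS 1.3 handshake cannot mask the result.
    echo "$(echo -n ""|openssl s_client -starttls imap -cipher "$cipher" \
        -connect "$server" &>/dev/null && echo -n 1 || echo -n 0) $cipher"
    sleep 0.1
done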
It outputs something like this with RSA certs and the TLSv1.2 protocol suite.
1 ECDHE-RSA-AES256-GCM-SHA384
0 ECDHE-ECDSA-AES256-GCM-SHA384
1 ECDHE-RSA-AES256-SHA384
0 ECDHE-ECDSA-AES256-SHA384
0 DHE-DSS-AES256-GCM-SHA384
1 DHE-RSA-AES256-GCM-SHA384
...
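A follow-up check on that output, as an added example that is not part of the original post: it reads the "0/1 cipher" lines and reports every accepted cipher whose name marks it as export-grade, unencrypted, anonymous, RC4, DES or 3DES. The function names, the weak-name patterns and the sample input are assumptions constructed for this example, not a complete cipher policy.

```shell
#!/bin/bash
# Added example: audit "<0|1> <cipher>" lines from the enumeration script.

# Print why an OpenSSL cipher name counts as weak; return 1 if it does not.
# The patterns are this example's assumption, matched in order of severity.
weak_reason() {
    case "$1" in
        EXP-*|EXP1024-*) echo "export-grade" ;;
        *NULL*)          echo "no-encryption" ;;
        ADH-*|AECDH-*)   echo "anonymous-kx" ;;
        *RC4*)           echo "rc4" ;;
        *DES-CBC3*)      echo "3des" ;;
        *DES-CBC-*)      echo "single-des" ;;
        *)               return 1 ;;
    esac
}

# Read enumeration output on stdin, print "<reason> <cipher>" for each weak
# cipher the server accepted, and return 1 if at least one was found.
audit_ciphers() {
    local status cipher reason found=0
    while read -r status cipher; do
        # Skip rejected ciphers and anything that is not a result line.
        [ "$status" = "1" ] || continue
        if reason=$(weak_reason "$cipher"); then
            echo "$reason $cipher"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample in the same format as the script's output.
sample_output() {
    cat <<'EOF'
1 ECDHE-RSA-AES256-GCM-SHA384
0 ECDHE-ECDSA-AES256-GCM-SHA384
1 DHE-RSA-AES256-GCM-SHA384
1 EXP-RC4-MD5
0 NULL-SHA
1 ADH-AES128-SHA
1 DES-CBC3-SHA
EOF
}

sample_output | audit_ciphers || echo "weak ciphers are accepted"
```

Against a real server, pipe the enumeration script into `audit_ciphers` instead of `sample_output`; the non-zero exit status makes it usable as a check in a deployment job.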