Cipher suite enumeration and testing

Cipher suite enumeration and testing involves identifying the specific cryptographic algorithms and protocols supported by a server (such as those for encryption, hashing, and key exchange) and verifying their functionality.^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md]

Supported Algorithms

OpenSSL implements a wide range of cryptographic standards used in these suites. These include:^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md]

  • Encryption Ciphers: AES, Blowfish, Camellia, ChaCha20, Poly1305, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, TDES, GOST 28147-89, and SM4.
  • Hash Functions: MD5, MD4, MD2, SHA-1, SHA-2, SHA-3, RIPEMD-160, MDC-2, GOST R 34.11-94, BLAKE2, Whirlpool, and SM3.
  • Public Key & Exchange: RSA, DSA, ECDSA, ECDHE, Diffie-Hellman, Elliptic Curve Cryptography, X25519, Ed25519, X448, Ed448, GOST R 34.10-2001, and SM2.

Testing with OpenSSL

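To enumerate the cipher suites supported by a server, the openssl s_client command can be used to connect to a specific port (typically 443 for HTTPS).^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md] A single connection reports only the protocol version and cipher suite negotiated for that handshake, so enumeration means repeating the connection with a different suite offered each time.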

openssl s_client -connect www.google.com:443

You can also list the cipher specifications that OpenSSL recognizes, or test a connection using a specific protocol version like TLS 1.2:^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md]

openssl ciphers -s -psk -srp
openssl s_client -connect www.google.com:443 -tls1_2 -msg

Testing with cURL

The curl utility allows for verbose testing of HTTPS connections.^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md] This includes restricting the maximum TLS version and specifying a single cipher suite to test whether the server supports that specific combination.^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md] Because curl's --ciphers option applies to TLS 1.2 and earlier, --tls-max 1.2 keeps the handshake from negotiating a TLS 1.3 suite instead:

curl -s -S -v --tls-max 1.2 --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 https://www.google.com

To view standard names for cipher suites, you can use the following command:^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md]

openssl ciphers -stdname
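
The single-suite test described above can be repeated for every candidate suite to enumerate what a server accepts over TLS 1.2. The script below is an added example, not part of the original page; the function names and the weak-suite pattern list are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: enumerate accepted TLS 1.2 cipher suites, one handshake per suite.
# All function names here are hypothetical.

# probe_suite HOST:PORT SUITE -> exit 0 if the server completes a TLS 1.2
# handshake when SUITE (OpenSSL name) is the only suite offered.
probe_suite() {
    # </dev/null makes s_client exit after the handshake instead of waiting
    # for input. A failed negotiation prints "Cipher is (NONE)".
    openssl s_client -connect "$1" -tls1_2 -cipher "$2" </dev/null 2>/dev/null |
        grep -q "Cipher is $2\$"
}

# is_weak_suite SUITE -> exit 0 if the name contains an algorithm commonly
# treated as deprecated for TLS. The pattern list is an assumed policy:
# RC4, DES/3DES, MD5, NULL encryption, export-grade, anonymous key exchange.
is_weak_suite() {
    case $1 in
        *RC4*|*DES*|*MD5*|*NULL*|EXP*|ADH-*|AECDH-*) return 0 ;;
        *) return 1 ;;
    esac
}

# enumerate_suites HOST:PORT -> reads candidate suite names from stdin, one
# per line, and prints "ok SUITE" or "WEAK SUITE" for each accepted suite.
# TLS 1.3 names (TLS_AES_...) are not valid for -cipher and are simply skipped.
enumerate_suites() {
    local target=$1 suite
    while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        if probe_suite "$target" "$suite"; then
            if is_weak_suite "$suite"; then
                printf 'WEAK %s\n' "$suite"
            else
                printf 'ok %s\n' "$suite"
            fi
        fi
    done
}

# Usage: ./enum_suites.sh host:port
# Candidates come from the local OpenSSL build, split one name per line.
if [ "$#" -ge 1 ]; then
    openssl ciphers ALL | tr ':' '\n' | enumerate_suites "$1"
fi
```

The scan can only offer suites the local OpenSSL build supports, so a clean result from a modern client does not prove the server rejects older suites.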

Sources

^[400-devops-02-os-and-linux-basics-ssl-openssl-openssl.md]