The openssl ciphers utility is a tool that will display, list, and check supported ciphers. It can test your environment to help you decide which cipher list is appropriate for your setup.
openssl ciphers list
To display a verbose listing of all ciphers, run the following command:
openssl ciphers -v 'ALL:eNULL'
-v is verbose and
'ALL:eNULL' is all ciphers, including null ciphers.
To list ciphers by algorithm, include the algorithm in quotes. For example, to list ciphers using the RSA algorithm, run the following command:
openssl ciphers -v 'RSA'
To list ciphers using AES, run the following command:
openssl ciphers -v 'AES'
To list ciphers by SSL or TLS protocol version, append the following onto the command in addition to the
-ssl3 for SSLv3
-tls1 for TLSv1
-tls1_1 for TLSv1.1
-tls1_2 for TLSv1.2
-tls1_3 for TLSv1.3
For example, to list all supported ciphers for TLSv1.3, run the following command:
openssl ciphers -v -s -tls1_3
openssl weak ciphers
Weak ciphers include RC4 and DES, so any cipher making use of these algorithms should be disabled. Previously, RC4 was recommended to avoid the BEAST attack. Microsoft has issued a security advisory against using RC4 as well as RFC-7465 prohibiting its use.
To disable ciphers that do not use encryption, prepend an exclamation mark before
eNull means no encryption.
openssl ciphers -v 'ALL:!eNULL'
To disable ciphers that do not use authentication, prepend an exclamation mark before
aNull means no authentication.
openssl ciphers -v 'ALL:!aNULL'
openssl ciphers check
To check the available ciphers a server will accept, you can use the s_client utility and specify the cipher. If you get a successful connection, you will know the cipher is supported. If you don’t get a connection, you will know the cipher is not supported.
For example, at the time of this writing, example.com supports the
openssl s_client -cipher 'ECDHE-RSA-AES256-SHA' -connect example.com:443
On the other hand, at the time of this writing, example.com does not support the
openssl s_client -cipher 'RSA_PSK_WITH_AES_256_CBC_SHA384' -connect example.com:443
openssl recommended ciphers
Recommended ciphers include those with strong encryption and preferably supported by TLSv1.3.