The openssl ciphers utility is a tool that will display, list, and check supported ciphers. It can test your environment to help you decide which cipher list is appropriate for your setup.
openssl ciphers list
To display a verbose listing of all ciphers, run the following command:
openssl ciphers -v 'ALL:eNULL'
Here -v requests verbose output, and 'ALL:eNULL' selects all ciphers, including the null (no-encryption) ciphers.
To list ciphers by algorithm, include the algorithm in quotes. For example, to list ciphers using the RSA algorithm, run the following command:
openssl ciphers -v 'RSA'
To list ciphers using AES, run the following command:
openssl ciphers -v 'AES'
To list ciphers by SSL or TLS protocol version, add the -s flag together with one of the following protocol options:
-ssl3 for SSLv3
-tls1 for TLSv1
-tls1_1 for TLSv1.1
-tls1_2 for TLSv1.2
-tls1_3 for TLSv1.3
For example, to list all supported ciphers for TLSv1.3, run the following command:
openssl ciphers -v -s -tls1_3
openssl weak ciphers
Weak ciphers include RC4 and DES, so any cipher making use of these algorithms should be disabled. RC4 was previously recommended as a way to avoid the BEAST attack. Microsoft has since issued a security advisory against using RC4, and RFC 7465 prohibits its use.
To disable ciphers that do not use encryption, prepend an exclamation mark to eNULL. eNULL means no encryption.
openssl ciphers -v 'ALL:!eNULL'
To disable ciphers that do not use authentication, prepend an exclamation mark to aNULL. aNULL means no authentication.
openssl ciphers -v 'ALL:!aNULL'
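As an added example (not part of the original article), the following shell filter reads lines in the format of openssl ciphers -v output and flags the weak classes discussed above: RC4 and DES/3DES encryption, eNULL (Enc=None) and aNULL (Au=None). The sample input is constructed in that format so the filter runs without a local OpenSSL; audit_local_openssl applies the same filter to the real 'ALL:eNULL' listing when the openssl binary is available.

```shell
#!/bin/sh
# Constructed sample in the format of `openssl ciphers -v` output
# (name, protocol, Kx=, Au=, Enc=, Mac=). Not captured from a real system.
SAMPLE_CIPHERS='TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-RC4-SHA              SSLv3   Kx=ECDH     Au=RSA   Enc=RC4(128)               Mac=SHA1
DES-CBC3-SHA                   SSLv3   Kx=RSA      Au=RSA   Enc=3DES(168)              Mac=SHA1
AECDH-AES256-SHA               SSLv3   Kx=ECDH     Au=None  Enc=AES(256)               Mac=SHA1
NULL-SHA256                    TLSv1.2 Kx=RSA      Au=RSA   Enc=None                   Mac=SHA256'

# Reads verbose cipher lines on stdin; prints "<name><TAB><reason>" for each weak one.
# Weak means: RC4 or DES/3DES encryption, Enc=None (eNULL), or Au=None (aNULL).
flag_weak_ciphers() {
    awk '{
        name = $1; enc = ""; au = "";
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Enc=/) enc = substr($i, 5);   # strip "Enc="
            if ($i ~ /^Au=/)  au  = substr($i, 4);   # strip "Au="
        }
        reason = "";
        if (enc ~ /^RC4/)        reason = "RC4 encryption";
        else if (enc ~ /DES/)    reason = "DES/3DES encryption";
        else if (enc == "None")  reason = "eNULL (no encryption)";
        else if (au == "None")   reason = "aNULL (no authentication)";
        if (reason != "") print name "\t" reason;
    }'
}

# Number of weak ciphers in the constructed sample (expected: 4).
count_weak_in_sample() {
    printf '%s\n' "$SAMPLE_CIPHERS" | flag_weak_ciphers | awk 'END { print NR }'
}

# Same check against the ciphers the local OpenSSL build actually offers.
# Requires the openssl binary; 'ALL:eNULL' is needed so null ciphers are listed too.
audit_local_openssl() {
    openssl ciphers -v 'ALL:eNULL' | flag_weak_ciphers
}
```

Ciphers the filter reports are candidates for exclusion with the ! syntax shown above, for example 'ALL:!eNULL:!aNULL:!RC4:!DES:!3DES'.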
openssl ciphers check
To check the available ciphers a server will accept, you can use the s_client utility and specify the cipher. If you get a successful connection, you will know the cipher is supported. If you don’t get a connection, you will know the cipher is not supported.
For example, at the time of this writing, example.com supports the ECDHE-RSA-AES256-SHA cipher.
openssl s_client -cipher 'ECDHE-RSA-AES256-SHA' -connect example.com:443
On the other hand, at the time of this writing, example.com does not support the RSA_PSK_WITH_AES_256_CBC_SHA384 cipher.
openssl s_client -cipher 'RSA_PSK_WITH_AES_256_CBC_SHA384' -connect example.com:443
openssl recommended ciphers
Recommended ciphers are those that provide strong encryption, preferably the suites supported by TLSv1.3.