openssl ciphers

April 13, 2020 by Mister PKI

The openssl ciphers utility is a tool that will display, list, and check supported ciphers. It can test your environment to help you decide which cipher list is appropriate for your setup.

openssl ciphers list

To display a verbose listing of all ciphers, run the following command:

openssl ciphers -v 'ALL:eNULL'

Here, -v requests verbose output, and 'ALL:eNULL' selects all ciphers plus the null-encryption (eNULL) ciphers, which ALL does not include on its own.

To list ciphers by algorithm, include the algorithm in quotes. For example, to list ciphers using the RSA algorithm, run the following command:

openssl ciphers -v 'RSA'

To list ciphers using AES, run the following command:

openssl ciphers -v 'AES'

To list ciphers by SSL or TLS protocol version, add one of the following options to the command together with the -s flag, which restricts the output to supported ciphers:

-ssl3 for SSLv3

-tls1 for TLSv1

-tls1_1 for TLSv1.1

-tls1_2 for TLSv1.2

-tls1_3 for TLSv1.3

For example, to list all supported ciphers for TLSv1.3, run the following command:

openssl ciphers -v -s -tls1_3

openssl weak ciphers

Weak ciphers include RC4 and DES, so any cipher making use of these algorithms should be disabled. Previously, RC4 was recommended to avoid the BEAST attack. Microsoft has since issued a security advisory against using RC4, and RFC 7465 prohibits its use.

To disable ciphers that do not use encryption, prefix eNULL with an exclamation mark. eNULL means no encryption.

openssl ciphers -v 'ALL:!eNULL'

To disable ciphers that do not use authentication, prefix aNULL with an exclamation mark. aNULL means no authentication.

openssl ciphers -v 'ALL:!aNULL'
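
As an added example (not from the original post), the shell function below reads `openssl ciphers -v` output and flags the weak categories named above: RC4, DES-based, eNULL and aNULL suites. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Each line of `openssl ciphers -v` looks like:
#   NAME PROTOCOL Kx=... Au=... Enc=... Mac=...

# flag_weak_ciphers (hypothetical helper): read a verbose listing on stdin
# and print one line per weak suite as "NAME reason[,reason]".
flag_weak_ciphers() {
  awk '
    {
      reasons = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "Enc=None")       reasons = reasons ",eNULL"  # no encryption
        else if ($i == "Au=None")   reasons = reasons ",aNULL"  # no authentication
        else if ($i ~ /^Enc=RC4/)   reasons = reasons ",RC4"
        else if ($i ~ /^Enc=3?DES/) reasons = reasons ",DES"    # DES and 3DES (built on DES)
      }
      if (reasons != "") print $1, substr(reasons, 2)
    }'
}

# audit_cipher_string (hypothetical helper): expand a cipher string with the
# local openssl binary and flag the weak suites it would enable.
audit_cipher_string() {
  openssl ciphers -v "$1" 2>/dev/null | flag_weak_ciphers
}

# Constructed sample listing so the example runs without openssl installed.
sample_listing() {
  cat <<'EOF'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA    TLSv1   Kx=ECDH Au=RSA  Enc=AES(256)    Mac=SHA1
RC4-SHA                 SSLv3   Kx=RSA  Au=RSA  Enc=RC4(128)    Mac=SHA1
DES-CBC3-SHA            SSLv3   Kx=RSA  Au=RSA  Enc=3DES(168)   Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA  Au=RSA  Enc=None        Mac=SHA256
ADH-AES256-SHA          SSLv3   Kx=DH   Au=None Enc=AES(256)    Mac=SHA1
AECDH-NULL-SHA          TLSv1   Kx=ECDH Au=None Enc=None        Mac=SHA1
EOF
}

sample_listing | flag_weak_ciphers
```

To audit a real configuration, pass its cipher string to audit_cipher_string, for example audit_cipher_string 'ALL:eNULL'; empty output means none of the four categories matched.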

openssl ciphers check

To check the available ciphers a server will accept, you can use the s_client utility and specify the cipher. If you get a successful connection, you will know the cipher is supported. If you don’t get a connection, you will know the cipher is not supported.

For example, at the time of this writing, example.com supports the ECDHE-RSA-AES256-SHA cipher.

openssl s_client -cipher 'ECDHE-RSA-AES256-SHA' -connect example.com:443

On the other hand, at the time of this writing, example.com does not support the RSA-PSK-AES256-CBC-SHA384 cipher (RSA_PSK_WITH_AES_256_CBC_SHA384 in RFC naming; s_client expects the OpenSSL name).

openssl s_client -cipher 'RSA-PSK-AES256-CBC-SHA384' -connect example.com:443

openssl recommended ciphers

Recommended ciphers include those with strong encryption and preferably supported by TLSv1.3.
