Mister PKI

All things PKI, HTTPS, SSL, TLS, Digital Certificates

by Leave a Comment

The openssl ciphers utility is a tool that will display, list, and check supported ciphers. It can test your environment to help you decide which cipher list is appropriate for your setup.

openssl ciphers list

To display a verbose listing of all ciphers, run the following command:

openssl ciphers -v 'ALL:eNULL'

Where -v is verbose and 'ALL:eNULL' is all ciphers, including null ciphers.

To list ciphers by algorithm, include the algorithm in quotes. For example, to list ciphers using the RSA algorithm, run the following command:

openssl ciphers -v 'RSA'

To list ciphers using AES, run the following command:

openssl ciphers -v 'AES'

To list ciphers by SSL or TLS protocol version, append the following onto the command in addition to the -s flag:

-ssl3 for SSLv3

-tls1 for TLSv1

-tls1_1 for TLSv1.1

-tls1_2 for TLSv1.2

-tls1_3 for TLSv1.3

For example, to list all supported ciphers for TLSv1.3, run the following command:

openssl ciphers -v -s -tls1_3

openssl weak ciphers

Weak ciphers include RC4 and DES, so any cipher making use of these algorithms should be disabled. Previously, RC4 was recommended to avoid the BEAST attack. Microsoft has issued a security advisory against using RC4 as well as RFC-7465 prohibiting its use.

To disable ciphers that do not use encryption, prepend an exclamation mark before eNull. eNull means no encryption.

openssl ciphers -v 'ALL:!eNULL'

To disable ciphers that do not use authentication, prepend an exclamation mark before aNull. aNull means no authentication.

openssl ciphers -v 'ALL:!aNULL'

openssl ciphers check

To check the available ciphers a server will accept, you can use the s_client utility and specify the cipher. If you get a successful connection, you will know the cipher is supported. If you don’t get a connection, you will know the cipher is not supported.

For example, at the time of this writing, example.com supports the ECDHE-RSA-AES256-SHA cipher.

openssl s_client -cipher 'ECDHE-RSA-AES256-SHA' -connect example.com:443

On the other hand, at the time of this writing, example.com does not support the RSA_PSK_WITH_AES_256_CBC_SHA384 cipher.

openssl s_client -cipher 'RSA_PSK_WITH_AES_256_CBC_SHA384' -connect example.com:443

openssl recommended ciphers

Recommended ciphers include those with strong encryption and preferably supported by TLSv1.3.

Read more of our content.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *