Enumerating TLS protocol versions and ciphers supported by the peer
Dr. Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Mon Dec 6 14:11:55 UTC 2021
Hi all,
today I learned that nmap has a nice feature to enumerate the protocol versions and cipher suites supported by the peer (see below).
Is there a comparable elegant way to obtain the same results using the `openssl s_client` tool?
Matthias
--
$ nmap -script ssl-enum-ciphers -p 443 www.openssl.org<http://www.openssl.org>
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-06 15:05 CET
Nmap scan report for www.openssl.org<http://www.openssl.org> (96.16.136.61)
Host is up (0.0041s latency).
Other addresses for www.openssl.org<http://www.openssl.org> (not scanned): 2a02:26f0:1700:393::c1e 2a02:26f0:1700:380::c1e
rDNS record for 96.16.136.61: a96-16-136-61.deploy.static.akamaitechnologies.com
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211206/12e4ef11/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7448 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211206/12e4ef11/attachment-0001.bin>
More information about the openssl-users
mailing list