Enumerating TLS protocol versions and ciphers supported by the peer

Mark Hack markhack at markhack.com
Tue Dec 7 21:48:57 UTC 2021


Look at https://testssl.sh/
That is an openssl wrapper which enumerates ciphers and protocols (and
a whole lot more).

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
---------------------------------------------------------------------------------------------------------------
SSLv2
SSLv3
TLS 1
TLS 1.1
TLS 1.2
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 521   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS 1.3
 x1302   TLS_AES_256_GCM_SHA384            ECDH 521   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 521   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 x1301   TLS_AES_128_GCM_SHA256            ECDH 521   AESGCM      128      TLS_AES_128_GCM_SHA256

On Mon, 2021-12-06 at 15:06 +0000, Michael Wojcik wrote:
> > From: Dr. Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
> > Sent: Monday, 6 December, 2021 07:53
> > To: Michael Wojcik <Michael.Wojcik at microfocus.com>; openssl-
> > 
> > 
> > > "Comparable elegant" is underspecified.
> > 
> > (I guess, "Comparably elegant" would have been grammatically more
> > correct.)
> 
> I just meant that elegance is in the eye of the beholder.
> 
> Many people might agree that having a single command line return the
> list of what suites the server supports is elegant, at least for the
> user. Others prefer the original UNIX philosophy of simpler tools
> which are scripted to perform more complex operations; that's the
> testssl.sh approach, and it's more elegant in the sense of being
> composed in a visible (and modifiable) way from smaller pieces.
> 
> A command-line option to s_client to do this sort of server profiling
> is conceivable, but it would be a significant departure from what
> s_client does now, since it would conflict with some other options
> and would involve making multiple connections. That doesn't mean it
> shouldn't be implemented, necessarily, just that it's not parallel to
> most of the other things s_client options do.
> 
> -- 
> Michael Wojcik
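
Added example (not part of the original messages and not testssl.sh code): the "multiple connections" approach described in the quoted reply, written as a POSIX shell loop that offers one suite per s_client handshake. The function names probe and enumerate and the OPENSSL override variable are this example's own, and it can only find suites that the local OpenSSL build is able to offer.

```shell
#!/bin/sh
# Added example: enumerate the cipher suites a server accepts by offering
# exactly one suite per handshake with `openssl s_client`.
OPENSSL=${OPENSSL:-openssl}   # assumption: override to use another build

# probe HOST:PORT PROTO_FLAG SUITE
# Succeeds (exit 0) only if the handshake completes with the offered suite.
probe() {
    # Suites up to TLS 1.2 are selected with -cipher, TLS 1.3 suites
    # with -ciphersuites.
    opt=-cipher
    if [ "$2" = "-tls1_3" ]; then opt=-ciphersuites; fi
    # s_client reports "Cipher is <name>" on success and
    # "Cipher is (NONE)" when no suite was agreed.
    "$OPENSSL" s_client -connect "$1" "$2" "$opt" "$3" </dev/null 2>/dev/null |
        grep -q "Cipher is $3\$"
}

# enumerate HOST:PORT [PROTO_FLAG...]
# Prints one "<protocol> <suite>" line per accepted suite.
enumerate() {
    target=$1
    shift
    [ "$#" -gt 0 ] || set -- -tls1_2 -tls1_3
    for proto in "$@"; do
        # `ciphers -s` lists only what this build would offer for the
        # protocol, so suites it lacks or has disabled are never tested.
        for suite in $("$OPENSSL" ciphers -s "$proto" | tr ':' ' '); do
            probe "$target" "$proto" "$suite" && echo "${proto#-} $suite"
        done
    done
    return 0
}

# Run only when a target is given, e.g.: sh enum.sh host.example:443 -tls1_2
if [ "$#" -gt 0 ]; then
    enumerate "$@"
fi
```

An empty result for a protocol means either the server refuses it or the local build cannot offer it; the two cases look the same from this script.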