How to determine SSL cipher suites supported by the web-server

Determine SSL cipher suites supported by the web-server using OpenSSL.

Shell script

Bourne Again SHell shell script.

#!/usr/bin/env bash
# Determine SSL cipher suites supported by the web-server

# exit immediately on non-zero status 
#set -e

# display usage
usage() {
  echo "Usage: $(basename $0) -s server [-p port] [-c cipher] [-t tls_version] [-d] "
}

# get openssl param for specific TLS version
get_tls_param() {
  case "$1" in
    "SSLv3") protocol_version_param="-tls1_3" ;; # override sslv3
    "TLSv1") protocol_version_param="-tls1_1" ;;
    "TLSv1.2") protocol_version_param="-tls1_2" ;;
    "TLSv1.3") protocol_version_param="-tls1_3" ;;
    *) exit 1 
  esac
  echo $protocol_version_param
}

# initial values
server_option=""
port_option="443"
debug_option=0
cipher_option=""
tls_option=""

# parse parameters
while getopts ":s:p:c:t:d" option; do
  case "${option}"	in
    "s") server_option="$OPTARG" ;;
    "c") cipher_option="$OPTARG" ;;
    "t") tls_option="$OPTARG" ;;
    "d") debug_option="1" ;;
    "?") usage; exit 1 ;;
  esac
done

# ensure that server is provided
if [ -z "${server_option}" ]; then
  usage
  exit 1
fi

if [ -n "$cipher_option" ]; then\
  cipher_param="-ciphersuites $cipher_option NULL"
else
  cipher_param=""
fi

while read cipher_line; do
  if [ -z "$cipher_line" ]; then
    echo "Error: cipher not reconized"
    continue
  fi
  if [ -z "$tls_option" ]; then
    protocol_version_param="$(get_tls_param "$protocol_version")"
    protocol_version=$(echo $cipher_line | awk '{print $4}')
  else
    protocol_version_param="$(get_tls_param "$tls_option")"
    protocol_version="$tls_option (parameter)"
  fi

  standard_cipher_name=$(echo $cipher_line | awk '{print $1}')
  cipher_name=$(echo $cipher_line | awk '{print $3}')
  key_exchange=$(echo $cipher_line | awk '{split($5,m,"=");print m[2]}')
  authentication=$(echo $cipher_line | awk '{split($6,m,"=");print m[2]}')
  symmetric_encryption_method=$(echo $cipher_line | awk '{split($7,m,"=");print m[2]}')
  message_authentication_method=$(echo $cipher_line | awk '{split($8,m,"=");print m[2]}')

  echo "${standard_cipher_name}"
  if [ "${debug_option}" -eq "1" ]; then
    echo "  Cipher name: ${cipher_name}"
    if [ "$protocol_version" == "SSLv3" ]; then
      echo "  Protocol version: TLSv1.3 (instead of $protocol_version)"
    else
      echo "  Protocol version: $protocol_version"
    fi
    echo "  Key exchange: ${key_exchange}"
    echo "  Authentication: ${authentication}"
    echo "  Symmetric encryption method: ${symmetric_encryption_method}"
    echo "  Message authentication method: ${message_authentication_method}"
  fi

  error_message="$(echo -n | openssl s_client $protocol_version_param -cipher $cipher_name -servername $server_option -connect $server_option:$port_option 2>&1 | grep :error:)"
  if [ -z "$error_message" ]; then
    echo "  Status: connected"
  else
    echo "  Status: NOT connected"
    echo "  Error: $(echo $error_message | awk -F: '{print $4 " - " $5 " - " $6}')"
  fi
done <<< $(openssl ciphers -s -stdname $cipher_param 2>/dev/null)

Usage

Check specific server, cipher, protocol version and include debug information.

$ check-ssl-ciphers.sh -s example.org -c TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -t TLSv1_2 -d
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  Cipher name: ECDHE-ECDSA-AES128-GCM-SHA256
  Protocol version: TLSv1_2 (parameter)
  Key exchange: ECDH
  Authentication: ECDSA
  Symmetric encryption method: AESGCM(128)
  Message authentication method: AEAD
  Status: connected

Check nonexisting server.

$ check-ssl-ciphers.sh -s nonexisting.example.org -c TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -t TLSv1_2 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  Status: NOT connected
  Error: BIO routines - BIO_lookup_ex - system lib

Check specific server using default cipher suites and include debug information.

$ check-ssl-ciphers.sh -s example.org -d
TLS_AES_256_GCM_SHA384
  Cipher name: TLS_AES_256_GCM_SHA384
  Protocol version: TLSv1.3
  Key exchange: any
  Authentication: any
  Symmetric encryption method: AESGCM(256)
  Message authentication method: AEAD
  Status: NOT connected
  Error: SSL routines - SSL_CTX_set_cipher_list - no cipher match
TLS_CHACHA20_POLY1305_SHA256
  Cipher name: TLS_CHACHA20_POLY1305_SHA256
  Protocol version: TLSv1.3
  Key exchange: any
  Authentication: any
  Symmetric encryption method: CHACHA20/POLY1305(256)
  Message authentication method: AEAD
  Status: NOT connected
  Error: SSL routines - SSL_CTX_set_cipher_list - no cipher match
TLS_AES_128_GCM_SHA256
  Cipher name: TLS_AES_128_GCM_SHA256
  Protocol version: TLSv1.3
  Key exchange: any
  Authentication: any
  Symmetric encryption method: AESGCM(128)
  Message authentication method: AEAD
  Status: NOT connected
  Error: SSL routines - SSL_CTX_set_cipher_list - no cipher match
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  Cipher name: ECDHE-ECDSA-AES256-GCM-SHA384
  Protocol version: TLSv1.2
  Key exchange: ECDH
  Authentication: ECDSA
  Symmetric encryption method: AESGCM(256)
  Message authentication method: AEAD
  Status: connected
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  Cipher name: ECDHE-RSA-AES256-GCM-SHA384
  Protocol version: TLSv1.2
  Key exchange: ECDH
  Authentication: RSA
  Symmetric encryption method: AESGCM(256)
  Message authentication method: AEAD
  Status: connected
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  Cipher name: DHE-RSA-AES256-GCM-SHA384
  Protocol version: TLSv1.2
  Key exchange: DH
  Authentication: RSA
  Symmetric encryption method: AESGCM(256)
  Message authentication method: AEAD
  Status: connected
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  Cipher name: ECDHE-ECDSA-CHACHA20-POLY1305
  Protocol version: TLSv1.2
  Key exchange: ECDH
  Authentication: ECDSA
  Symmetric encryption method: CHACHA20/POLY1305(256)
  Message authentication method: AEAD
  Status: NOT connected
  Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  Cipher name: ECDHE-RSA-CHACHA20-POLY1305
  Protocol version: TLSv1.2
  Key exchange: ECDH
  Authentication: RSA
  Symmetric encryption method: CHACHA20/POLY1305(256)
  Message authentication method: AEAD
  Status: NOT connected
  Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  Cipher name: DHE-RSA-CHACHA20-POLY1305
  Protocol version: TLSv1.2
  Key exchange: DH
  Authentication: RSA
  Symmetric encryption method: CHACHA20/POLY1305(256)
  Message authentication method: AEAD
  Status: NOT connected
  Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  Cipher name: ECDHE-ECDSA-AES128-GCM-SHA256
  Protocol version: TLSv1.2
  Key exchange: ECDH
  Authentication: ECDSA
  Symmetric encryption method: AESGCM(128)
  Message authentication method: AEAD
  Status: NOT connected
  Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  Cipher name: ECDHE-RSA-AES128-GCM-SHA256
  Protocol version: TLSv1.2
  Key exchange: ECDH
  Authentication: RSA
  Symmetric encryption method: AESGCM(128)
  Message authentication method: AEAD
  Status: connected
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  Cipher name: DHE-RSA-AES128-GCM-SHA256
  Protocol version: TLSv1.2
  Key exchange: DH
  Authentication: RSA
  Symmetric encryption method: AESGCM(128)
  Message authentication method: AEAD
  Status: connected
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  Cipher name: ECDHE-ECDSA-AES256-SHA384
  Protocol version: TLSv1.2
  Key exchange: ECDH
  Authentication: ECDSA
  Symmetric encryption method: AES(256)
  Message authentication method: SHA384
  Status: NOT connected
  Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  Cipher name: ECDHE-RSA-AES256-SHA384
  Protocol version: TLSv1.2
  Key exchange: ECDH
  Authentication: RSA
  Symmetric encryption method: AES(256)
  Message authentication method: SHA384
  Status: connected
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  Cipher name: DHE-RSA-AES256-SHA256
  Protocol version: TLSv1.2
  Key exchange: DH
  Authentication: RSA
  Symmetric encryption method: AES(256)
  Message authentication method: SHA256
  Status: connected
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  Cipher name: ECDHE-ECDSA-AES128-SHA256
  Protocol version: TLSv1.2
  Key exchange: ECDH
  Authentication: ECDSA
  Symmetric encryption method: AES(128)
  Message authentication method: SHA256
  Status: NOT connected
  Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  Cipher name: ECDHE-RSA-AES128-SHA256
  Protocol version: TLSv1.2
  Key exchange: ECDH
  Authentication: RSA
  Symmetric encryption method: AES(128)
  Message authentication method: SHA256
  Status: connected
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  Cipher name: DHE-RSA-AES128-SHA256
  Protocol version: TLSv1.2
  Key exchange: DH
  Authentication: RSA
  Symmetric encryption method: AES(128)
  Message authentication method: SHA256
  Status: connected
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  Cipher name: ECDHE-ECDSA-AES256-SHA
  Protocol version: TLSv1
  Key exchange: ECDH
  Authentication: ECDSA
  Symmetric encryption method: AES(256)
  Message authentication method: SHA1
  Status: NOT connected
  Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  Cipher name: ECDHE-RSA-AES256-SHA
  Protocol version: TLSv1
  Key exchange: ECDH
  Authentication: RSA
  Symmetric encryption method: AES(256)
  Message authentication method: SHA1
  Status: connected
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  Cipher name: DHE-RSA-AES256-SHA
  Protocol version: TLSv1.3 (instead of SSLv3)
  Key exchange: DH
  Authentication: RSA
  Symmetric encryption method: AES(256)
  Message authentication method: SHA1
  Status: connected
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  Cipher name: ECDHE-ECDSA-AES128-SHA
  Protocol version: TLSv1
  Key exchange: ECDH
  Authentication: ECDSA
  Symmetric encryption method: AES(128)
  Message authentication method: SHA1
  Status: connected
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  Cipher name: ECDHE-RSA-AES128-SHA
  Protocol version: TLSv1
  Key exchange: ECDH
  Authentication: RSA
  Symmetric encryption method: AES(128)
  Message authentication method: SHA1
  Status: connected
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  Cipher name: DHE-RSA-AES128-SHA
  Protocol version: TLSv1.3 (instead of SSLv3)
  Key exchange: DH
  Authentication: RSA
  Symmetric encryption method: AES(128)
  Message authentication method: SHA1
  Status: connected
TLS_RSA_WITH_AES_256_GCM_SHA384
  Cipher name: AES256-GCM-SHA384
  Protocol version: TLSv1.2
  Key exchange: RSA
  Authentication: RSA
  Symmetric encryption method: AESGCM(256)
  Message authentication method: AEAD
  Status: connected
TLS_RSA_WITH_AES_128_GCM_SHA256
  Cipher name: AES128-GCM-SHA256
  Protocol version: TLSv1.2
  Key exchange: RSA
  Authentication: RSA
  Symmetric encryption method: AESGCM(128)
  Message authentication method: AEAD
  Status: connected
TLS_RSA_WITH_AES_256_CBC_SHA256
  Cipher name: AES256-SHA256
  Protocol version: TLSv1.2
  Key exchange: RSA
  Authentication: RSA
  Symmetric encryption method: AES(256)
  Message authentication method: SHA256
  Status: NOT connected
  Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure
TLS_RSA_WITH_AES_128_CBC_SHA256
  Cipher name: AES128-SHA256
  Protocol version: TLSv1.2
  Key exchange: RSA
  Authentication: RSA
  Symmetric encryption method: AES(128)
  Message authentication method: SHA256
  Status: NOT connected
  Error: SSL routines - ssl3_read_bytes - sslv3 alert handshake failure
TLS_RSA_WITH_AES_256_CBC_SHA
  Cipher name: AES256-SHA
  Protocol version: TLSv1.3 (instead of SSLv3)
  Key exchange: RSA
  Authentication: RSA
  Symmetric encryption method: AES(256)
  Message authentication method: SHA1
  Status: connected
TLS_RSA_WITH_AES_128_CBC_SHA
  Cipher name: AES128-SHA
  Protocol version: TLSv1.3 (instead of SSLv3)
  Key exchange: RSA
  Authentication: RSA
  Symmetric encryption method: AES(128)
  Message authentication method: SHA1
  Status: connected

This is a simple shell script just to illustrate the idea.