A very simple way to find out which SSL ciphersuites are supported by a target.
Find a file
Hubert Kario 4e0e03b61e make default output more narrow
If server uses the same certificate for all connections, it's
useless to print the same information over and over.

In such case, omit those columns and print a summary at the end
2014-04-06 18:01:13 +02:00
top1m added many tests 2014-01-11 01:07:32 +00:00
cipherscan make default output more narrow 2014-04-06 18:01:13 +02:00
openssl Rebuilt openssl to support ChaCha20/Poly1305. Test against google servers. 2014-01-31 10:22:21 -05:00
OpenSSL-LICENSE Added OpenSSL License 2013-11-05 15:53:55 -05:00
README.md update README with new examples 2014-04-05 19:40:19 +02:00

CipherScan

A very simple way to find out which SSL ciphersuites are supported by a target.

On Linux x86_64 run: ./cipherscan www.google.com:443 On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443 and watch.

The newer your version of openssl, the better results you'll get. Versions of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc... Build your own or test what your system's OpenSSL supports.

Cipherscan should work fine on Linux, Mac OS X, Solaris, Illumos, SmartOS, OpenIndiana if you specify a an openssl binary with -o.

Build OpenSSL with ChaCha20-Poly1305 support (Optional)

The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, the snapshot from the OpenSSL gitweb view and build it like this:

./config no-shared
make

And get the binary from app/openssl. (./config will ask you to run make depend which will fail - for our purposes this step is not required)

Options

-a | --allciphers   Test all known ciphers individually at the end.
-b | --benchmark    Activate benchmark mode.
-d | --delay        Pause for n seconds between connections
-D | --debug        Output ALL the information.
-h | --help         Shows this help text.
-j | --json         Output results in JSON format.
-o | --openssl      path/to/your/openssl binary you want to use.
-v | --verbose      Increase verbosity.

Example

Testing plain SSL/TLS:

linux $ ./cipherscan www.google.com:443
...................
prio  ciphersuite                  protocols                    pubkey_size  signature_algorithm    trusted  pfs_keysize
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                      2048         sha1WithRSAEncryption  True     ECDH,P-256,256bits
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      2048         sha1WithRSAEncryption  True     ECDH,P-256,256bits
3     ECDHE-RSA-AES128-SHA         TLSv1.1,TLSv1.2              2048         sha1WithRSAEncryption  True     ECDH,P-256,256bits
4     ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     ECDH,P-256,256bits
5     AES128-GCM-SHA256            TLSv1.2                      2048         sha1WithRSAEncryption  True
6     AES128-SHA256                TLSv1.2                      2048         sha1WithRSAEncryption  True
7     AES128-SHA                   TLSv1.1,TLSv1.2              2048         sha1WithRSAEncryption  True
8     RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True
9     RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True
10    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      2048         sha1WithRSAEncryption  True     ECDH,P-256,256bits
11    ECDHE-RSA-AES256-SHA384      TLSv1.2                      2048         sha1WithRSAEncryption  True     ECDH,P-256,256bits
12    ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     ECDH,P-256,256bits
13    AES256-GCM-SHA384            TLSv1.2                      2048         sha1WithRSAEncryption  True
14    AES256-SHA256                TLSv1.2                      2048         sha1WithRSAEncryption  True
15    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True
16    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     ECDH,P-256,256bits
17    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True
18    ECDHE-RSA-AES128-SHA256      TLSv1.2                      2048         sha1WithRSAEncryption  True     ECDH,P-256,256bits

Testing STARTTLS:

darwin $ ./cipherscan -o ./openssl-mine -starttls xmpp jabber.ccc.de:5222
.........
prio  ciphersuite           protocols    pubkey_size  signature_algorithm    trusted  pfs_keysize
1     DHE-RSA-AES256-SHA    SSLv3,TLSv1  2048         sha1WithRSAEncryption  False    DH,1024bits
2     AES256-SHA            SSLv3,TLSv1  2048         sha1WithRSAEncryption  False
3     EDH-RSA-DES-CBC3-SHA  SSLv3,TLSv1  2048         sha1WithRSAEncryption  False    DH,1024bits
4     DES-CBC3-SHA          SSLv3,TLSv1  2048         sha1WithRSAEncryption  False
5     DHE-RSA-AES128-SHA    SSLv3,TLSv1  2048         sha1WithRSAEncryption  False    DH,1024bits
6     AES128-SHA            SSLv3,TLSv1  2048         sha1WithRSAEncryption  False
7     RC4-SHA               SSLv3,TLSv1  2048         sha1WithRSAEncryption  False
8     RC4-MD5               SSLv3,TLSv1  2048         sha1WithRSAEncryption  False