OpenSSL: Using OpenSSL to enumerate protocols and ciphers in use by web applications


Categories: Linux

Update Feb 2023: enumerating the secure protocols and ciphers of a remote site can be done more efficiently by nmap, as described in my other article here.

While enabling HTTPS is a important step in securing your web application, it is critical that you take steps to disable legacy protocols and low strength ciphers that can circumvent the very security you are attempting to implement.

As long as you have the latest version of openssl then you should be able to use a bash script like below (credit for this script goes here) to enumerate every matching protocol and cipher that a server is exposing.

#!/bin/bash

serverport=$1
echo testing against $serverport

for v in ssl3 tls1 tls1_1 tls1_2; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect $serverport \
    -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
  done
done

You would execute the script something like:

chmod 755 checkciphers.sh
.\checkciphers.sh 127.0.01:443

If you want to see all the ciphers being considered, then run the following:

openssl version
openssl ciphers -v

Now that you have a complete matching list of the protocols/ciphers, now you will need to determine which protocols (e.g. sslv3) and low-strength ciphers (e.g. RC4) you want to disable.  You can start research here, here, here, and here.

And realize that hardening a service goes beyond just TLS protocols and ciphers and expands into DHE key size, HTTP headers for strict transport security, secure cookies, and compression.  You can start research here.

Qualys SSL Labs online tester is the most common way of validating the overall score of your publicly exposed service.

 

 

REFERENCES

http://securityevaluators.com/knowledge/blog/20151102-openssl_and_ciphers/

https://www.madboa.com/geek/openssl/#how-do-i-find-out-what-openssl-version-i-m-running

https://www.ssllabs.com/ssltest/

http://blog.rlove.org/2013/12/strong-ssl-crypto.html

https://securityevaluators.com/knowledge/blog/20150119-protocols/

http://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/

http://security.stackexchange.com/questions/70733/how-do-i-use-openssl-s-client-to-test-for-absence-of-sslv3-support

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

NOTES

Faster way is via nmap and ssl-enum-ciphers script, doc

sudo apt install nmap -y
wget http://nmap.org/svn/scripts/ssl-enum-ciphers.nse
nmap --script ssl-enum-ciphers -p 443 <FQDN>