I run into a problem of how to check whether my SSL ciphers suites configuration works correctly on my server.
Basically, with openssl, client can verify if the server supports a particular cipher suite using the following command:
openssl s_client -cipher "$cipher" -CAfile ca/ca.crt -connect server:port
# $cipher is the cipher suite name
So it is possible to automatically test all cipher suites supported by openssl against the server using a simple snippet of Bash, i found such script in this site https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers and modify it a little bit. Below is the script:
#!/usr/bin/env bash
# OpenSSL requires the port number.
SERVER=$1
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo Obtaining cipher list from $(openssl version).
for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ ":error:" ]] ; then
error=$(echo -n $result | cut -d':' -f6)
echo NO \($error\)
else
if echo $result | grep -q "Verify return code: 0 (ok)"; then
echo YES
else
echo UNKNOWN RESPONSE
echo $result
fi
fi
sleep $DELAY
done