You can find an introduction to SSL on the Mozilla homepage.

serversniff offers an SSL info tool that can be used to identify many things about SSL capabilities remotely. Is something like this also available as a stand-alone tool?

5 Responses to “SSL/TLS Versions and Ciphers”

  1. wnagele Says:

    I’m using openssl cmd-line for this directly. ex: openssl s_client -connect google.com:443

  2. gpoul Says:

    @Wolfgang: The way I understood the protocol, the client will offer capabilities and the server selects the strongest common cipher suite – so the way to know, remotely as a client, which ones the server actually supports would be to repeatedly connect to the servers offering different sets of ciphers.

    I think this was not possible from the command line in openssl, or maybe I missed it :-(

  3. thomas springer Says:

    gnutls and openssl will do as commandline-tools. other tools are available from thc and foundstone (check with your favourite search-engine), but both of them are outdated and won’t support many newer ciphers and protocols.

    and: the server chooses the ciphersuite and protocol, unless your client doesn’t tell the server to use some other cipher. many servers do support 168Bit 3des but will offer you rc4 first, for this is a stream-cipher and therefore faster than blockciphers like aes or 3des. all browsers i know are plain happy to use the first protocol and cipher offered from a server.

    and yes: you have to try out every possible cipher/protocol-combination to check a server for supported protocols. TLS supports the change of cipher during the connect, but this would be quite complicated to code and might be not really reliable.

    cheers,

    tom

  4. gpoul Says:

    @Tom: Thanks for your feedback!

  5. gpoul Says:

    I wrote a little perl script that is actually doing something, but you still need to redirect stderr to /dev/null to get the output I want because for some reason the redirect in the open() call is not working properly.

    Maybe someone figures it out and can help me :-)

    For me this is “good enough” right now: cipherlist
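
Added example, not part of the original post or its comments and not the perl script mentioned above: a stand-alone Python sketch of the approach the thread settles on, connecting once per cipher suite and recording which handshakes the server accepts. The function names are hypothetical, and the candidate list is limited to whatever the local OpenSSL build can offer, so suites missing locally go untested.

```python
import socket
import ssl


def candidate_ciphers():
    """Pre-TLS 1.3 suites the local OpenSSL build/config can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def probe(host, port, cipher, timeout=5.0):
    """Offer exactly one suite; return the negotiated protocol, or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # auditing cipher support, not server identity
    ctx.verify_mode = ssl.CERT_NONE
    # TLS 1.3 suites are not governed by set_ciphers(); cap the version so the
    # handshake can only succeed with the single suite offered here.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher)  # raises SSLError if unknown to local OpenSSL
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:              # covers ssl.SSLError, refusals and timeouts
        return None


def enumerate_ciphers(host, port, candidates=None, probe_fn=probe):
    """Map each accepted suite to the protocol version it negotiated under."""
    if candidates is None:
        candidates = candidate_ciphers()
    accepted = {}
    for name in candidates:
        version = probe_fn(host, port, name)
        if version is not None:
            accepted[name] = version
    return accepted


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name, version in enumerate_ciphers(host, port).items():
        print(f"{version:8} {name}")
```

Run it as a script with a host name and an optional port; each output line is one suite the server accepted when it was the only one offered.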