[problem]
You want to be sure that your web site is only serving 128-bit encryption!
[/problem]
[solution]
Use openssl s_client with specific ciphers, as in the example.
[/solution]
[example]
The following script loops over the 40, 56 and 64 bit ciphers to find the lowest one a site allows.
Ideally none of these ciphers should be allowed (check out www.modssl.org for the Apache config and look for SSLCipherSuite).
openssl_cipher_check prints the details of the cipher named in the connection output.
If you need proxy support with s_client, comment on this thread.
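#!/bin/bash
# openssl_cipher_check: report the weakest 40, 56 or 64 bit cipher a site accepts.
[ $# -lt 1 ] && {
    echo "$0: site:port"
    echo "Usage: $0 www.example.com:443"
    exit 0
}

# Cipher lists grouped by key size. The local openssl build must still
# include these ciphers, otherwise s_client cannot offer them to the server.
fortyciphers='EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5'
fiftysixciphers='EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5'
sixtyfourciphers='RC4-64-MD5'

# Attempt a handshake restricted to the given cipher list and send a minimal request.
grabCipher() {
    cipher=$1
    site=$2
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "$site" -cipher "$cipher"
}

site=$1
echo "$site"
echo "$site" | sed 's/./-/g'

for na in forty fiftysix sixtyfour
do
    # Indirect lookup of fortyciphers, fiftysixciphers or sixtyfourciphers.
    eval ciphers="\$${na}ciphers"
    # s_client prints "Cipher is <name>" after the handshake; (NONE) means it failed.
    thiscipher=`grabCipher "$ciphers" "$site" 2>&1 | awk '/Cipher is/ && $NF != "(NONE)" { print $NF }'`
    [ -n "$thiscipher" ] && {
        openssl ciphers -v "$thiscipher"
        exit 0
    }
done
echo "No 40, 56 or 64 bit ciphers supported"
exit 0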
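
The script ends by printing the negotiated cipher with `openssl ciphers -v`, whose `Enc=` field carries the key size. The following is an added example, not part of the original script, that filters such lines for anything under a chosen bit threshold; the function name `weak_ciphers` is an assumption of this example and the sample lines are constructed in the format `openssl ciphers -v` prints.

```shell
#!/bin/sh
# Added example: flag ciphers whose symmetric key is shorter than a threshold,
# using the Enc= column of `openssl ciphers -v` output.

# Constructed sample lines in `openssl ciphers -v` format.
sample_ciphers='EXP-RC4-MD5   SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5 export
DES-CBC-SHA   SSLv3 Kx=RSA      Au=RSA Enc=DES(56)   Mac=SHA1
NULL-SHA      SSLv3 Kx=RSA      Au=RSA Enc=None      Mac=SHA1
DES-CBC3-SHA  SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA    SSLv3 Kx=RSA      Au=RSA Enc=AES(128)  Mac=SHA1'

# weak_ciphers [min_bits] (hypothetical helper): read `openssl ciphers -v`
# lines on stdin and print "name bits" for every cipher below min_bits
# (default 128).
weak_ciphers() {
    awk -v min="${1:-128}" '
    {
        bits = -1                         # -1: no Enc= field on this line
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Enc=/) continue   # Kx=RSA(512) also has parentheses
            bits = 0                      # Enc=None (NULL cipher) is 0 bits
            if (match($i, /\([0-9]+\)/))
                bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
        }
        if (bits >= 0 && bits < min + 0) print $1, bits
    }'
}

# Demo on the constructed sample. Against a local build you would run e.g.
#   openssl ciphers -v 'ALL:eNULL' | weak_ciphers 128
printf '%s\n' "$sample_ciphers" | weak_ciphers 128
```

The sizes are the nominal ones openssl reports, so 3DES passes a 128-bit threshold here as 168 bits.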
[/example]
[reference]
[tags]Ciphers, 128 bits, openssl s_client, Unix Coding School[/tags]
- Linux Man Pages – s_client command
- Linux Man Pages – openssl command
- Mark Foster’s cool openssl tips
- Paul Heinlein’s excellent and comprehensive openssl tips
[/reference]