
Aside from using the openSSL command line to check that the server does not support the ciphers

# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP

source:https://conetrix.com/Blog/disabling-and-verifying-sslv2-and-weak-ciphers-in-iis

I was wondering if there are other ways to really make sure that the ciphers, if disabled, are no longer used by the server?

mopkaloppt
    Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Sep 16 '16 at 14:51
  • Try `-cipher 'HIGH:!aNULL:!MD5:!RC4'`. The single quotes are needed to ensure the bang is not interpreted by the shell. Also see tools like [SSL-Scan](https://github.com/rbsec/sslscan), and SSL Lab's scanner at [ssllabs-scan](https://github.com/ssllabs/ssllabs-scan). – jww Sep 16 '16 at 14:55

1 Answer


Another way is using Nmap (you might have to install it). It is a utility for network discovery and security auditing.

Nmap (I've tried v5.51) comes with a set of NSE scripts designed to automate a wide variety of networking tasks.

One of them is the script `ssl-enum-ciphers`. Basically it does the same thing you described: it tries to open connections to the server using different ciphers and creates a report based on the server's response (accept / reject connection).

A sample run could be: `nmap --script ssl-enum-ciphers -p${PORT} ${HOST}`.

For more info type: `nmap --help`.

CristiFati
  • Thank you for your answer CristiFati :) – mopkaloppt Sep 16 '16 at 09:37
  • It did. Also it seems like it gives a more accurate result compared to the openSSL command I posted above. By that I mean when I try switching over from one cipher suite to another, nmap would know and show exactly the name of the cipher being used, whereas openSSL did not show the exact cipher I'm using. Most of the time it also didn't show the correct strength level of the cipher suites either. – mopkaloppt Sep 19 '16 at 02:56
  • Then, please mark it as answer (so the question is closed/solved). – CristiFati Sep 19 '16 at 09:05
  • One note: I find the way _OpenSSL_ deals with ciphers a little bit odd (or it could be because I'm missing something)... for example, according to [`SSL_CTX_set_cipher_list`](https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_cipher_list.html): _`SSL_CTX_set_cipher_list()` and `SSL_set_cipher_list()` return 1 if **any** cipher could be selected and 0 on complete failure._ I couldn't find a way to retrieve which cipher is selected. – CristiFati Sep 19 '16 at 09:24
  • Hey, yea, I haven't gone that far into trying the example you're talking about. But I've also noticed that openSSL doesn't tell you exactly which cipher is selected. For the deployed device I'm working on testing the weak ciphers, there can be multiple cipher suites enabled at the same time, but the device would choose, by default, the first cipher in the ciphers list to be used, then it moves on to others down the list one by one. OpenSSL, I guess, would only check if the enabled ciphers are supported by the server and thus could be selected. Anyways, I marked your answer already :) – mopkaloppt Sep 20 '16 at 03:03
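The check both tools perform (offer one suite at a time, record what the server actually agreed to) can be automated so that the verdict does not depend on reading handshake output by eye. The following is an added worked example, not code from the question, the answer, OpenSSL or Nmap: it drives `openssl s_client` one suite at a time and reads the negotiated suite from the `New, <proto>, Cipher is <name>` summary line that `s_client` prints (the line reads `New, (NONE), Cipher is (NONE)` when the handshake is refused), and it parses a report from Nmap's `ssl-enum-ciphers` script to flag weak suites the server still accepted. The two sample outputs embedded below are constructed for the offline self-check (the Nmap one is modelled on the 7.x output layout, not the 5.51 layout mentioned in the answer), and the list of "weak" name tokens is a policy choice of this example, not something either tool defines.

```python
"""Verify that disabled TLS cipher suites really are refused by a server.

Added example (not from the original Q&A). Two complementary checks:
  1. drive `openssl s_client` one suite at a time and read the *negotiated*
     suite from its handshake summary instead of trusting the exit code;
  2. parse the report of nmap's ssl-enum-ciphers script and flag weak suites
     the server still accepted.
"""
import re
import subprocess
import sys

# Constructed sample: the part of `openssl s_client` output this parser reads
# after a successful handshake.
SAMPLE_S_CLIENT_OK = """\
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
"""

# Constructed sample of a refused handshake: the summary line is still
# printed, but both fields read (NONE).
SAMPLE_S_CLIENT_FAIL = """\
140735284031296:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
"""

# Constructed sample modelled on `nmap --script ssl-enum-ciphers` (7.x layout).
SAMPLE_NMAP = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
"""

# Name tokens that mark a suite as weak in this example's policy. Both the
# OpenSSL (DES-CBC3-SHA) and IANA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) spellings
# split into tokens on '-' or '_', so one token set covers both.
WEAK_TOKENS = {"NULL", "EXP", "EXPORT", "EXPORT1024", "RC4", "RC2",
               "DES", "3DES", "MD5", "ANON", "ADH", "AECDH"}

S_CLIENT_SUMMARY = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>\S+)", re.M)
NMAP_PROTO = re.compile(r"^\|\s+(?P<proto>(SSLv|TLSv)[\d.]+):\s*$")
NMAP_SUITE = re.compile(r"^\|\s+(?P<suite>(TLS|SSL)_[A-Z0-9_]+)\b")


def is_weak(suite):
    """True if any token of the suite name is on the weak list."""
    tokens = {t.upper() for t in re.split(r"[_-]", suite)}
    return bool(tokens & WEAK_TOKENS)


def negotiated_cipher(s_client_output):
    """Return (protocol, cipher) agreed in an s_client run, or None if refused."""
    m = S_CLIENT_SUMMARY.search(s_client_output)
    if not m or m.group("cipher") == "(NONE)":
        return None
    return m.group("proto"), m.group("cipher")


def accepted_suites(nmap_output):
    """Map protocol version -> suite names accepted, from ssl-enum-ciphers output."""
    result, proto = {}, None
    for line in nmap_output.splitlines():
        m = NMAP_PROTO.match(line)
        if m:
            proto = m.group("proto")
            result.setdefault(proto, [])
            continue
        m = NMAP_SUITE.match(line)
        if m and proto:
            result[proto].append(m.group("suite"))
    return result


def weak_suites_accepted(nmap_output):
    """Sorted (protocol, suite) pairs the server accepted that the policy calls weak."""
    return sorted((p, s) for p, suites in accepted_suites(nmap_output).items()
                  for s in suites if is_weak(s))


def probe_cipher(host, port, cipher, timeout=10):
    """Live check: offer one cipher (or cipher-list string) via openssl s_client.

    With OpenSSL 1.1.1+ add "-tls1_2" (or lower) to the command, otherwise the
    client may negotiate TLS 1.3, whose suites -cipher does not control, and the
    weak suite would look accepted when it was never offered.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", cipher]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    return negotiated_cipher(proc.stdout + proc.stderr)  # summary is on stdout, alerts on stderr


def enumerate_ciphers(host, port, cipher_list="ALL:COMPLEMENTOFALL"):
    """Offer every suite the local OpenSSL knows, one at a time; report the accepted ones."""
    names = subprocess.run(["openssl", "ciphers", cipher_list], capture_output=True,
                           text=True, check=True).stdout.strip().split(":")
    accepted = []
    for name in names:
        hit = probe_cipher(host, port, name)
        if hit:
            accepted.append((hit[0], hit[1], "WEAK" if is_weak(hit[1]) else "ok"))
    return accepted


if __name__ == "__main__":
    if len(sys.argv) >= 2:  # python3 verify_ciphers.py HOST [PORT]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for proto, suite, verdict in enumerate_ciphers(sys.argv[1], port):
            print(f"{proto:8} {suite:40} {verdict}")
    else:  # offline self-check on the constructed samples
        print(negotiated_cipher(SAMPLE_S_CLIENT_OK), negotiated_cipher(SAMPLE_S_CLIENT_FAIL))
        print(weak_suites_accepted(SAMPLE_NMAP))
```

Run with a host argument to enumerate a live server; with none it only exercises the parsers on the constructed samples. Two caveats when using it for real: the local `openssl ciphers` list is what bounds the test, and a modern OpenSSL build will not even offer LOW/EXPORT suites at its default security level (so "not accepted" may mean "never offered"; pair the run with the Nmap report, which carries its own suite table), and the `-tls1_2` point in `probe_cipher` matters on any client newer than the 2016-era builds discussed above.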