3

How can I obtain a list of ciphers supported by a remote server via a Java JSSE environment?

I want to get a list of weak ciphers supported by the remote server, so that they can be fixed.

I am using SSLSocket, which has a method called getSupportedCipherSuites, but this method returns ciphers that are supported by the client, not a remote server.

Chris W.
superzoom

2 Answers

2

You can't get a list of the supported cipher suites, but you can get the server's enabled weak cipher suites, as follows:

  1. Enable all the weak cipher suites at your client, and none of the strong ones.
  2. Have your client connect and call startHandshake().
  3. If that succeeds, the server has chosen a weak cipher suite, which you can get from the SSLSession. Remove that from the enabled cipher suites and repeat.

All the handshakes at (2) which succeed indicate that the corresponding weak cipher suite is enabled at the server. If there are zero, good. Otherwise print out the succeeding cipher suites and act accordingly.

user207421
  • There is a very blurry line between good and bad; can you provide me with a list of not allowed or bad ciphers, please? – superzoom Mar 21 '12 at 15:43
  • @superzoom There isn't a 'blur line' at all. The set of weak cipher suites is completely defined: it is the cipher suites that are supported but not enabled by default. You can get both sets from the SSLSocket and therefore you can form the difference set, which is the set of weak ciphers. – user207421 Mar 23 '12 at 06:00
  • @superzoom And if you think there is a 'blurry line' what exactly is your question about? – user207421 Nov 29 '19 at 19:48
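
The loop from this answer, written out as an added example (not code from the answer's author). It takes "weak" to mean supported but not enabled by default, as defined in the comment above, and assumes the server certificate validates against the default trust store; the class name `WeakSuiteProbe` and the 5-second timeout are choices made for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class WeakSuiteProbe {  // hypothetical name, not from the page

    // Returns the weak suites the server agreed to, in the order it chose them.
    static List<String> probe(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Step 1: candidates = supported by this JSSE minus enabled by default.
        Set<String> candidates =
                new LinkedHashSet<>(Arrays.asList(factory.getSupportedCipherSuites()));
        candidates.removeAll(Arrays.asList(factory.getDefaultCipherSuites()));

        List<String> accepted = new ArrayList<>();
        while (!candidates.isEmpty()) {
            // Connection errors propagate: an unreachable host is not "no weak suites".
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setSoTimeout(5000);
                socket.setEnabledCipherSuites(candidates.toArray(new String[0]));
                try {
                    socket.startHandshake();              // step 2
                } catch (IOException e) {
                    break;  // no remaining candidate was accepted (or cert untrusted)
                }
                String chosen = socket.getSession().getCipherSuite();  // step 3
                if (!candidates.remove(chosen)) {
                    break;  // guard against looping on an unexpected suite name
                }
                accepted.add(chosen);
            }
        }
        return accepted;
    }

    public static void main(String[] args) throws IOException {
        List<String> weak = probe(args[0], Integer.parseInt(args[1]));
        if (weak.isEmpty()) {
            System.out.println("No weak cipher suite was negotiated.");
        } else {
            weak.forEach(s -> System.out.println("Server accepts weak suite: " + s));
        }
    }
}
```

The probe can only offer suites the local JDK still implements and permits (the `jdk.tls.disabledAlgorithms` security property restricts them), so an empty result on a recent JDK may reflect the client's limits rather than the server's configuration.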
-2

You can try gnutls-cli

Peter Penzov