Developer notes, on programming, linux, and a developer's day to day life
The most common implementation of SSL is OpenSSL. This document will try to explain a few SSL concepts and show useful commands to test and troubleshoot SSL connections.
A cipher in SSL has a name. A typical name is ECDHE-RSA-AES256-GCM-SHA384. The name is consisted of parts, that in order signify the following:
So for the sample cipher one can deduce that:
Lists ciphers supported by OpenSSL:
$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384...
Protocols define how an encrypted connectio is initiated. Typically, one would find the following protocols:
Not all protocols support all ciphers. By requesting a ciphers verbose output, the protocols are printed as well:
$yannis@ouranos:~$ openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
...
$ openssl s_client -connect host:port {protocol} {cipher}
| {protocol}:= [-ssl2 | -ssl3 | -tls1 | -tls1_1 | -tls1_2] |
To probe a server for accepted protocols and ciphers, the Nmap tool has a really nifty script/command to do so:
nmap --script ssl-enum-ciphers