How to check which ciphersuites are supported and which ciphersuites are enabled on httpd?
Environment
- Red Hat Enterprise Linux
- httpd
- mod_ssl
Issue
- How to check which ciphersuites are supported on httpd?
- How to check which ciphersuites are enabled on httpd?
Resolution
How to check which ciphersuites are supported on httpd?
- The following command is useful to confirm which Ciphers are supported.
$ openssl ciphers -v '<SSLCiphers>'
- For example, if you have following SSLCiphers directive in ssl.conf:
$ SSLCipherSuite ALL:!NULL:!ADH:!EXP:!LOW:!SSLv2
- Then, you can check as follow:
$ openssl ciphers -v 'ALL:!NULL:!ADH:!EXP:!LOW:!SSLv2'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
..............
How to check which ciphersuites are enabled on httpd?
- The cipherscan tool is useful to confirm which Ciphers are enabled.
- Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations, TLS options, OCSP stapling and more.
- For example,
$ ./cipherscan localhost:443
..............
Target: localhost:443
prio ciphersuite protocols pfs curves
1 AECDH-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None ECDH,P-256,256bits prime256v1 server
2 ADH-AES256-GCM-SHA384 TLSv1.2 0 None True 300 False None DH,1024bits None server
3 ADH-AES256-SHA256 TLSv1.2 0 None True 300 False None DH,1024bits None server
4 ADH-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None DH,1024bits None server
5 ADH-CAMELLIA256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None DH,1024bits None server
6 AECDH-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None ECDH,P-256,256bits prime256v1 server
7 ADH-AES128-GCM-SHA256 TLSv1.2 0 None True 300 False None DH,1024bits None server
8 ADH-AES128-SHA256 TLSv1.2 0 None True 300 False None DH,1024bits None server
9 ADH-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None DH,1024bits None server
10 ADH-SEED-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None DH,1024bits None server
11 ADH-CAMELLIA128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None DH,1024bits None server
12 AECDH-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None ECDH,P-256,256bits prime256v1 server
13 ADH-RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None DH,1024bits None server
14 AECDH-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None ECDH,P-256,256bits prime256v1 server
15 ADH-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None DH,1024bits None server
16 ADH-DES-CBC-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None DH,1024bits None server
17 EXP-ADH-DES-CBC-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None DH,1024bits None server
18 EXP-ADH-RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False None DH,1024bits None server
19 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 1024 sha1WithRSAEncryption False 300 False None ECDH,P-256,256bits prime256v1 server
20 ECDHE-RSA-AES256-SHA384 TLSv1.2 1024 sha1WithRSAEncryption False 300 False None ECDH,P-256,256bits prime256v1 server
21 ECDHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 1024 sha1WithRSAEncryption False 300 False None ECDH,P-256,256bits prime256v1 server
22 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 1024 sha1WithRSAEncryption False 300 False None DH,1024bits None server
23 DHE-RSA-AES256-SHA256 TLSv1.2 1024 sha1WithRSAEncryption False 300 False None DH,1024bits None server
24 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 1024 sha1WithRSAEncryption False 300 False None DH,1024bits None server
..............
- If you want to confirm these ciphers actually works as expected, you can confirm following
$ openssl s_client -connect localhost:443 -cipher DHE-RSA-AES256-SHA
CONNECTED(00000003)
..............
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA
..............
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments