List the Supported TLS Cipher Suites on a Host


I was recently assigned the task of configuring TLS cipher suite settings on a number of hosts (servers and other devices). Whilst making the configuration changes I required a means of testing which cipher suites were enabled. I needed to be able to quickly and easily repeat the tests until I found the right configuration to achieve the desired outcome, so I sought a technique that was relatively performant.

This post details a script I wrote to accomplish the objective.

NB: The script featured in this post is not a substitute for a vulnerability testing and/or compliance checking tool. If you are embarking on an endeavour similar to mine, I would suggest running Qualys SSL Labs, Nessus or some such tool against each host once you have finished making your configuration changes.

The Script - is a Bash script which can be downloaded here together with full instructions.

It interrogates a specified target (URL, hostname, IP, etc.) and uses the OpenSSL command line binary to determine which SSL/TLS cipher suites are supported.

Version 0.1.0 has been tested on Ubuntu 16.04.5 LTS, Debian 9.8 and the Windows Subsystem for Linux (Ubuntu 16.04.5 LTS).

Cipher Suite Naming Conventions

Multiple conventions exist for cipher suite naming. Results produced by this script include OpenSSL and IANA nomenclature:

In order to ascertain the IANA cipher suite description of each supported cipher suite for a given target, the script calls a companion script. Every officially recognised cipher suite has a unique two-byte value assigned. The companion script takes an OpenSSL-formatted cipher suite name, obtains its unique value, performs a lookup against the IANA's official TLS cipher suites registry (which it downloads as a CSV file) and returns the corresponding IANA description. It can also be used as a standalone script, e.g. with the arguments: -o <openssl_cipher_suite_name> -f <iana_cipher_suite_registry_csv>
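The name-to-value-to-description lookup described above, as an added example that is not the post's own script. The function names are hypothetical, and the two samples are constructed excerpts in the formats of `openssl ciphers -V` output and the IANA registry CSV, so the block runs offline.

```shell
#!/bin/sh
# Added example (not the post's script): OpenSSL cipher name -> IANA description.

# Constructed sample in the format printed by `openssl ciphers -V`.
SAMPLE_CIPHERS_V='  0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
  0x00,0x9C - AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
  0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD'

# Constructed excerpt laid out like the IANA TLS cipher suites registry CSV.
SAMPLE_IANA_CSV='Value,Description,DTLS-OK,Recommended,Reference
"0x00,0x9C",TLS_RSA_WITH_AES_128_GCM_SHA256,Y,N,[RFC5288]
"0x13,0x01",TLS_AES_128_GCM_SHA256,Y,Y,[RFC8446]
"0xC0,0x2F",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,Y,[RFC5289]'

# cipher_value NAME LISTING: print the two-byte value for an OpenSSL name.
cipher_value() {
    printf '%s\n' "$2" |
        awk -v name="$1" '$2 == "-" && $3 == name { print $1; exit }'
}

# iana_description VALUE CSV: print the registry description for a value.
# The value field is quoted because it contains a comma, so split on quotes.
iana_description() {
    printf '%s\n' "$2" |
        awk -F'"' -v val="$1" 'toupper($2) == toupper(val) {
            split($3, col, ","); print col[2]; exit }'
}

# openssl_to_iana NAME LISTING CSV: full lookup; non-zero status on any miss.
openssl_to_iana() (
    value=$(cipher_value "$1" "$2")
    [ -n "$value" ] || { echo "no value for cipher: $1" >&2; exit 1; }
    desc=$(iana_description "$value" "$3")
    [ -n "$desc" ] || { echo "value $value not in registry" >&2; exit 1; }
    printf '%s %s\n' "$value" "$desc"
)

# Demo on the samples. On a live host pass "$(openssl ciphers -V ALL)" and the
# contents of the downloaded registry CSV instead.
for name in ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 TLS_AES_128_GCM_SHA256; do
    openssl_to_iana "$name" "$SAMPLE_CIPHERS_V" "$SAMPLE_IANA_CSV"
done
```

The registry also contains range and "Unassigned" rows; the exact-match comparison skips them, so a cipher whose value falls only in such a row is reported as a miss.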




Copyright © 2018 - 2022
For details, see Licences and Copyright