List the Supported TLS Cipher Suites on a Host

Summary

I was recently assigned the task of configuring TLS cipher suite settings on a number of hosts (servers and other devices). Whilst making the configuration changes I required a means of testing which cipher suites were enabled. I needed to be able to quickly and easily repeat the tests until I found the right configuration to achieve the desired outcome, therefore I sought a technique that was relatively performant.

This post details a script I wrote to accomplish the objective.

NB: The script featured in this post is not a substitute for a vulnerability testing and/or compliance checking tool. If you are embarking on a similar endeavour to me, I would suggest running Qualys SSL Labs, Nessus or some such tool against each host once you have finished making your configuration changes.

The Script - get_cipher_suites.sh

get_cipher_suites.sh is a Bash script which can be downloaded here together with full instructions.

It interrogates a specified target (URL, hostname, IP, etc) and determines which SSL/TLS cipher suites are supported using the OpenSSL command line binary.

Version 0.1.0 has been tested on Ubuntu 16.04.5 LTS, Debian 9.8 and the Windows Subsystem for Linux (Ubuntu 16.04.5 LTS).

Cipher Suite Naming Conventions

Multiple conventions exist for cipher suite naming. Results produced by this script include OpenSSL and IANA nomenclature:

In order to ascertain the IANA cipher suite description of each supported cipher suite for a given target, the script calls convert_ossl_cipher_suite_name_to_iana.sh. Every officially recognised cipher suite has a unique two-byte value assigned. convert_ossl_cipher_suite_name_to_iana.sh takes an openssl formatted cipher suite name, obtains its unique value, performs a lookup against the IANA’s official TLS cipher suites registry (which it downloads as a CSV file) and returns the corresponding IANA description.

convert_ossl_cipher_suite_name_to_iana.sh can be used as a standalone script, EG:

convert_ossl_cipher_suite_name_to_iana.sh -o <openssl_cipher_suite_name> -f <iana_cipher_suite_registry_csv>

Caveats

0 Comments

Post a comment

All comments are held for moderation.
Your email address will not be published. Required fields are marked *

Identification
Email
Name *
Website

Copyright © 2018 - 2020 thecliguy.co.uk
For details, see Licences and Copyright