04. How to Check the SSL/TLS cipher suites (with nmap, ssl-cipher-check.pl, etc.)



nmap - Check the SSL/TLS cipher suites with nmap

# nmap --script=ssl-enum-ciphers -p 443 www.amazon.com

(abbr)
Nmap scan report for www.amazon.com (54.239.26.128)
Host is up (0.16s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
(abbr)
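
The grades at the end of each cipher line are what you act on. The script below is an added example, not part of the original page or of nmap: it parses saved ssl-enum-ciphers text output and lists every cipher graded worse than A, plus the legacy protocol versions offered. The function names, the grade threshold and the legacy-protocol list are assumptions chosen for illustration.

```python
import re

# Trimmed excerpt of the scan output shown above, embedded so this runs offline.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ec 256) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     cipher preference: server
"""

# A protocol header such as "|   TLSv1.0:" and a cipher line ending in "- <grade>".
PROTO_RE = re.compile(r"^\|_?\s+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|_?\s+(\w+)(?: \([^)]*\))? - ([A-F])\s*$")

def parse_ssl_enum_ciphers(text):
    """Return (protocol, cipher, grade) tuples in the order nmap listed them."""
    rows, proto = [], None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and proto:  # ignore cipher-like lines seen before any protocol header
            rows.append((proto, m.group(1), m.group(2)))
    return rows

def audit(text, worst_ok="A", legacy=("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1")):
    """Assumed policy: flag grades worse than worst_ok and any legacy protocol."""
    rows = parse_ssl_enum_ciphers(text)
    weak = [r for r in rows if r[2] > worst_ok]  # grade letters sort A (best) to F
    old = sorted({p for p, _, _ in rows if p in legacy})
    return {"weak": weak, "legacy_protocols": old}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for proto, cipher, grade in report["weak"]:
        print(f"{proto}: {cipher} graded {grade}")
    print("legacy protocols offered:", ", ".join(report["legacy_protocols"]))
```
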

ssl-cipher-check.pl

http://www.unspecific.com/ssl/

$ ssl-cipher-check.pl  www.example.com
(abbr)
   TLSv1.0:DES-CBC3-SHA - ENABLED - STRONG 168 bits
   TLSv1.0:AES128-SHA - ENABLED - STRONG 128 bits
   TLSv1.0:AES256-SHA - ENABLED - STRONG 256 bits

** SSLv3:DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** SSLv3:AES128-SHA - ENABLED - WEAK 128 bits **
** SSLv3:AES256-SHA - ENABLED - WEAK 256 bits **



*WARNING* 3 WEAK Ciphers Enabled.
*WARNING* 3 Ciphers Enabled Vulnerable to POODLE.
Total Ciphers Enabled: 6
Wed Jan 28 20:57:22 2015 FINISHED

TestSSLServer.jar

http://www.bolet.org/TestSSLServer/

$ java -jar TestSSLServer.jar www3.example.com 443


Check your certificate with Web Tools