14 July 2011

Testing an SSL-enabled service for cipher strength

Vulnerability scans sometimes find that an SSL-enabled service allows clients to connect using ciphers whose key lengths are shorter than 128 bits. Most services have configuration directives to disable these connections. Here's how to test a service for key length yourself (without running a new Nessus scan, or whatever).

openssl ciphers -v

This lists the ciphers the openssl client can use, and the output shows each one's key length. openssl's s_client command takes a -cipher argument that specifies which cipher(s) to offer. So after reconfiguring the server, run the following two commands (the first should fail, and the second should succeed):

openssl s_client -ign_eof -connect target:port -cipher RC4-MD5

openssl s_client -ign_eof -connect target:port -cipher DHE-RSA-AES256-SHA

(You should replace target:port with something like www.example.com:443.)
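The two steps above can be chained so that every suite below the 128-bit threshold is probed, not just RC4-MD5. This is an added example, not code from the original post: the SAMPLE_CIPHERS lines are constructed to resemble "openssl ciphers -v" output so the parsing can be checked offline, and the function names weak_ciphers and probe_ciphers are mine.

```shell
#!/bin/sh
# Added example (not code from the original post). The sample lines below are
# constructed to look like "openssl ciphers -v" output so the parser can be
# checked offline; in practice feed it the real command's output (see bottom).
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1'

# weak_ciphers [MIN_BITS]: read "openssl ciphers -v" lines on stdin and print the
# names of suites whose Enc=ALG(bits) field is below MIN_BITS (default 128).
# "Enc=None" (no encryption at all) carries no bit count and counts as 0 bits.
weak_ciphers() {
    awk -v min="${1:-128}" '
        {
            bits = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Enc=.*\(/) {      # e.g. Enc=RC4(40) -> 40
                    bits = $i
                    sub(/^Enc=[^(]*\(/, "", bits)
                    sub(/\).*$/, "", bits)
                }
            }
            if (bits + 0 < min) print $1
        }'
}

# probe_ciphers HOST:PORT: for each suite name on stdin, try to negotiate it with
# the server (needs network access). A correctly configured server should reject
# every suite that weak_ciphers lists.
probe_ciphers() {
    target="$1"
    while read -r name; do
        # -tls1_2 stops OpenSSL 1.1.1+ from negotiating a TLS 1.3 suite instead of
        # the one under test; drop it for servers that only speak SSLv3/TLS 1.0,
        # otherwise every suite shows as rejected.
        if openssl s_client -connect "$target" -cipher "$name" -tls1_2 </dev/null 2>/dev/null \
               | grep -q "Cipher is $name"; then
            echo "ACCEPTED $name   <- server still allows a weak suite"
        else
            echo "rejected $name"
        fi
    done
}

# Usage: sh cipher_check.sh www.example.com:443
if [ -n "$1" ]; then
    openssl ciphers -v 'ALL:eNULL' | weak_ciphers | probe_ciphers "$1"
fi
```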