This is my public notebook.
Recently, while helping a friend who was facing problems using a government API between the test and production environments, I suspected that the issue was related to the SSL/TLS version enabled on each site. Here are some handy scripts for checking that setting on remote sites.
nmap --script ssl-enum-ciphers -p 443 nmz.me
And here’s the output:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-16 17:51 -03
Nmap scan report for nmz.me (104.27.148.109)
Host is up (0.28s latency).
Other addresses for nmz.me (not scanned): 172.67.199.116 104.27.149.109 2606:4700:3034::681b:956d 2606:4700:3036::681b:946d 2606:4700:3036::ac43:c774
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-draft (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
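When the question is "which TLS versions does the test host enable that production does not", the nmap output above is what ends up being compared by eye. The following is an added example, not code from the post: it parses ssl-enum-ciphers output into versions and cipher suites, flags deprecated protocol versions, and reports versions enabled on only one side. PROD is abridged from the nmz.me scan above; TEST is a constructed sample for a hypothetical host that only speaks TLS 1.2.

```python
import re

# Abridged from the nmz.me scan above, standing in for the production host.
PROD = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|_  least strength: A
"""
# Constructed output for a hypothetical test host that only speaks TLS 1.2.
TEST = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|_  least strength: A
"""
VERSION_RE = re.compile(r"^(SSLv\d|TLSv1\.\d):$")
CIPHER_RE = re.compile(r"^(TLS_\S+)")
LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # deprecated protocol versions

def parse_enum_ciphers(output: str) -> dict:
    """Map each protocol version nmap lists to the cipher suites it accepted."""
    versions, current = {}, None
    for raw in output.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop nmap's "|" / "|_" gutter and indent
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            versions[current] = set()
        elif current and CIPHER_RE.match(line):  # only TLS_* lines are suites
            versions[current].add(CIPHER_RE.match(line).group(1))
    return versions

def legacy_versions(versions: dict) -> list:
    """Enabled protocol versions that modern clients and policies usually reject."""
    return sorted(v for v in versions if v in LEGACY)

def compare_environments(a: dict, b: dict) -> dict:
    """Versions enabled on only one side: the mismatch that makes a client
    work against one environment and fail against the other."""
    return {v: ("first only" if v in a else "second only")
            for v in sorted(set(a) ^ set(b))}
```

Run it on the real output by saving each host's scan to a file and passing the text to parse_enum_ciphers.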
Here’s another handy script in case you don’t have nmap installed (found on StackOverflow).
#!/usr/bin/env bash
# Usage: ./show_ssl_ciphers.sh host:port
# OpenSSL requires the port number in the -connect argument.
if [[ $# -ne 1 ]]; then
    echo "Usage: $0 host:port" >&2
    exit 1
fi
SERVER=$1
DELAY=1
# Split OpenSSL's colon-separated cipher list into a proper bash array.
IFS=':' read -r -a ciphers <<< "$(openssl ciphers 'ALL:eNULL')"
echo "Obtaining cipher list from $(openssl version)."
for cipher in "${ciphers[@]}"; do
    echo -n "Testing $cipher..."
    # TLS 1.3 suites (TLS_*) are selected with -ciphersuites, not -cipher;
    # passing them to -cipher fails with SSL_CTX_set_cipher_list.
    if [[ "$cipher" == TLS_* ]]; then
        result=$(echo -n | openssl s_client -tls1_3 -ciphersuites "$cipher" -connect "$SERVER" 2>&1)
    else
        result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$SERVER" 2>&1)
    fi
    if [[ "$result" =~ ":error:" ]]; then
        # Field 6 of the first OpenSSL error line is the human-readable reason.
        error=$(grep -m1 ':error:' <<< "$result" | cut -d':' -f6)
        echo "NO ($error)"
    elif [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher :" ]]; then
        echo YES
    else
        echo "UNKNOWN RESPONSE"
        echo "$result"
    fi
    sleep "$DELAY"
done
And this is the sample output:
➜ scripts git:(master) ✗ ./show_ssl_ciphers.sh wsaahomo.afip.gov.ar:443
Obtaining cipher list from OpenSSL 1.1.1f 31 Mar 2020.
Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list)
Testing TLS_CHACHA20_POLY1305_SHA256...NO (SSL_CTX_set_cipher_list)
Testing TLS_AES_128_GCM_SHA256...NO (SSL_CTX_set_cipher_list)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-GCM-SHA384...YES
Testing DHE-DSS-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-GCM-SHA384...NO (141A318A)
Testing ECDHE-ECDSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-CCM...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-CCM...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-DSS-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ADH-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-GCM-SHA256...YES
Testing DHE-DSS-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-GCM-SHA256...NO (141A318A)
Testing ECDHE-ECDSA-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-CCM...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-CCM...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-SHA384...YES
Testing DHE-RSA-AES256-SHA256...NO (141A318A)
Testing DHE-DSS-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA256...YES
Testing DHE-RSA-AES128-SHA256...NO (141A318A)
Testing DHE-DSS-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-SHA...YES
Testing DHE-RSA-AES256-SHA...NO (141A318A)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA...YES
Testing DHE-RSA-AES128-SHA...NO (141A318A)
Testing DHE-DSS-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-SEED-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CCM...NO (sslv3 alert handshake failure)
Testing RSA-PSK-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing AES256-GCM-SHA384...YES
Testing AES256-CCM8...NO (sslv3 alert handshake failure)
Testing AES256-CCM...NO (sslv3 alert handshake failure)
Testing ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CCM...NO (sslv3 alert handshake failure)
Testing PSK-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CCM...NO (sslv3 alert handshake failure)
Testing RSA-PSK-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-GCM-SHA256...YES
Testing AES128-CCM8...NO (sslv3 alert handshake failure)
Testing AES128-CCM...NO (sslv3 alert handshake failure)
Testing ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CCM...NO (sslv3 alert handshake failure)
Testing PSK-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing AES256-SHA256...YES
Testing CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-SHA256...YES
Testing CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-DSS-AES-256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-RSA-AES-256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-AES-256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing AES256-SHA...YES
Testing CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-DSS-AES-128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-RSA-AES-128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-AES-128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing RSA-PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-SHA...YES
Testing SEED-SHA...NO (sslv3 alert handshake failure)
Testing CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-NULL-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing RSA-PSK-NULL-SHA...NO (sslv3 alert handshake failure)
Testing DHE-PSK-NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-MD5...NO (sslv3 alert handshake failure)
Testing PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-NULL-SHA...NO (sslv3 alert handshake failure)