List the Supported TLS Cipher Suites on a Host

• Summary
• The Script - get_cipher_suites.sh
  • Cipher Suite Naming Conventions
  • Caveats

Summary

I was recently assigned the task of configuring TLS cipher suite settings on a number of hosts (servers and other devices). Whilst making the configuration changes I required a means of testing which cipher suites were enabled. I needed to be able to quickly and easily repeat the tests until I found the right configuration to achieve the desired outcome, therefore I sought a technique that was relatively performant.

This post details a script I wrote to accomplish the objective.

NB: The script featured in this post is not a substitute for a vulnerability testing and/or compliance checking tool. If you are embarking on a similar endeavour to me, I would suggest running Qualys SSL Labs, Nessus or some such tool against each host once you have finished making your configuration changes.

The Script - get_cipher_suites.sh

get_cipher_suites.sh is a Bash script which can be found here along with usage instructions.

It interrogates a specified target (URL, hostname, IP, etc) and determines which SSL/TLS cipher suites are supported using the OpenSSL command line binary.

Version 0.1.0 has been tested on Ubuntu 16.04.5 LTS, Debian 9.8 and the Windows Subsystem for Linux (Ubuntu 16.04.5 LTS).

Cipher Suite Naming Conventions

Multiple conventions exist for cipher suite naming. Results produced by this script include OpenSSL and IANA nomenclature:

• OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Behind the scenes, this script uses the OpenSSL CLI binary.
• The IANA (Internet Assigned Numbers Authority) maintain the official TLS cipher suites registry. If a cipher suite is approved by experts at the IETF (Internet Engineering Task Force) then the IANA add it to the registry. The name recorded by the IANA resides in the Description field of the registry.

In order to ascertain the IANA cipher suite description of each supported cipher suite for a given target, the script calls convert_ossl_cipher_suite_name_to_iana.sh. Every officially recognised cipher suite has a unique two-byte value assigned. convert_ossl_cipher_suite_name_to_iana.sh takes an openssl formatted cipher suite name, obtains its unique value, performs a lookup against the IANA’s official TLS cipher suites registry (which it downloads as a CSV file) and returns the corresponding IANA description.

convert_ossl_cipher_suite_name_to_iana.sh can be used as a standalone script, EG:

convert_ossl_cipher_suite_name_to_iana.sh -o <openssl_cipher_suite_name> -f <iana_cipher_suite_registry_csv>

Caveats

• The order in which cipher suites are listed in the results is of no significance, it does NOT relate to the host’s preference order.
• As mentioned, this script uses the OpenSSL command line binary. Periodically OpenSSL adds support for new versions of the TLS protocol and removes support for older versions. It is therefore possible for a situation to arise where a target supports a version (or versions) of TLS that the openssl binary does not, in which case such version(s) cannot be inspected by the script.