As Steffen Ullrich has mentioned, you can pass a list of ciphers to the -cipher option of s_client. This is not a single item, but a specification, and it can also be used for the nginx ssl_ciphers option or the Apache SSLCipherSuite option. You can pass multiple ciphers using a space, comma or colon separator. Example:

    openssl s_client -cipher ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384 \

The above list specifies two specific ciphers. Here is an example of a cipher list specification that requires authenticated ephemeral ECDH key agreement (ECDH), RSA for authentication (aRSA) and only cipher suites that are considered "high" encryption (HIGH). The + operator combines the three keywords with a logical AND:

    openssl s_client -cipher ECDH+aRSA+HIGH -connect :443

What does this expand to? The openssl ciphers command can be used for this purpose:

    $ openssl ciphers ECDH+aRSA+HIGH
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA

Or more verbosely:

    $ openssl ciphers -v ECDH+aRSA+HIGH
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
    ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
    ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1

For more information, read the ciphers manual page.

The command to test a server with TLSv1.3 specifically is:

    echo | openssl s_client -tls1_3 -connect :443

Append the -showcerts option to see the entire certificate chain that is sent. Here is a one-liner to get the entire chain in a file.
    openssl s_client -showcerts -connect puppetdb.internal:32782
    Verify error:num=20:unable to get local issuer certificate
    Verify error:num=21:unable to verify the first certificate
    139832684724288:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1407:SSL alert number 42
    Client Certificate Types: RSA sign, DSA sign, ECDSA sign
    SSL handshake has read 2372 bytes and written 378 bytes
    Verification error: unable to verify the first certificate