With the latest security changes regarding TLS version, most of you might be wondering if the ciphers you’re using are valid.
There is a simple command to check that.
Check Ciphers
Run the following command on your local environment, not on the server you want to check
1 |
nmap --script ssl-enum-ciphers -p 443 xxx.xxx.xxx.xxx |
Replace xxx.xxx.xxx.xxx
with the IP address of the server that you want to check.
The output should be something like this:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | TLSv1.1: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 4096) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 4096) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 4096) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 4096) - A | TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) - A | TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 4096) - A | TLS_DHE_RSA_WITH_AES_128_CCM (dh 4096) - A | TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A | TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (rsa 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 4096) - A | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 4096) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 4096) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 4096) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server |_ least strength: A |