Shammer's Philosophy

My private adversaria

Remote SSL Server cipher check script with openssl - 20150126

This script is for the check I wrote about in this article. I wrote a similar script with curl before, in this article, but the check is better when I can obtain the CA certificate that signed the target server's certificate.

#!/bin/bash
# Probe a TLS server for every cipher suite this openssl build knows, trusting
# only the CA certificate given as CAfile. Supported suites are appended to
# supported-ciphers.txt; unsupported ones are reported on stdout.
if [ $# -ne 4 ]; then
    echo "Usage: $0 DestServer DestPort URI CAfile"
    exit 1
fi
OK_COUNT=1
NG_COUNT=1
SUPPORTED_CIPHERS="supported-ciphers.txt"
DEST_IP=$1
DEST_PORT=$2
URI=$3
CA_FILE=$4

# Start from an empty result file on every run.
if [ -e "$SUPPORTED_CIPHERS" ]; then
    rm "$SUPPORTED_CIPHERS"
fi
# The first column of `openssl ciphers -v` is the suite name.
ciphers=$(openssl ciphers -v | awk '{print $1}')
for i in $ciphers
do
    # -verify_return_error makes s_client exit non-zero when the server
    # certificate does not verify against CA_FILE; without it the exit status
    # is 0 even on a verify failure, so only the handshake itself would be tested.
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$URI" "$DEST_IP" | \
        openssl s_client -CAfile "$CA_FILE" -verify_return_error -cipher "$i" \
            -host "$DEST_IP" -port "$DEST_PORT" > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo "$OK_COUNT: $i is supported on this server." >> "$SUPPORTED_CIPHERS"
        OK_COUNT=$((OK_COUNT + 1))
    else
        echo "$NG_COUNT: $i is NOT supported on this server."
        NG_COUNT=$((NG_COUNT + 1))
    fi
done

If I have the CA certificate, the only reasons left for an SSL handshake failure should be the following:

  • the server certificate has been revoked
  • the certificate has already expired
  • the two sides share no supported cipher suite

What I would like to try next is generating a server certificate and private key that can be used with a specific cipher suite. I will generate the pair and test it right away, so in my test the certificate can never be expired or revoked; the only remaining cause of a handshake failure is the cipher suite. I believe this script helps me do exactly that.
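The lab described in the last paragraph, as an added example that is not part of the original post: a script that generates a throwaway CA plus a server certificate and key of a chosen key type, serves them locally with openssl s_server restricted to one cipher list, and probes the server one suite at a time with the same s_client check as above. The function names, the work directory layout, the ports 14433/14434 and the cipher names used in the demo are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the original post's script. Builds a throwaway CA and a
# server certificate signed by it, serves it locally with a restricted cipher
# list, and probes the server one cipher suite at a time. Function names,
# directory layout, ports and cipher names are assumptions for this demo.
set -u

# Create a CA and a server certificate signed by it under $1.
# $2 selects the server key type: "rsa" for *-RSA-* suites, "ec" for
# ECDHE-ECDSA-* suites (a suite can only be negotiated with a matching key).
make_lab_pki() {
    local dir=$1 keytype=${2:-rsa}
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    if [ "$keytype" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key" \
            >/dev/null 2>&1 || return 1
    else
        openssl genrsa -out "$dir/server.key" 2048 >/dev/null 2>&1 || return 1
    fi
    openssl req -new -key "$dir/server.key" -subj "/CN=localhost" \
        -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.pem" >/dev/null 2>&1 || return 1
    # Freshly issued: it cannot be expired, so a later failure is not the cert's age.
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1
}

# Serve $dir's certificate on 127.0.0.1:$port, offering only $cipher_list
# (TLS 1.2 only, so the suite names from `openssl ciphers -v` apply). Prints the PID.
start_lab_server() {
    local dir=$1 port=$2 cipher_list=$3
    openssl s_server -accept "127.0.0.1:$port" -cert "$dir/server.pem" \
        -key "$dir/server.key" -cipher "$cipher_list" -tls1_2 -www \
        >/dev/null 2>&1 &
    echo $!
}

# Poll until the server accepts a TLS connection (up to about 20 s).
wait_for_server() {
    local port=$1 i=0
    while [ "$i" -lt 20 ]; do
        if openssl s_client -connect "127.0.0.1:$port" </dev/null >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

# The check itself: 0 when the handshake with $cipher succeeds AND the server
# certificate verifies against $cafile (-verify_return_error turns a verify
# failure into a non-zero exit; without it s_client exits 0 on a bad chain).
probe_cipher() {
    local port=$1 cafile=$2 cipher=$3
    openssl s_client -connect "127.0.0.1:$port" -CAfile "$cafile" \
        -verify_return_error -tls1_2 -cipher "$cipher" </dev/null >/dev/null 2>&1
}

# Probe one suite and print 0 (supported and trusted) or 1 (refused or untrusted).
probe_result() {
    if probe_cipher "$@"; then echo 0; else echo 1; fi
}

# Run the whole lab under $1: an RSA server offering one ECDHE-RSA suite on $2
# and an ECDSA server offering one ECDHE-ECDSA suite on $2+1. Prints a summary line.
lab_demo() {
    local dir=$1 port=$2 pid_rsa pid_ec r1 r2 r3 r4 r5
    make_lab_pki "$dir/rsa" rsa && make_lab_pki "$dir/ec" ec \
        && make_lab_pki "$dir/other" rsa || return 1       # "other": an unrelated CA
    pid_rsa=$(start_lab_server "$dir/rsa" "$port" ECDHE-RSA-AES128-GCM-SHA256)
    pid_ec=$(start_lab_server "$dir/ec" $((port + 1)) ECDHE-ECDSA-AES128-GCM-SHA256)
    wait_for_server "$port" && wait_for_server $((port + 1)) || {
        kill "$pid_rsa" "$pid_ec" 2>/dev/null || true; return 1; }
    r1=$(probe_result "$port" "$dir/rsa/ca.pem" ECDHE-RSA-AES128-GCM-SHA256)   # offered: 0
    r2=$(probe_result "$port" "$dir/rsa/ca.pem" AES256-SHA)                    # not offered: 1
    r3=$(probe_result "$port" "$dir/other/ca.pem" ECDHE-RSA-AES128-GCM-SHA256) # wrong CA: 1
    r4=$(probe_result $((port + 1)) "$dir/ec/ca.pem" ECDHE-ECDSA-AES128-GCM-SHA256) # offered: 0
    r5=$(probe_result $((port + 1)) "$dir/ec/ca.pem" ECDHE-RSA-AES128-GCM-SHA256)   # RSA suite, EC key: 1
    kill "$pid_rsa" "$pid_ec" 2>/dev/null || true
    echo "rsa_offered=$r1 rsa_refused=$r2 untrusted_ca=$r3 ec_offered=$r4 ec_wrong_keytype=$r5"
}

# Usage: bash lab_cipher_check.sh /tmp/lab   (the demo only runs when a directory is given)
if [ $# -ge 1 ]; then lab_demo "$1" 14433; fi
```

Against a real host, probe_cipher is the loop body of the script above with the host and port substituted in. Three things the lab makes visible that the original script does not: s_client only fails on a bad chain when -verify_return_error is given; the loop restricts itself to TLS 1.2, because with a TLS 1.3-capable openssl the -cipher option does not touch the TLS 1.3 suites (those are set with -ciphersuites), so the handshake would succeed for every name in the list; and neither script checks the server name (-verify_hostname) or revocation (s_client needs -crl_check and a CRL in the CAfile for that), so "revoked" does not by itself produce a handshake failure here.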