Remote SSL Server cipher check script with openssl - 20150126
This script is meant for the check I described in this article. I wrote a similar script with curl earlier in this article, but this version is better when I can get the CA certificate that signs the target server certificate.
#!/bin/bash
if [ $# -ne 4 ]; then
    echo "Usage $0 DestServer DestPort URI CAfile"
    exit 1
fi

OK_COUNT=1
NG_COUNT=1
SUPPORTED_CIPHERS="supported-ciphers.txt"
DEST_IP=$1
DEST_PORT=$2
URI=$3
CA_FILE=$4

# start from an empty result file
if [ -e "$SUPPORTED_CIPHERS" ]; then
    rm "$SUPPORTED_CIPHERS"
fi

# every cipher name known to the local openssl build
ciphers=`openssl ciphers -v | awk '{print $1}'`

for i in $ciphers
do
    # send a minimal request; the exit status of s_client tells whether the handshake succeeded
    printf "GET $URI HTTP/1.1\r\nHost: $DEST_IP\r\nConnection: close\r\n\r\n" | \
        openssl s_client -CAfile "$CA_FILE" -cipher "$i" -host "$DEST_IP" -port "$DEST_PORT"
    if [ $? = "0" ]; then
        echo "$OK_COUNT: $i is supported on this server." >> "$SUPPORTED_CIPHERS"
        OK_COUNT=`expr $OK_COUNT + 1`
    else
        echo "$NG_COUNT: $i is NOT supported on this server."
        NG_COUNT=`expr $NG_COUNT + 1`
    fi
done
If I can get the CA certificate, an SSL handshake failure should be due to one of the following:
- the server certificate is revoked
- the certificate has already expired
- no supported cipher
What I would like to try now is generating a server certificate and private key that can be used with a specific cipher suite. I will test them right after the certificate and private key pair is generated, so in my test there is no case where the certificate is already expired or revoked. I believe this script helps me do that.
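As an added example (not code from the original post), the following shell functions classify captured s_client output into the handshake-failure reasons listed above and show the -verify_return_error option the post's script does not use; the SAMPLE_* captures and the check_cipher wrapper are constructed assumptions.

```shell
#!/bin/bash
# Added example: classify captured "openssl s_client" output into the failure
# reasons listed above. The SAMPLE_* strings are constructed, not real captures.

classify_sclient_output() {
    # $1: text captured from "openssl s_client ... 2>&1".
    # The alert check comes first: after a handshake failure s_client still
    # prints "Verify return code: 0 (ok)" because no certificate was received.
    if printf '%s\n' "$1" | grep -q 'alert handshake failure'; then
        echo "no-cipher"   # server refused the offered cipher suite
    elif printf '%s\n' "$1" | grep -q 'Verify return code: 10 '; then
        echo "expired"     # X509_V_ERR_CERT_HAS_EXPIRED
    elif printf '%s\n' "$1" | grep -q 'Verify return code: 23 '; then
        echo "revoked"     # X509_V_ERR_CERT_REVOKED; only seen with a CRL loaded and -crl_check
    elif printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'; then
        echo "ok"
    else
        echo "other"       # e.g. connection refused, unknown CA
    fi
}

check_cipher() {
    # Assumed wrapper (not from the post): $1 host, $2 port, $3 cipher, $4 CAfile.
    # -verify_return_error turns a failed chain verification into a failed
    # handshake, so a non-zero exit status covers expired/revoked certificates
    # as well as unsupported ciphers; without it s_client exits 0 and only
    # prints the verify return code.
    printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" \
        | openssl s_client -connect "$1:$2" -cipher "$3" -CAfile "$4" \
              -verify_return_error 2>&1
}

# constructed sample captures
SAMPLE_OK='Verify return code: 0 (ok)'
SAMPLE_EXPIRED='Verify return code: 10 (certificate has expired)'
SAMPLE_REVOKED='Verify return code: 23 (certificate revoked)'
SAMPLE_NO_CIPHER='SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
no peer certificate available
Verify return code: 0 (ok)'
```

Usage: `out=$(check_cipher host 443 AES128-SHA ca.pem); classify_sclient_output "$out"` prints one of ok, expired, revoked, no-cipher or other.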