A vulnerability scanner may report that the target website supports weak or NULL (no-encryption) cipher suites.
Vulnerability Scanner | Scanner check information
Nessus                | Nessus Plugin 10863 "SSL ciphers" and Nessus Plugin 21643 "Supported SSL Ciphers Suites" may report "The remote service supports the use of weak SSL ciphers" and "Solution : Reconfigure the affected application if possible to avoid use of weak ciphers"
OpenSSL can be used to perform manual tests to confirm which cipher strengths a website is configured to accept. In the examples below I have used only a few of the available cipher categories, enough to show how the responses differ between an accepted and a rejected handshake.
Testing connections with Null ciphers
When a NULL cipher suite is negotiated, no encryption takes place: the TLS record layer still authenticates the data, but the messages themselves are sent in plain text.
The examples below show that neither google.com nor natwest.com supports NULL ciphers; the server aborts the handshake with an alert rather than completing it.
$> openssl s_client -connect www.google.com:443 -cipher NULL
CONNECTED(00000003)
3716:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
$>

$> openssl s_client -connect www.natwest.com:443 -cipher NULL
CONNECTED(00000003)
4088:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
$>
Testing support of LOW encryption (up to 64-bit) ciphers
These examples show that google.com does accept a LOW-strength cipher (the handshake completes and a certificate chain is returned), whereas natwest.com does not.
$> openssl s_client -connect www.google.com:443 -cipher LOW
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
[..snip..]

$> openssl s_client -connect www.natwest.com:443 -cipher LOW
CONNECTED(00000003)
1412:error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned:s3_clnt.c:728:
$>
Testing support of MEDIUM encryption (128-bit) ciphers
Here you can see that both sites accept medium-strength ciphers: in each case the handshake completes and the server's certificate chain is returned.
$> openssl s_client -connect www.google.com:443 -cipher MEDIUM
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
[..snip..]

$> openssl s_client -connect www.natwest.com:443 -cipher MEDIUM
CONNECTED(00000003)
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=GB/ST=Lothian/L=Edinburgh/O=Royal Bank of Scotland Group/OU=E-Services/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network/CN=www.natwest.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
[..snip..]
Testing support of HIGH encryption (greater than 128-bit) ciphers
As expected, both sites accept cipher suites with key lengths greater than 128 bits.
$> openssl s_client -connect www.google.com:443 -cipher HIGH
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
[..snip..]

$> openssl s_client -connect www.natwest.com:443 -cipher HIGH
CONNECTED(00000003)
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=GB/ST=Lothian/L=Edinburgh/O=Royal Bank of Scotland Group/OU=E-Services/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network/CN=www.natwest.com
[..snip..]
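The four manual checks above follow the same pattern: offer one OpenSSL cipher category, then look at whether the server completes the handshake (a certificate chain is printed) or aborts it (a handshake-failure or unknown-cipher error). The script below is an added example, not code from the original post; it wraps that pattern in a small POSIX shell scanner that runs all four categories against one host and classifies each response from the s_client output. It assumes `openssl s_client` is on PATH, and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): probe one host for each of the
# OpenSSL cipher categories used above and report whether the server accepted
# the handshake. Assumes `openssl s_client` is on PATH.

# classify_handshake: read s_client output on stdin and print one word.
#   accepted    - the server completed the handshake (a certificate chain was printed)
#   rejected    - the server refused the offered ciphers (alert / unknown cipher)
#   unavailable - the local OpenSSL build would not offer that cipher list at all
#   unknown     - anything else (timeout, DNS failure, ...)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Certificate chain'; then
        echo accepted
    elif printf '%s\n' "$out" | grep -qiE 'handshake failure|unknown cipher'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -qiE 'no cipher match|no ciphers available'; then
        echo unavailable
    else
        echo unknown
    fi
}

# probe_cipher HOST PORT CIPHERSPEC: run s_client non-interactively (stdin
# from /dev/null so it does not wait for input) and classify the result.
probe_cipher() {
    openssl s_client -connect "$1:$2" -cipher "$3" </dev/null 2>&1 | classify_handshake
}

# scan_host HOST [PORT]: one line per category, e.g. "LOW      rejected".
scan_host() {
    host=$1
    port=${2:-443}
    for spec in NULL LOW MEDIUM HIGH; do
        printf '%-8s %s\n' "$spec" "$(probe_cipher "$host" "$port" "$spec")"
    done
}

# Usage (placeholder host): scan_host www.example.com 443
```

Two caveats when running this against a current OpenSSL build: the default security level refuses to even offer NULL and LOW cipher lists on the client side, which the script reports as "unavailable" rather than "rejected" so that a client-side refusal is not mistaken for a hardened server; and `-cipher` only governs TLS 1.2 and earlier suites, so a TLS 1.3-only server needs `-ciphersuites` (and a matching `-tls1_2`/`-no_tls1_3` run) to reproduce these category checks.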
For further information, you may want to refer to the OpenSSL ciphers manual page:
Hi stephen,
When I am trying to connect to my AD using the openssl connect command I am getting the following error. What could be the cause?
premod@premod-ltp:~$ openssl s_client -connect yamuna:636
CONNECTED(00000003)
10426:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Thanks,
#!Premod
I have the same problem, please help me.
There must be something misconfigured on the server end, I would guess. Could you have enabled something like requiring client authentication? Or be advertising support for ciphers that are not properly implemented on the server? Do you get the same message if you add the different "-cipher" tests like described in the blog above?
I try to use "-cipher NULL - LOW - MEDIUM - HIGH" but I still have a problem and the same message appears.