TLS Cipher Walking

5 min readMar 10

Image by PublicDomainPictures from Pixabay

I need to validate if the TLS cipher exposed by the application is secure. I therefore created two versions of the scanner, one is sequential Openssl based, the other one is parallel version implemented with Golang.

Sequential Version with Openssl

This webpage provides a nice base to use openssl s_client to walk through the ciphers. Just need to update it for the new syntax for TLS1.3. The script to walk through the TLS ciphers are shown below,

#!/usr/bin/env bash
tls1=$(openssl ciphers -tls1 | sed -e 's/:/ /g')
tls11=$(openssl ciphers -tls1_1 | sed -e 's/:/ /g')
tls12=$(openssl ciphers -tls1_2 | sed -e 's/:/ /g')
tls13=$(openssl ciphers -tls1_3 | sed -e 's/:/ /g')

for cipher in ${tls1}
do
result=$(echo -n | openssl s_client -tls1 -cipher "$cipher" -connect $1 2>&1)
if [[ "$result" =~ "Cipher is ${cipher}" ]] ; then
  echo "TLS1: ${cipher}"
fi
done

for cipher in ${tls11}
do
result=$(echo -n | openssl s_client -tls1_1 -cipher "$cipher" -connect $1 2>&1)
if [[ "$result" =~ "Cipher is ${cipher}" ]] ; then
  echo "TLS1.1: ${cipher}"
fi
done


for cipher in ${tls12}
do
result=$(echo -n | openssl s_client -tls1_2 -cipher "$cipher" -connect $1 2>&1)
if [[ "$result" =~ "Cipher is ${cipher}" ]] ; then
  echo "TLS1.2: ${cipher}"
fi
done

for cipher in ${tls13}
do
result=$(echo -n | openssl s_client -tls1_3 -ciphersuites "$cipher" -connect $1 2>&1)
if [[ "$result" =~ "Cipher is ${cipher}" ]] ; then
  echo "TLS1.3: ${cipher}"
fi
done

Test against google.com as below,

$ ./tls-cipher-walk.sh google.com:443
TLS1: AES256-SHA
TLS1: AES128-SHA
TLS1.1: AES256-SHA
TLS1.1: AES128-SHA
TLS1.2: ECDHE-ECDSA-AES256-GCM-SHA384
TLS1.2: ECDHE-RSA-AES256-GCM-SHA384
TLS1.2: ECDHE-ECDSA-CHACHA20-POLY1305
TLS1.2: ECDHE-RSA-CHACHA20-POLY1305
TLS1.2: ECDHE-ECDSA-AES128-GCM-SHA256
TLS1.2: ECDHE-RSA-AES128-GCM-SHA256
TLS1.2: ECDHE-ECDSA-AES256-SHA
TLS1.2: ECDHE-RSA-AES256-SHA
TLS1.2: ECDHE-ECDSA-AES128-SHA
TLS1.2: ECDHE-RSA-AES128-SHA
TLS1.2: AES256-GCM-SHA384
TLS1.2: AES128-GCM-SHA256
TLS1.2: AES256-SHA
TLS1.2: AES128-SHA
TLS1.3: TLS_AES_256_GCM_SHA384
TLS1.3: TLS_CHACHA20_POLY1305_SHA256
TLS1.3: TLS_AES_128_GCM_SHA256

But soon, you realise the script is slow as each of the cipher is checked in a sequential way.

TLS Cipher Walking

Sequential Version with Openssl

Parallel Walk with Golang

Written by Zhimin Wen

More from Zhimin Wen

Exploring Llama2 on CPU only VM

Since Meta released the open source large language model Llama2, thanks to the effort of the community, the barrier to access a LLM to…

Persistent Volume Claim for StatefulSet

Sometimes, we need the configuration to persist so that when the pod restarts the same configuration can be applied. We typically request a…

Custom Prometheus Metrics for Apps Running in Kubernetes

Kubernetes solves the application availability management problem through the liveness and readiness probes. Now, how about application…

Setup Local DNS Server on Macbook

When testing cloud technologies, frequently we are required to point to some DNS entries or even some wildcard DNS names. We commonly see…

Recommended from Medium

Unleashing the Power of OpenShift: Industry Use Cases and How It Works

OpenShift, a Kubernetes-based container platform developed by Red Hat, has gained immense popularity in recent years for its ability to…

HTB: TrueSecrets

Hack The Box(Forensics Challenge)

Lists

Staff Picks

Stories to Help You Level-Up at Work

Self-Improvement 101

Productivity 101

RedLine CTF Writeup

Hello dudes, I hope to find you well.

10 Seconds That Ended My 20 Year Marriage

It’s August in Northern Virginia, hot and humid. I still haven’t showered from my morning trail run. I’m wearing my stay-at-home mom…

About Deployment in Kubernetes

In this blog we will discuss about one of the most high-level object in kubernetes that is Deployment object.

Race Condition

Race conditions occur when two computer program processes, or threads, attempt to access the same resource at the same time and cause…