TLS Cipher Walking
5 min read · Mar 10, 2023
I need to validate whether the TLS cipher suites an application exposes are secure. I therefore created two versions of the scanner: a sequential one based on openssl s_client, and a parallel one implemented in Go.
Sequential Version with OpenSSL
This webpage provides a good base for using openssl s_client to walk through the ciphers; it only needs updating for TLS 1.3, where openssl s_client takes the suites via -ciphersuites instead of -cipher. The script to walk through the TLS ciphers is shown below.
#!/usr/bin/env bash
# Usage: ./tls-walk.sh host:port   (needs OpenSSL 1.1.1 or later for -tls1_3)
# Walk every cipher suite the local OpenSSL build knows, one protocol version
# at a time, and print the ones the server actually negotiates.
target="$1"
[ -n "$target" ] || { echo "usage: $0 host:port" >&2; exit 1; }
host="${target%%:*}"   # sent as SNI; without it a virtual host may answer with a different config

# ALL:COMPLEMENTOFALL also covers the suites DEFAULT leaves out (NULL, anonymous,
# RC4, ...), and @SECLEVEL=0 keeps the client from silently dropping weak suites
# before they are ever offered. -s makes openssl ciphers honour the version flag.
list='ALL:COMPLEMENTOFALL:@SECLEVEL=0'
tls1=$(openssl ciphers -s -tls1 "$list" | sed -e 's/:/ /g')
tls11=$(openssl ciphers -s -tls1_1 "$list" | sed -e 's/:/ /g')
tls12=$(openssl ciphers -s -tls1_2 "$list" | sed -e 's/:/ /g')
tls13=$(openssl ciphers -s -tls1_3 "$list" | sed -e 's/:/ /g')

for cipher in ${tls1}
do
    result=$(openssl s_client -tls1 -cipher "${cipher}:@SECLEVEL=0" -servername "$host" -connect "$target" </dev/null 2>&1)
    if [[ "$result" =~ "Cipher is ${cipher}" ]] ; then
        echo "TLS1: ${cipher}"
    fi
done
for cipher in ${tls11}
do
    result=$(openssl s_client -tls1_1 -cipher "${cipher}:@SECLEVEL=0" -servername "$host" -connect "$target" </dev/null 2>&1)
    if [[ "$result" =~ "Cipher is ${cipher}" ]] ; then
        echo "TLS1.1: ${cipher}"
    fi
done
for cipher in ${tls12}
do
    result=$(openssl s_client -tls1_2 -cipher "${cipher}:@SECLEVEL=0" -servername "$host" -connect "$target" </dev/null 2>&1)
    if [[ "$result" =~ "Cipher is ${cipher}" ]] ; then
        echo "TLS1.2: ${cipher}"
    fi
done
for cipher in ${tls13}
do
    # TLS 1.3 suites are selected with -ciphersuites, not -cipher
    result=$(openssl s_client -tls1_3 -ciphersuites "$cipher" -servername "$host" -connect "$target" </dev/null 2>&1)
    if [[ "$result" =~ "Cipher is ${cipher}" ]] ; then
        echo "TLS1.3: ${cipher}"
    fi
done