Hi,
you want to know which security ciphers a particular server supports?
nmap is a universal scanner for discovering networks. It has a scripting engine with a lot of security related modules. The ssl-enum-ciphers is one of them.
To all ciphers use
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 | [root@debdev ~]# nmap --script ssl-enum-ciphers -p 443 myHost.myDomain.orgStarting Nmap 7.70 ( https://nmap.org ) at 2020-10-07 08:23 CESTNmap scan report for myHost.myDomain.org (10.10.254.34)Host is up (0.0013s latency).PORT STATE SERVICE443/tcp open https| ssl-enum-ciphers:| TLSv1.0:| ciphers:| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C| compressors:| NULL| cipher preference: server| warnings:| 64-bit block cipher 3DES vulnerable to SWEET32 attack| Key exchange (dh 1024) of lower strength than certificate key| TLSv1.1:| ciphers:| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C| compressors:| NULL| cipher preference: server| warnings:| 64-bit block cipher 3DES vulnerable to SWEET32 attack| Key exchange (dh 1024) of lower strength than certificate key| TLSv1.2:| ciphers:| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C| compressors:| NULL| cipher preference: server| warnings:| 64-bit block cipher 3DES vulnerable to SWEET32 attack| Key exchange (dh 1024) of lower strength than certificate key|_ least strength: DMAC Address: 00:52:42:86:60:3F |
The character (A, B..) at the the end of the cipher is a rating of the ciphers strength. A is the best.
Or with some detailed output
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 | [root@debdev ~]# nmap -sV --script ssl-enum-ciphers -p 443 myHost.myDomain.orgStarting Nmap 7.70 ( https://nmap.org ) at 2020-10-07 08:23 CESTNmap scan report for myHost.myDomain.org (10.10.254.34)Host is up (0.0013s latency).PORT STATE SERVICE VERSION443/tcp open ssl/http nginx 1.18.3|_http-server-header: nginx/1.18.3| ssl-enum-ciphers:| TLSv1.0:| ciphers:| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C| compressors:| NULL| cipher preference: server| warnings:| 64-bit block cipher 3DES vulnerable to SWEET32 attack| Key exchange (dh 1024) of lower strength than certificate key| TLSv1.1:| ciphers:| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C| compressors:| NULL| cipher preference: server| warnings:| 64-bit block cipher 3DES vulnerable to SWEET32 attack| Key exchange (dh 1024) of lower strength than certificate key| TLSv1.2:| ciphers:| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C| compressors:| NULL| cipher preference: server| warnings:| 64-bit block cipher 3DES vulnerable to SWEET32 attack| Key exchange (dh 1024) of lower strength than certificate key|_ least strength: DMAC Address: 00:52:42:86:60:3F |
Michael