intrigued_66

Reputation: 17268

List all options a server supports

Is it possible to list all Openssl ciphers a server supports?

Upvotes: 1

Views: 3128

Answers (1)

Steffen Ullrich

Reputation: 123531

It is not possible to ask a TLS server about all the supported ciphers. All one can do is to probe the server for a specific cipher and observe whether it reports that the server will support this cipher or not. With the openssl command line this would mean using openssl s_client -no_tls1_3 -cipher ... for probing TLS 1.2 and lower ciphers and openssl s_client -tls1_3 -ciphersuites ... for TLS 1.3 ciphers.

Example for a successful handshake:

$ openssl s_client -no_tls1_3 -cipher AES128-GCM-SHA256 -connect google.com:443
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256

And for a failed handshake:

$ openssl s_client -no_tls1_3 -cipher AES128-SHA256 -connect google.com:443
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000

There are several limits to this approach though:

  • One can only probe ciphers supported by the version of openssl in use, see openssl ciphers -V
  • Some servers might limit specific ciphers to specific TLS protocol versions, like weaker ciphers only with TLS 1.0. So one also has to iterate over the various TLS protocol versions when probing
  • Some servers limit ciphers only when specific ECC curves are announced as supported by the client
  • Some servers have different configurations for different domains on the same IP address

Thus, for the successful tests one can be sure that the cipher is supported. For unsuccessful tests one cannot be fully sure that the cipher is not supported since it might only be supported in a specific context. For ciphers not tested one has no idea if these are supported or not.

Upvotes: 5
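The probing loop the answer describes, written out as an added example (this is not code from the answer or from the OpenSSL project): it takes the cipher list from openssl ciphers -V, iterates over the TLS protocol versions, offers exactly one cipher per openssl s_client run, and classifies the result from the "Cipher :" line of the SSL-Session block, where a real cipher name means the handshake succeeded and 0000 means the server rejected the offer. The target host, the PROBE_CURVES variable and the output layout are assumptions of this example; the sample outputs in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original answer): probe a TLS server for every
# cipher the local openssl build knows, one cipher per handshake, across
# protocol versions, and classify each result from openssl s_client output.

# Classify a captured `openssl s_client` output.
# Prints "supported" (a cipher was negotiated), "unsupported" (the server
# rejected the offer and openssl printed "Cipher : 0000"), or "unknown" (no
# SSL-Session block at all: connection refused, timeout, local openssl build
# refusing the protocol version, ...).
classify_handshake() {
  cipher=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
  case "$cipher" in
    "")   echo "unknown" ;;
    0000) echo "unsupported" ;;
    *)    echo "supported" ;;
  esac
}

# Read `openssl ciphers -V` output on stdin and print cipher names (3rd column).
# $1 = "tls13" for TLS 1.3 ciphersuites, anything else for TLS 1.2-and-lower
# ciphers (the 4th column of -V output is the minimum protocol version).
cipher_names() {
  if [ "$1" = "tls13" ]; then
    awk '$4 == "TLSv1.3" { print $3 }'
  else
    awk '$4 != "TLSv1.3" { print $3 }'
  fi
}

# Probe one cipher: $1 = host:port, $2 = protocol flag (-tls1, -tls1_1,
# -tls1_2 or -tls1_3), $3 = cipher name, $4 = SNI name.
# PROBE_CURVES (optional, e.g. "P-256:X25519") is passed as -groups so that
# servers which gate ciphers on the announced curves can be probed too.
probe_cipher() {
  local target proto cipher sni out
  target=$1; proto=$2; cipher=$3; sni=$4
  set -- -connect "$target" -servername "$sni" "$proto"
  if [ "$proto" = "-tls1_3" ]; then
    set -- "$@" -ciphersuites "$cipher"   # TLS 1.3 suites use -ciphersuites
  else
    set -- "$@" -cipher "$cipher"         # TLS 1.2 and lower use -cipher
  fi
  if [ -n "${PROBE_CURVES:-}" ]; then
    set -- "$@" -groups "$PROBE_CURVES"
  fi
  out=$(openssl s_client "$@" </dev/null 2>/dev/null)
  classify_handshake "$out"
}

# Full scan: $1 = host:port, $2 = SNI name (defaults to the host part).
# Prints one line per (protocol, cipher) pair: "<proto> <cipher> <result>".
scan() {
  local target sni proto c
  target=$1; sni=${2:-${1%%:*}}
  for proto in -tls1 -tls1_1 -tls1_2; do
    for c in $(openssl ciphers -V 'ALL:COMPLEMENTOFALL' | cipher_names pre13); do
      printf '%-8s %-40s %s\n' "$proto" "$c" \
        "$(probe_cipher "$target" "$proto" "$c" "$sni")"
    done
  done
  for c in $(openssl ciphers -V | cipher_names tls13); do
    printf '%-8s %-40s %s\n' -tls1_3 "$c" \
      "$(probe_cipher "$target" -tls1_3 "$c" "$sni")"
  done
}

# Run the scan only when a target is given via TLS_PROBE_TARGET, so the
# functions can be sourced and used individually without touching the network.
# Example (assumed target): TLS_PROBE_TARGET=example.com:443 sh probe.sh
if [ -n "${TLS_PROBE_TARGET:-}" ]; then
  scan "$TLS_PROBE_TARGET" "${TLS_PROBE_SNI:-}"
fi
```

A "supported" line is conclusive; "unsupported" only means the server declined that cipher for that protocol version, SNI name and curve list, which is exactly the caveat the answer gives; "unknown" usually means the local openssl refused to even offer the version (modern builds reject -tls1 and -tls1_1 at the default security level), so those rows say nothing about the server. Re-run with a different PROBE_CURVES or SNI name to cover the curve- and domain-dependent configurations the answer mentions.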
