How can I pass the OpenSSL ciphers list to clients?
How can we pass a cipher list to the OpenSSL s_client program?
We can pass a single cipher like this:
openssl s_client -cipher 'ECDHE-RSA-AES256-SHA' -connect
But how do we pass a list of multiple ciphers?
As Steffen Ullrich has mentioned, you can pass a list of ciphers to the -cipher option of s_client. This is not a single item, but a specification and can also be used for the nginx ssl_ciphers option, or the Apache SSLCipherSuite option. You can pass multiple ciphers using a space, comma or colon separator. Example:
openssl s_client -cipher ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384 -connect example.com:443
The above list specifies two specific ciphers. A group of ciphers can also be passed. Here is an example of a cipher list specification that requires authenticated ephemeral ECDH key agreement (ECDH), RSA for authentication and only cipher suites that are considered of "high" encryption:
openssl s_client -cipher ECDH+aRSA+HIGH -connect example.com:443
What does this expand to? The openssl ciphers command can be used for this purpose:
$ openssl ciphers ECDH+aRSA+HIGH
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA
or more verbosely:
$ openssl ciphers -v ECDH+aRSA+HIGH
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
For more information, read the ciphers manual page.
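One way to review what a specification such as ECDH+aRSA+HIGH expands to before using it with -cipher, ssl_ciphers or SSLCipherSuite, added here as an example that is not part of the original answer. The function names are hypothetical; the sample listing is the verbose output shown in the answer. The functions read `openssl ciphers -v` output, flag suites with legacy encryption or a non-AEAD MAC, and rebuild a colon-separated list from the rest.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not OpenSSL's).
# Input: `openssl ciphers -v` lines: name, protocol, Kx=, Au=, Enc=, Mac=

# Listing copied from the answer above (ECDH+aRSA+HIGH on its OpenSSL build).
sample_listing() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
EOF
}

# Print "<suite> <findings>" per line; findings is "ok" when nothing is flagged.
classify_cipher_listing() {
    awk '
    NF >= 6 && $5 ~ /^Enc=/ && $6 ~ /^Mac=/ {
        enc = substr($5, 5); mac = substr($6, 5); why = ""
        # 64-bit-block, broken or null encryption
        if (enc ~ /^(3DES|DES|RC4|RC2|IDEA|None)/) why = why ",weak-enc:" enc
        # anything that is not an AEAD suite (CBC or stream cipher plus HMAC)
        if (mac != "AEAD") why = why ",non-aead:" mac
        print $1, (why == "" ? "ok" : substr(why, 2))
    }'
}

# Only the suites that were flagged, with the reasons.
flagged_suites() {
    classify_cipher_listing | awk '$2 != "ok"'
}

# Colon-separated list of the unflagged suites, usable as a -cipher argument.
unflagged_cipher_list() {
    classify_cipher_listing |
        awk '$2 == "ok" { printf "%s%s", sep, $1; sep = ":" } END { if (sep) print "" }'
}

# Live use: openssl ciphers -v 'ECDH+aRSA+HIGH' | flagged_suites
echo "Flagged:"; sample_listing | flagged_suites
echo "Keep:";    sample_listing | unflagged_cipher_list
```

The expansion depends on the OpenSSL build, so run the live form with the same binary the client or server actually uses.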