Untitled

a guest
Apr 21st, 2018
$ openssl s_client -host HOST -port PORT

-- output

... .oO( a lot of debug-output )Oo. ...


New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256

-- output


########################################################
testssl.sh v2.0pre (http://software.drwetter.eu/ssl/)

Testing now (2014-02-24 22:40) ---> blah.org:443 <---
("blah.org" resolves to "12.34.56.78")


--> Testing specific vulnerabilities

Renegotiation Vulnerability (CVE 2009-3555): **NOT vulnerable (ok)**
CRIME Vulnerability (CVE-2012-4929): **NOT vulnerable (ok)**

--> Testing HTTP Header settings

HSTS: **365 days (31536000 s)**
Server banner: nginux

--> Testing (Perfect) Forward Secrecy (P)FS)
PFS seems generally available. Now testing specific ciphers

ECDHE-RSA-AES256-GCM-SHA384 [0xc030]: **works**
ECDHE-RSA-AES128-GCM-SHA256 [0xc02f]: **works**
ECDHE-RSA-AES128-SHA256 [0xc027]: **works**
ECDHE-RSA-RC4-SHA [0xc011]: **works**
DHE-RSA-AES256-GCM-SHA384 [0x9f]: **works**
DHE-RSA-AES256-SHA256 [0x6b]: **works**
DHE-RSA-AES256-SHA [0x39]: **works**
DHE-RSA-CAMELLIA256-SHA [0x88]: **works**
DHE-RSA-AES128-GCM-SHA256 [0x9e]: **works**
DHE-RSA-AES128-SHA256 [0x67]: **works**
DHE-RSA-AES128-SHA [0x33]: **works**
DHE-RSA-CAMELLIA128-SHA [0x45]: **works**
ECDHE-RSA-AES256-SHA384 [0xc028]: **works**
ECDHE-RSA-AES256-SHA [0xc014]: **works**
ECDHE-RSA-AES128-SHA [0xc013]: **works**
(A "green" cipher doesn't mean any browser will be able to use it)

--> Checking RC4 Ciphers

ECDHE-RSA-RC4-SHA [0xc011] (Kx=ECDH, Mac=SHA1): **available**
RC4-SHA [0x05] (Kx=RSA, Mac=SHA1): **available**

RC4 is kind of broken (for e.g. IE6 consider 0xa or 0x13)

--> Testing Protocols

SSLv2: **Local problem: /usr/bin/openssl doesn't support "s_client -ssl2"**
SSLv3: **NOT offered (ok)**
TLSv1: **offered (ok)**
TLSv1.1: **offered (ok)**
TLSv1.2: **offered (ok)**

SPDY: Following protocols advertised: **spdy/2, http/1.1**

--> Testing cipher suites

Null Cipher: **NOT offered (ok)**
Anonymous NULL Cipher : **NOT offered (ok)**
40 Bit encryption: **NOT offered (ok)**
56 Bit encryption: **Local problem: No 56 Bit encryption configured in /usr/bin/openssl**
Export Cipher (general): **NOT offered (ok)**
Low (<=64 Bit): **NOT offered (ok)**
Medium grade encryption: offered
High grade encryption: **offered (ok)**

import socket
import ssl
target, port = "HOST", 443  # placeholders: set to the server under test
# Require a valid certificate chain and matching hostname, checked against the system CA bundle
ctx = ssl.create_default_context(cafile='/etc/ssl/certs/ca-certificates.crt')
with socket.create_connection((target, port)) as s:
    with ctx.wrap_socket(s, server_hostname=target) as ssl_sock:
        print(repr(ssl_sock.getpeername()))
        print(ssl_sock.cipher())  # (cipher name, protocol version, secret bits)

-- output
> ssl-info
('12.34.56.78', 443)
('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1', 128)

nmap -Pn -p 443 --script=ssl-enum-ciphers %hostname or ip%