Blog | G5 Cyber Security

Check Cipher Suite Strength

G5 Cyber Security

TL;DR

Use nmap with its SSL/TLS scripting engine (--script ssl-enum-ciphers) to quickly identify weak or unsupported cipher suites on a target server. Alternatively, use online tools like SSL Labs Server Test for a comprehensive report.

How to Verify Weak Cipher Suites

  1. Understand Cipher Suites: A cipher suite is a set of cryptographic algorithms used to secure network communications. Older or weaker suites are vulnerable to attacks.
  2. Using nmap (Recommended): nmap is a powerful network scanner that can identify open ports and the SSL/TLS configurations on those ports.
    • Install nmap: If you don’t have it already, install nmap. On Debian/Ubuntu: 
      sudo apt update && sudo apt install nmap

      On macOS (using Homebrew):

      brew install nmap
    • Scan a target: Replace target_ip_or_hostname with the actual address of the server you want to test. 
      nmap --script ssl-enum-ciphers target_ip_or_hostname
    • Interpret the results: The output will list supported cipher suites. Look for:
      • Weak ciphers: Suites using DES, RC4, MD5, or SHA1 are generally considered weak.
      • Outdated protocols: SSLv3 and TLS 1.0/1.1 should be disabled.
      • Cipher suite order: The server prioritises suites in the order they’re presented. Stronger suites should be preferred.
  3. Using SSL Labs Server Test (Online Tool): This is a web-based tool that provides a detailed analysis of your server’s SSL/TLS configuration.
    • Go to: https://www.ssllabs.com/ssltest/
    • Enter the hostname: Type in the domain name of the server you want to test.
    • Start the scan: Click ‘Start Below’.
    • Review the report: SSL Labs provides a grade (A-F) and detailed information about supported protocols, cipher suites, key exchange algorithms, and certificate details. Pay attention to any warnings or errors.
  4. Common Weak Cipher Suites to Avoid:
    • TLS_RSA_WITH_RC4_128_SHA (and other RC4 suites)
    • SSLv3
    • TLS 1.0/1.1
    • Cipher suites using DES or MD5
  5. Remediating Weak Cipher Suites: The method for disabling weak cipher suites depends on your web server software (e.g., Apache, Nginx, IIS).
    • Apache: Modify the SSLCipherSuite directive in your Apache configuration file (usually httpd.conf or ssl.conf).
    • Nginx: Adjust the ssl_ciphers directive in your Nginx configuration file (usually nginx.conf).
    • IIS: Use the IIS Manager to configure SSL/TLS settings and disable outdated protocols and weak cipher suites.
Exit mobile version