Check cipher suites

Owned by Tamás Utasi
Last updated: Nov 27, 2024 by Andy Clowe
3 min read

Following instruction on this page you can test if your client has support for a necessary cipher suite required by our servers.

On the host that runs your service run the next command:

curl -o /dev/null -s -vvv https://my.patientsknowbest.com

Above command will try to fetch content from my.patientsknowbest.com.

Context

A cipher suite is a fixed set of algorithms used together to establish a secure network connection to transmit data between to hosts. Cipher suite names are derived from the algorithms used.

These algorithms are:

  • Key Exchange Algorithms (e.g.: RSA, DH, ECDH, …)

  • Authentication/Digital Signature Algorithm (e.g.: RSA, ECDSA, …)

  • Bulk Encryption Algorithms (e.g.: AES, CHACHA20, …)

  • Message Authentication Code Algorithms (e.g.: SHA-256, POLY1305)

A cipher suite might be supported by by differetn TLS versions.

Both server and client has a set of supported cipher suites which must overlap.

Expected success output

* Trying 35.246.122.93:443... ... * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 ... * Connection #0 to host my.patientsknowbest.com left intact

SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 indicates that the host OS supports TLS_AES_256_GCM_SHA384TLSv1.3 which is one cipher suite that our servers also support.

Expected failure output

* Trying 35.246.122.93:443... * Connected to my.patientsknowbest.com (35.246.122.93) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ECDHE-RSA-AES256-SHA384 * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.0 (OUT), TLS header, Certificate Status (22): } [5 bytes data] * TLSv1.2 (OUT), TLS handshake, Client hello (1): } [181 bytes data] * TLSv1.2 (IN), TLS header, Unknown (21): { [5 bytes data] * TLSv1.2 (IN), TLS alert, handshake failure (552): { [2 bytes data] * error:0A000410:SSL routines::sslv3 alert handshake failure * Closing connection 0

Trouble shooting

Trouble shooting consists of two steps:

  1. You need to learn what cipher suites your software supports (see steps below).

  2. Compare that with cipher suites our servers support

    1. Consult our PKB API Network Connectivity page or

    2. Run a live scan on SSLLabs.

Outcomes can be:

  1. You need to modernize client so it has support for secure and performant ciphers or

  2. We need to modernize our server so it supports secure and performant ciphers.

What ciphers my OS supports?

Linux

Here is an example of a TLS v1.2 cipher suite from Openssl command 'openssl ciphers -v' output:

Windows

View and Modify the Windows Registry Settings for the TLS Cipher Suites:

Unset or 0xffffffff DWORD value means the given cipher suite is enabled, 0x0 means it’s disabled.