
How to Scan Ciphers & Algorithms Supported by a TLS/SSL Endpoint

Publication date: Jul 28, 2025
Steps

QUESTION

Original Description

 I just need to know which ones (ciphers) are currently used by the on-premise Anypoint RTF to talk to the cloud so I know if I need to get an exemption or not

Explained

In some scenarios, compliance requirements mandate a specific hardened TLS/SSL cipher set for outward-facing communication, for example the NZISM (New Zealand Information Security Manual, https://www.nzism.gcsb.govt.nz/ism-document). To assess this, we need to know which ciphers a TLS/SSL endpoint supports.

ANSWER

We can scan the ciphers with nmap's ssl-enum-ciphers script. The command is:
> nmap -sV --script ssl-enum-ciphers -p <port number> <hostname/IP>
Similarly, the ssh2-enum-algos script can be used to scan the algorithms offered by an SSH endpoint:
> nmap -sV --script ssh2-enum-algos -p <port number> <hostname/IP>


The output of ssl-enum-ciphers lists the cipher suites configured for TLS/SSL on the target port. For example:
> nmap -sV --script ssl-enum-ciphers -p 443 transport-layer.prod.cloudhub.io
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 12:20 AEDT
Nmap scan report for transport-layer.prod.cloudhub.io (34.206.252.3)
Host is up (0.34s latency).
Other addresses for transport-layer.prod.cloudhub.io (not scanned): 52.0.44.181 34.233.101.109
rDNS record for 34.206.252.3: ec2-34-206-252-3.compute-1.amazonaws.com

PORT    STATE SERVICE    VERSION
443/tcp open  ssl/https?
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: A
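
To turn a scan like the one above into an exemption decision, the following added example (not part of the original article) parses ssl-enum-ciphers text output and lists the suites that fail a policy. The policy here (ephemeral key exchange plus an AEAD cipher, no legacy protocol versions) is a hypothetical illustration, not the NZISM's actual requirement, and the function names are assumptions.

```python
import re

# Constructed sample, abridged from the ssl-enum-ciphers output format shown above.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|     compressors:
|       NULL
|_  least strength: A
"""

# Match on content, not indentation, so flattened copies of the output also parse.
PROTO_RE = re.compile(r"^\|[\s_]*((?:TLSv|SSLv)[\d.]+):\s*$")
SUITE_RE = re.compile(r"^\|[\s_]*((?:TLS|SSL)_\S+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

def parse_ciphers(text):
    """Return [(protocol, suite, key_exchange, grade)] from ssl-enum-ciphers text."""
    rows, proto = [], None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
        elif proto and (m := SUITE_RE.match(line)):
            rows.append((proto, *m.groups()))
    return rows

def policy_findings(rows):
    """Hypothetical policy: ephemeral key exchange and an AEAD cipher only."""
    findings = []
    for proto, suite, _kex, _grade in rows:
        reasons = []
        if proto in ("SSLv3", "TLSv1.0", "TLSv1.1"):
            reasons.append("legacy protocol")
        # TLS 1.3 suites always use ephemeral key exchange, whatever their name.
        if proto != "TLSv1.3" and not re.match(r"TLS_(ECDHE|DHE)_", suite):
            reasons.append("no forward secrecy")
        if not re.search(r"_(GCM|CCM|CHACHA20_POLY1305)", suite):
            reasons.append("non-AEAD cipher")
        if reasons:
            findings.append((proto, suite, reasons))
    return findings

if __name__ == "__main__":
    for proto, suite, reasons in policy_findings(parse_ciphers(SAMPLE)):
        print(f"{proto} {suite}: {', '.join(reasons)}")
```

Saving the scan with nmap's `-oN <file>` option and passing the file contents to `parse_ciphers` gives the same result for a real endpoint.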


An alternative method is described in the article "How to Get All Ciphers Supported From An Endpoint".

Knowledge Article Number

001115821

Salesforce Help | Article