
How To Know What Cipher Suites Are Supported By My HTTP Listener In Mule

Publication date: Mar 2, 2024
Solution

GOAL

Identify the cipher suites supported by a Mule HTTP Listener after configuring its keystore. Knowing which cipher suites are supported is critical when configuring a Load Balancer and for ensuring that no weak cipher suites are used.

PROCEDURE

* This procedure applies when the endpoint can be reached directly, without going through a Load Balancer or Proxy.

  1. Run the application in Mule Runtime.
  2. Issue the following command (* nmap is available in macOS and Linux by default; on Windows it needs to be installed):
    nmap --script +ssl-enum-ciphers -p {Port} {Host}
    * It is recommended to run the application locally, as the command is intrusive and generates extra network noise.
  3. Diagnose the result. The output lists the supported TLS versions and cipher suites (* the supported cipher suites are determined dynamically by the supplied keystore and TLS configuration):
    Nmap scan report for {Host} ({IP Address})
    Host is up (0.0078s latency).
    rDNS record for {IP Address}: {DNS Server Host}
    
    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers: 
    |   TLSv1.0: 
    |     ciphers: 
    |       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
    |       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    |     compressors: 
    |       NULL
    |     cipher preference: server
    |     warnings: 
    |       64-bit block cipher 3DES vulnerable to SWEET32 attack
    |   TLSv1.1: 
    |     ciphers: 
    |       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
    |       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    |     compressors: 
    |       NULL
    |     cipher preference: server
    |     warnings: 
    |       64-bit block cipher 3DES vulnerable to SWEET32 attack
    |   TLSv1.2: 
    |     ciphers: 
    |       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
    |       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
    |       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
    |       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    |       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |     compressors: 
    |       NULL
    |     cipher preference: client
    |     warnings: 
    |       64-bit block cipher 3DES vulnerable to SWEET32 attack
    |_  least strength: C
    
    Nmap done: 1 IP address (1 host up) scanned in 2.99 seconds
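As an added example (not part of the article), a small Python script that parses ssl-enum-ciphers output in the format shown in step 3 and lists what to fix before fronting the listener with a Load Balancer: legacy protocol versions, suites nmap grades below A, suites without forward secrecy, and nmap's own warnings. The sample input is a constructed, abbreviated copy of the output above.

```python
import re

# Constructed sample: a few representative lines of the ssl-enum-ciphers output above.
SAMPLE = """\
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: client
|_  least strength: C
"""
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):\s*$")
SECTION_RE = re.compile(r"^\|\s+(ciphers|compressors|warnings):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+) \(([^)]*)\) - ([A-F])\s*$")
WARNING_RE = re.compile(r"^\|\s+(\S.*?)\s*$")  # "|_  least strength" does not match
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}

def parse_enum_ciphers(text):
    """Return {protocol: {"ciphers": [(suite, kex, grade)], "warnings": [...]}}."""
    result, proto, section = {}, None, None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):          # new protocol block, e.g. "TLSv1.2:"
            proto, section = m.group(1), None
            result[proto] = {"ciphers": [], "warnings": []}
        elif m := SECTION_RE.match(line):      # ciphers / compressors / warnings
            section = m.group(1)
        elif proto and section == "ciphers" and (m := CIPHER_RE.match(line)):
            result[proto]["ciphers"].append((m.group(1), m.group(2), m.group(3)))
        elif proto and section == "warnings" and (m := WARNING_RE.match(line)):
            result[proto]["warnings"].append(m.group(1))
    return result

def findings(parsed):
    """Items to fix before fronting the listener with a load balancer."""
    out = []
    for proto in sorted(parsed):
        if proto in LEGACY_PROTOCOLS:
            out.append(f"{proto}: legacy protocol version enabled")
        for suite, _kex, grade in parsed[proto]["ciphers"]:
            if grade != "A":                   # nmap grades anything below A as weaker
                out.append(f"{proto}: {suite} graded {grade}")
            if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                out.append(f"{proto}: {suite} has no forward secrecy")
        out.extend(f"{proto}: {w}" for w in parsed[proto]["warnings"])
    return out
```

To check a real scan, pipe the nmap output into `parse_enum_ciphers` and print `findings(...)`; an empty list means only TLS 1.2+ with A-graded, forward-secret suites and no nmap warnings.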
Knowledge article number

001122087
