Checking SSL ciphers

Post by ObiWan » 2015-03-02 09:49

I suppose most if not all hMS users are aware of the latest SSL issues and vulnerabilities; fixing them requires reconfiguring the SSL ciphers offered by the server. Once the server is reconfigured as desired, one may want to check it to ensure it isn't offering vulnerable or undesired cipher suites; here's how to run such a check.

Start by configuring hMS to enable SSL/TLS on whatever port you want; in this example I'll assume you configured IMAP to also use SSL on port 993 and that your server's public IP is; now, once you have configured your SSL settings, just pick the attached tool. I picked the tool from the CVS here, rebuilt it and, once I noticed it didn't support TLS1.1 and 1.2, slightly modified the code to support them too (in case you need the modified source it's available here; I didn't include the VS project in the zip due to attachment size limitations).

Anyhow, assuming you have the tool ready, just fire up a command prompt and run "sslscan --no-failed"; the program will then start, connect to the given IP/Port and negotiate the security suite, showing the ones accepted by the server. The output will then show you the list of ciphers accepted by the server, the preferred ones and some details about the server certificate. For further information, just run "sslscan" without parameters and you'll see the program help (or have a look at the source code).

Re: Checking SSL ciphers

Post by ObiWan » 2015-03-02 10:09

In case someone is curious to see what the output looks like...

D:\Tools\sslscan> sslscan --no-failed
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.9.2-win32
 Copyright 2010 Ian Ventura-Whiting / Michael Boman
    Compiled against OpenSSL 1.0.1l 15 Jan 2015

Testing SSL server on port 465

  Supported Server Cipher(s):
    accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA
    accepted  TLSv1.2  256 bits  AES256-SHA
    accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA
    accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
    accepted  TLSv1.2  128 bits  AES128-SHA
    accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA
    accepted  TLSv1.2  128 bits  RC4-SHA
    accepted  TLSv1.2  128 bits  RC4-MD5
    accepted  TLSv1.2  112 bits  DES-CBC3-SHA
    accepted  TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA
    accepted  TLSv1.1  256 bits  AES256-SHA
    accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA
    accepted  TLSv1.1  128 bits  AES128-SHA
    accepted  TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA
    accepted  TLSv1.1  128 bits  RC4-SHA
    accepted  TLSv1.1  128 bits  RC4-MD5
    accepted  TLSv1.1  112 bits  DES-CBC3-SHA
    accepted  TLSv1    256 bits  ECDHE-RSA-AES256-SHA
    accepted  TLSv1    256 bits  AES256-SHA
    accepted  TLSv1    128 bits  ECDHE-RSA-AES128-SHA
    accepted  TLSv1    128 bits  AES128-SHA
    accepted  TLSv1    128 bits  ECDHE-RSA-RC4-SHA
    accepted  TLSv1    128 bits  RC4-SHA
    accepted  TLSv1    128 bits  RC4-MD5
    accepted  TLSv1    112 bits  DES-CBC3-SHA
    accepted  SSLv3    256 bits  ECDHE-RSA-AES256-SHA
    accepted  SSLv3    256 bits  AES256-SHA
    accepted  SSLv3    128 bits  ECDHE-RSA-AES128-SHA
    accepted  SSLv3    128 bits  AES128-SHA
    accepted  SSLv3    128 bits  ECDHE-RSA-RC4-SHA
    accepted  SSLv3    128 bits  RC4-SHA
    accepted  SSLv3    128 bits  RC4-MD5
    accepted  SSLv3    112 bits  DES-CBC3-SHA

  Prefered Server Cipher(s):
    SSLv3    128 bits  ECDHE-RSA-RC4-SHA
    TLSv1    128 bits  ECDHE-RSA-RC4-SHA
    TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA
    TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256

  SSL Certificate:
    Serial Number: 4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
    Not valid before: Jul 15 08:40:38 2014 GMT
    Not valid after: Apr  4 15:15:55 2015 GMT
    Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/
    Public Key Algorithm: rsaEncryption
    rsaEncryption Public Key: (2048 bit):
      Public-Key: (2048 bit)
      Exponent: 65537 (0x10001)

X509v3 Extended Key Usage: 
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
Authority Information Access: 
CA Issuers - URI:

X509v3 Subject Key Identifier: 
X509v3 Basic Constraints: critical
X509v3 Authority Key Identifier: 

X509v3 Certificate Policies: 

X509v3 CRL Distribution Points: 

Full Name:

Secure session renegotiations supported
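
Added example (not part of the original post or of sslscan): a small Python filter that reads output in the format shown above and lists the accepted and preferred suites that fall outside a policy. The policy values (`WEAK_PROTOCOLS`, `WEAK_TOKENS`, `MIN_BITS`) and the embedded sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample in the format of the sslscan 1.9.2 output shown above.
SAMPLE = """\
  Supported Server Cipher(s):
    accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    accepted  TLSv1.2  128 bits  RC4-MD5
    accepted  TLSv1.2  112 bits  DES-CBC3-SHA
    accepted  TLSv1    256 bits  AES256-SHA
    accepted  SSLv3    128 bits  ECDHE-RSA-RC4-SHA
  Prefered Server Cipher(s):
    SSLv3    128 bits  ECDHE-RSA-RC4-SHA
    TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
"""

# Assumed policy, not taken from the thread; adjust to your own requirements.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_TOKENS = {"RC4", "MD5", "DES", "NULL", "EXP"}  # "DES" also hits DES-CBC3
MIN_BITS = 128
LINE_RE = re.compile(r"^\s*(accepted\s+)?(SSLv\d|TLSv[\d.]+)\s+(\d+) bits\s+(\S+)\s*$")

def parse(text):
    """Return (accepted, preferred) lists of (protocol, bits, cipher)."""
    accepted, preferred = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = (m.group(2), int(m.group(3)), m.group(4))
            (accepted if m.group(1) else preferred).append(entry)
    return accepted, preferred

def reasons(protocol, bits, cipher):
    """List why one suite violates the policy (empty list if it passes)."""
    found = ["protocol " + protocol] if protocol in WEAK_PROTOCOLS else []
    if bits < MIN_BITS:
        found.append("%d-bit key" % bits)
    return found + ["uses " + t for t in cipher.split("-") if t in WEAK_TOKENS]

def audit(text):
    """Return (kind, protocol, cipher, reasons) for every flagged line."""
    return [(kind, p, c, reasons(p, b, c))
            for kind, entries in zip(("accepted", "preferred"), parse(text))
            for p, b, c in entries if reasons(p, b, c)]

if __name__ == "__main__":
    for kind, protocol, cipher, why in audit(SAMPLE):
        print("%-9s %-8s %-22s %s" % (kind, protocol, cipher, ", ".join(why)))
```

To check a real server, redirect the sslscan output to a file and pass its text to `audit()`; an empty result means nothing matched the policy.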


Re: Checking SSL ciphers

Post by ObiWan » 2020-07-20 09:26

As a note, the latest version of SSLscan which also checks for TLS1.3 is available here

If you're not willing to build it yourself, you can pick the latest binary release here

Re: Checking SSL ciphers

Post by RvdH » 2020-07-25 18:34

Thanks, useful ✔️

Re: Checking SSL ciphers

Post by ObiWan » 2020-07-28 17:36

RvdH wrote: 2020-07-25 18:34
Thanks, useful ✔️

You're welcome; as for using it, here are a couple examples

sslscan --starttls-smtp

sslscan --starttls-pop3

The above two will check the "" server for supported SSL/TLS ciphers on SMTP and POP3; for further usage, just run the tool w/o any parameters and it will show a brief help.

