pikesaku’s blog

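Personal study notes. I take no responsibility for the content.

Checking OpenSSL cipher strength

Notes

What do HIGH and the other keywords in SSLCipherSuite mean?

Check with man ciphers (the following is an excerpt)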

CIPHER STRINGS
       The following is a list of all permitted cipher strings and their meanings.

       DEFAULT
           the default cipher list. This is determined at compile time and, as of OpenSSL 1.0.0, is normally ALL:!aNULL:!eNULL. This must be the first
           cipher string specified.

       COMPLEMENTOFDEFAULT
           the ciphers included in ALL, but not enabled by default. Currently this is ADH and AECDH. Note that this rule does not cover eNULL, which is
           not included by ALL (use COMPLEMENTOFALL if necessary).

       ALL all cipher suites except the eNULL ciphers which must be explicitly enabled; as of OpenSSL, the ALL cipher suites are reasonably ordered by
           default

       COMPLEMENTOFALL
           the cipher suites not enabled by ALL, currently being eNULL.

       HIGH
           "high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.

       MEDIUM
           "medium" encryption cipher suites, currently some of those using 128 bit encryption.

       LOW "low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites.

       EXP, EXPORT
           export encryption algorithms. Including 40 and 56 bits algorithms.

       EXPORT40
           40 bit export encryption algorithms

       EXPORT56
           56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of 56 bit export ciphers is empty unless OpenSSL has been
           explicitly configured with support for experimental ciphers.

       eNULL, NULL
           the "NULL" ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are disabled
           unless explicitly included.

       aNULL
           the cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms. These cipher
           suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.

The suites behind a cipher string can also be listed with the following command

# openssl ciphers -v 'aNULL'
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
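
The listing above can be audited mechanically. The following is an added example, not part of the original notes: the function name audit_ciphers and the weakness policy (RC4, DES, 3DES, MD5, keys under 128 bits) are assumptions of this example, and the last sample line is constructed.

```bash
#!/bin/bash
# Added example: flag weak entries in `openssl ciphers -v` output.
# The weakness policy below is this example's assumption, not OpenSSL's.

# Prints "<suite><TAB><comma-separated reasons>" for each problematic line.
audit_ciphers() {
  awk '
  function add(r) { reasons = (reasons == "" ? r : reasons "," r) }
  {
    reasons = ""
    for (i = 3; i <= NF; i++) {
      if ($i == "Au=None")  add("no-auth")        # aNULL: open to MITM
      if ($i == "Enc=None") add("no-encryption")  # eNULL
      if ($i ~ /^Enc=(RC4|DES|3DES)\(/) add("weak-cipher")
      if ($i ~ /^Enc=.*\([0-9]+\)$/) {
        bits = $i                                 # e.g. Enc=AES(256)
        sub(/^.*\(/, "", bits); sub(/\)$/, "", bits)
        if (bits + 0 < 128) add("key<128")
      }
      if ($i == "Mac=MD5")  add("md5-mac")
      if ($i == "export")   add("export")
    }
    if (reasons != "") printf "%s\t%s\n", $1, reasons
  }'
}

# Sample input: three lines from the aNULL listing above plus one
# constructed line for a suite that has authentication.
sample_ciphers() {
  cat <<'EOF'
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
EOF
}

sample_ciphers | audit_ciphers
```

To audit a real configuration, pipe the expansion of the configured string into the function, for example openssl ciphers -v 'HIGH' | audit_ciphers; any output means the string still admits suites you probably want to exclude.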

What the server actually accepts can be checked with the following script, which tries every cipher suite against 127.0.0.1:443 over TLS 1.0, 1.1 and 1.2

#!/bin/bash

# For every cipher suite known to the local OpenSSL, attempt a handshake
# with each protocol version and print the negotiated result on one line.
openssl ciphers -v 'ALL' | while read -r C _
do
  for P in -tls1 -tls1_1 -tls1_2
  do
    # $C is the suite name (first column of `openssl ciphers -v`)
    echo "" | openssl s_client -connect 127.0.0.1:443 "$P" -cipher "$C" 2>&1 | grep -E "Secure Renegotiation|Protocol *:|Cipher *:" | tr "\n" "#"
    echo ""
  done
done