Test whether Perfect Forward Secrecy (PFS) is enabled on a server (using OpenSSL)

Thomas Eisenbarth
Software engineer at makandra GmbH
April 09, 2014

Use the following command to test if a server (in this example: makandra.com on port 443) uses Perfect Forward Secrecy (PFS):

openssl s_client -connect makandra.com:443 -cipher ECDHE-RSA-RC4-SHA
You should see something like the following:

~ > openssl s_client -connect projecthero.com:443 -cipher ECDHE-RSA-RC4-SHA
CONNECTED(00000003)
depth=1 O = AlphaSSL, CN = AlphaSSL CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/OU=Domain Control Validated/CN=www.projecthero.com
   i:/O=AlphaSSL/CN=AlphaSSL CA - G2
...

Note that OpenSSL keeps the connection open if PFS is supported.

If the server does not support PFS, it looks like this:

~ > openssl s_client -connect localhost:443 -cipher ECDHE-RSA-RC4-SHA
CONNECTED(00000003)
140293946562208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 127 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

... and OpenSSL exits.
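The same check as a small POSIX shell script, added here as an example and not part of the original card. It offers the whole ECDHE and DHE cipher families instead of the single RC4-based suite above (servers that have disabled RC4 would otherwise produce a false negative), redirects stdin from /dev/null so s_client exits instead of keeping the connection open, and parses the "Cipher is ..." line that s_client prints. The only assumption is that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original card): probe a server for Perfect Forward
# Secrecy by offering only ephemeral (EC)DH cipher suites and reading the
# negotiated cipher from openssl s_client output. Assumes "openssl" is on PATH.

# Extract the negotiated cipher name from s_client output on stdin.
# Prints "NONE" when the handshake failed (the "Cipher is (NONE)" case above).
negotiated_cipher() {
    sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | tr -d '()' | head -n 1
}

# Return 0 if the cipher name uses a forward-secret key exchange.
# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral (EC)DHE.
is_pfs_cipher() {
    case "$1" in
        ECDHE-*|DHE-*|TLS_AES_*|TLS_CHACHA20_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Connect once, offering only ECDHE/DHE suites. Reading stdin from /dev/null
# makes s_client exit right after the handshake instead of staying connected.
pfs_check() {
    host="$1"; port="${2:-443}"
    cipher=$(openssl s_client -connect "$host:$port" -servername "$host" \
                 -cipher 'ECDHE:DHE' </dev/null 2>/dev/null | negotiated_cipher)
    if is_pfs_cipher "$cipher"; then
        echo "$host:$port supports PFS (negotiated $cipher)"
        return 0
    else
        echo "$host:$port did not negotiate a forward-secret cipher (got ${cipher:-nothing})"
        return 1
    fi
}

# Usage: pfs_check makandra.com 443
```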

Posted by Thomas Eisenbarth to makandra dev (2014-04-09 13:42)