Posted almost 6 years ago. Visible to the public.

Test whether Perfect Forward Secrecy (PFS) is enabled on a server (using OpenSSL)

Use the following command to test if a server (in this example: makandra.com on port 443) uses Perfect Forward Secrecy (PFS):

openssl s_client -connect makandra.com:443 -cipher ECDHE-RSA-RC4-SHA

You should see something like the following:

~ > openssl s_client -connect projecthero.com:443 -cipher ECDHE-RSA-RC4-SHA
CONNECTED(00000003)
depth=1 O = AlphaSSL, CN = AlphaSSL CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/OU=Domain Control Validated/CN=www.projecthero.com
   i:/O=AlphaSSL/CN=AlphaSSL CA - G2
...

Note that OpenSSL keeps the connection open if PFS is supported.

If the server does not support PFS, the output looks like this:

~ > openssl s_client -connect localhost:443 -cipher ECDHE-RSA-RC4-SHA
CONNECTED(00000003)
140293946562208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 127 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

… and OpenSSL exits.
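As an added example (not part of the original card), the following POSIX shell script wraps the check above and classifies the `s_client` output automatically instead of relying on whether the connection stays open. It assumes a current OpenSSL build, which no longer ships the RC4 suite used above, so it requests the ECDHE and DHE key-exchange families instead; the embedded sample outputs are constructed, trimmed versions of the two cases shown on the card.

```shell
#!/bin/sh
# Added example, not from the original card. Classifies `openssl s_client`
# output as "pfs" / "no-pfs" and wraps the live check.
# Assumption: a current OpenSSL without RC4, so we request the ephemeral
# key-exchange families (ECDHE, DHE) rather than one RC4 cipher suite.

PFS_CIPHERS='ECDHE:DHE'

# Constructed sample outputs (trimmed), one per case shown on the card.
SAMPLE_PFS='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit'
SAMPLE_NO_PFS='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# pfs_verdict: read s_client output on stdin, print "pfs" and return 0 when
# an ephemeral key exchange was negotiated, else print "no-pfs" and return 1.
pfs_verdict() {
  # Summary line is "New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256"
  # on success and "New, (NONE), Cipher is (NONE)" after a handshake failure.
  summary=$(sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
  proto=${summary%% *}
  cipher=${summary#* }
  case "$cipher" in
    ''|'(NONE)') echo no-pfs; return 1 ;;   # no handshake, or no summary line
  esac
  # TLS 1.3 has no non-ephemeral key exchange, so any TLS 1.3 suite is PFS.
  if [ "$proto" = TLSv1.3 ]; then echo pfs; return 0; fi
  case "$cipher" in
    ECDHE-*|DHE-*|EDH-*) echo pfs; return 0 ;;   # ephemeral (EC)DH suite
    *)                   echo no-pfs; return 1 ;; # static RSA or other exchange
  esac
}

# check_pfs HOST [PORT]: run the handshake and print the verdict (needs network).
# </dev/null closes stdin so s_client exits instead of staying open, which it
# otherwise does on success, as the card notes.
check_pfs() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" \
    -cipher "$PFS_CIPHERS" </dev/null 2>&1 | pfs_verdict
}
# Offline demo: printf '%s\n' "$SAMPLE_NO_PFS" | pfs_verdict   # prints no-pfs
```

`check_pfs makandra.com` runs the live check; the exit status (0 for PFS, 1 otherwise) makes it usable from a monitoring job.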


Owner of this card: Thomas Eisenbarth (last edit: almost 6 years ago)
Posted by Thomas Eisenbarth to makandra dev