Test whether Perfect Forward Secrecy (PFS) is enabled on a server (using OpenSSL)
Use the following command to test if a server (in this example: makandra.com on port 443) uses Perfect Forward Secrecy (PFS):
openssl s_client -connect makandra.com:443 -cipher ECDHE-RSA-RC4-SHA
You should see something like the following:
~ > openssl s_client -connect projecthero.com:443 -cipher ECDHE-RSA-RC4-SHA
CONNECTED(00000003)
depth=1 O = AlphaSSL, CN = AlphaSSL CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/OU=Domain Control Validated/CN=www.projecthero.com
   i:/O=AlphaSSL/CN=AlphaSSL CA - G2
...
Note that OpenSSL keeps the connection open if PFS is supported: after a successful handshake, s_client waits for you to type data to send. End it with Ctrl-C (or run the command with </dev/null so it exits right after the handshake).
In case the server does not support PFS, it looks like this:
~ > openssl s_client -connect localhost:443 -cipher ECDHE-RSA-RC4-SHA
CONNECTED(00000003)
140293946562208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 127 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
... and OpenSSL exits. The "sslv3 alert handshake failure" only tells you that the server rejected the one cipher suite the client offered. ECDHE-RSA-RC4-SHA uses RC4, which current servers disable regardless of their ECDHE support, so a failure with this exact suite can mean "no RC4" rather than "no PFS"; repeat the check with a modern ECDHE suite (or the OpenSSL cipher list ECDHE) before drawing a conclusion.
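The same check as a small script, added here as an example and not part of the original card. It generalizes the card's idea in two ways: the client offers every ECDHE and DHE suite the local OpenSSL knows (cipher list ECDHE:DHE) instead of the single RC4 suite, so a rejection really means no forward-secret key exchange, and the verdict is read from the "Cipher is" line of the s_client transcript rather than from whether the process stays open. The function and sample names (pfs_from_output, check_pfs, the SAMPLE_* transcripts) are this example's own; the transcripts are constructed and abridged, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original card: classify an openssl s_client
# transcript as "pfs", "no-pfs" or "failed", plus a wrapper that offers only
# forward-secret key exchange to a live server.

# pfs_from_output reads an s_client transcript on stdin and prints:
#   pfs     handshake completed with an ephemeral (ECDHE/DHE) suite or a TLS 1.3 suite
#   no-pfs  handshake completed, but with static RSA or static ECDH key exchange
#   failed  no cipher negotiated (the "Cipher is (NONE)" case shown on the card)
pfs_from_output() {
    # s_client reports the negotiated suite on its "New, <proto>, Cipher is X" line.
    cipher=$(sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)")              echo "failed" ;;
        ECDHE-*|DHE-*)            echo "pfs" ;;     # TLS <= 1.2 ephemeral suites
        TLS_AES_*|TLS_CHACHA20_*) echo "pfs" ;;     # TLS 1.3 suites are always forward secret
        *)                        echo "no-pfs" ;;  # e.g. AES128-SHA, ECDH-RSA-* (static ECDH)
    esac
}

# check_pfs HOST [PORT] runs the live check. Unlike the card's single
# ECDHE-RSA-RC4-SHA suite (rejected by current servers because of RC4, not
# because of ECDHE), it offers every ECDHE and DHE suite the local OpenSSL
# knows; "ECDHE:DHE" is OpenSSL cipher-list syntax. TLS 1.3 suites are offered
# regardless of -cipher, which is fine since they are forward secret anyway.
# </dev/null makes s_client exit after the handshake instead of waiting for input.
check_pfs() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cipher 'ECDHE:DHE' </dev/null 2>&1 | pfs_from_output
}

# Constructed, abridged transcripts in the shape s_client prints them
# (sample data for the classifier, not captured from a real host).
SAMPLE_PFS='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit'

SAMPLE_NOPFS='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is AES128-SHA
Server public key is 2048 bit'

SAMPLE_FAIL='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# classify_sample NAME prints the verdict for one of the constructed transcripts.
classify_sample() {
    case "$1" in
        pfs)   printf '%s\n' "$SAMPLE_PFS"   | pfs_from_output ;;
        nopfs) printf '%s\n' "$SAMPLE_NOPFS" | pfs_from_output ;;
        fail)  printf '%s\n' "$SAMPLE_FAIL"  | pfs_from_output ;;
    esac
}

# Usage: sh pfs_check.sh HOST [PORT]   -> live check against HOST
#        sh pfs_check.sh               -> runs the classifier over the samples
if [ "$#" -ge 1 ]; then
    check_pfs "$1" "$2"
else
    for s in pfs nopfs fail; do
        printf '%s: %s\n' "$s" "$(classify_sample "$s")"
    done
fi
```

Run without arguments to see the three sample verdicts; with a host name it performs the live check. A "failed" verdict from check_pfs means the server could not agree on any ephemeral suite with your OpenSSL, so it is worth checking which TLS versions and suites your local build supports (openssl ciphers -v 'ECDHE:DHE') before blaming the server.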