Posted over 6 years ago. Visible to the public.

Test whether Perfect Forward Secrecy (PFS) is enabled on a server (using OpenSSL)

Use the following command to test if a server (in this example: makandra.com on port 443) uses Perfect Forward Secrecy (PFS):

openssl s_client -connect makandra.com:443 -cipher ECDHE-RSA-RC4-SHA

You should see something like the following:

~ > openssl s_client -connect projecthero.com:443 -cipher ECDHE-RSA-RC4-SHA
CONNECTED(00000003)
depth=1 O = AlphaSSL, CN = AlphaSSL CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/OU=Domain Control Validated/CN=www.projecthero.com
   i:/O=AlphaSSL/CN=AlphaSSL CA - G2
...

Note that OpenSSL keeps the connection open if PFS is supported: the handshake succeeded even though the client offered only an ECDHE (ephemeral key exchange) cipher suite.

In case the server does not support PFS, it looks like this:

~ > openssl s_client -connect localhost:443 -cipher ECDHE-RSA-RC4-SHA
CONNECTED(00000003)
140293946562208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 127 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

... and OpenSSL exits.
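As an added example (not part of the original card), here is a small POSIX shell script that wraps the check above and turns the two outcomes into a machine-readable result. The function names `pfs_probe` and `pfs_classify` are this example's own. It deliberately offers the server the whole ECDHE/DHE group (`-cipher 'ECDHE:DHE'`) instead of the single `ECDHE-RSA-RC4-SHA` suite used in the card: RC4 suites are disabled by default in OpenSSL 1.1.0 and later and refused by current servers, so the RC4 probe would report "no PFS" against any modern host regardless of its real configuration. If the server selects TLS 1.3 the `-cipher` list does not apply, but every TLS 1.3 suite uses ephemeral key exchange, so a `TLS_...` cipher in the output counts as PFS as well.

```shell
#!/bin/sh
# Added example, not from the original card: probe a host with an
# ECDHE/DHE-only cipher list and classify the s_client output.
# The names pfs_probe and pfs_classify are this example's own.

# pfs_classify TEXT
# Decide from captured s_client output whether a forward-secret suite was
# negotiated. Prints pfs / no-pfs / unknown; exit status is 0 only for pfs.
pfs_classify() {
  case "$1" in
    # Handshake refused: none of the offered ECDHE/DHE suites was acceptable.
    *"Cipher is (NONE)"*|*"handshake failure"*)
      echo "no-pfs"; return 1 ;;
    # TLS 1.2 ephemeral suites, or any TLS 1.3 suite (all are ephemeral).
    *"Cipher is ECDHE-"*|*"Cipher is DHE-"*|*"Cipher is TLS_"*)
      echo "pfs"; return 0 ;;
    *)
      echo "unknown"; return 2 ;;
  esac
}

# pfs_probe HOST [PORT]
# Same check as the card, but offering the whole ECDHE/DHE group rather than
# one RC4 suite (RC4 is disabled by default since OpenSSL 1.1.0, so the RC4
# probe alone would say "no-pfs" for every modern server).
# stdin comes from /dev/null so s_client exits after the handshake instead
# of keeping the connection open.
pfs_probe() {
  host=$1
  port=${2:-443}
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -cipher 'ECDHE:DHE' </dev/null 2>&1) || true
  pfs_classify "$out"
}

# Usage: sh check_pfs.sh makandra.com 443
if [ "$#" -ge 1 ]; then
  pfs_probe "$@"
fi
```

The classifier is kept separate from the network call so the output of an earlier `openssl s_client` run (or the two transcripts on this card) can be fed to it directly; `-servername` is passed so that name-based virtual hosts return their real certificate and cipher configuration rather than the default site's.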

Posted by Thomas Eisenbarth to makandra dev