Posted about 8 years ago. Visible to the public.

Test whether Perfect Forward Secrecy (PFS) is enabled on a server (using OpenSSL)

Use the following command to test if a server (in this example: on port 443) uses Perfect Forward Secrecy (PFS):

openssl s_client -connect -cipher ECDHE-RSA-RC4-SHA

You should see something like the following:

~ > openssl s_client -connect -cipher ECDHE-RSA-RC4-SHA CONNECTED(00000003) depth=1 O = AlphaSSL, CN = AlphaSSL CA - G2 verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=DE/OU=Domain Control Validated/ i:/O=AlphaSSL/CN=AlphaSSL CA - G2 ...

Note that OpenSSL keeps the connection open if PFS is supported.

In case the server does not support PFS, it looks like this:

~ > openssl s_client -connect localhost:443 -cipher ECDHE-RSA-RC4-SHA CONNECTED(00000003) 140293946562208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 127 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE ---

... and OpenSSL exits.

Does your version of Ruby on Rails still receive security updates?
Rails LTS provides security patches for unsupported versions of Ruby on Rails (2.3, 3.2, 4.2 and 5.2).

Owner of this card:

Thomas Eisenbarth
Last edit:
about 8 years ago
About this deck:
We are makandra and do test-driven, agile Ruby on Rails software development.
License for source code
Posted by Thomas Eisenbarth to makandra dev
This website uses short-lived cookies to improve usability.
Accept or learn more