Test whether Perfect Forward Secrecy (PFS) is enabled on a server (using OpenSSL)

Use the following command to test if a server (in this example: makandra.com on port 443) uses Perfect Forward Secrecy (PFS):

openssl s_client -connect makandra.com:443 -cipher ECDHE-RSA-RC4-SHA

You should see something like the following:

~ > openssl s_client -connect projecthero.com:443 -cipher ECDHE-RSA-RC4-SHA
CONNECTED(00000003)
depth=1 O = AlphaSSL, CN = AlphaSSL CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/OU=Domain Control Validated/CN=www.projecthero.com
   i:/O=AlphaSSL/CN=AlphaSSL CA - G2
...

Note that OpenSSL keeps the connection open if PFS is supported.

In case the server does not support PFS, it looks like this:

~ > openssl s_client -connect localhost:443 -cipher ECDHE-RSA-RC4-SHA
CONNECTED(00000003)
140293946562208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 127 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

... and OpenSSL exits.

Thomas Eisenbarth Almost 10 years ago