23

My understanding is that during SSL negotiation, the client (i.e. curl) sends a list of ciphers to the server, and the server replies with its preferred choice.

How do I see the list of ciphers that curl is sending?

Anthon
Benubird

3 Answers

25

There is a website that offers curl cipher request detection as a service:

curl https://www.howsmyssl.com/a/check

However, it does not accept all ciphers - if one of the ciphers they accept is not on the list that your curl is sending, then you will not be able to get a response at all.

Zombo
Benubird
3

You can use Wireshark. For example, if you set a packet filter of "tcp port 443" and then set the display filter to "ssl", you'll get output like this:

[Image: Wireshark screenshot showing Client Hello of TLS]

You can see that the "Client Hello" packet shows cipher suites like TLS_AES_128_GCM_SHA256.

Matthias Braun
Daniel Walker
0

This answer [1] is a good start, but it glosses over how to actually create a self-signed certificate, and the answer doesn't work without that part. Further, the article [2] they link to with instructions on how to create a self-signed certificate is using OpenSSL, which is good for some purposes, but maybe not ideal for creating a self-signed certificate, as it makes the process harder than it needs to be. To that end, I found another tool [3], that's much simpler:

generate_cert -host localhost

It's just a single file written in Go, with no external dependencies. After you run the above command, you can then use OpenSSL or similar to start a server:

openssl s_server -msg -accept 8080 -cert cert.pem -key key.pem 

Then make a request like this:

curl -k https://localhost:8080

  1. https://unix.stackexchange.com/a/667824
  2. https://netburner.com/learn/creating-a-self-signed-certificate-for-secure-iot-applications
  3. https://github.com/golang/go/blob/go1.17.4/src/crypto/tls/generate_cert.go
Zombo
  • Generating a self-signed cert is as "easy" as `openssl req -x509 -subj /CN=example.com -nodes -out cert.pem -keyout key.pem`. For some reason the linked answer was deleted, but is at https://web.archive.org/web/20220518165811/https://unix.stackexchange.com/questions/208412/how-to-see-list-of-curl-ciphers#answer-667824 – mwfearnley Jul 03 '23 at 16:37
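
The cipher list that Wireshark and `openssl s_server -msg` display sits in the Client Hello before any encryption starts, so it can be read without a certificate at all. The sketch below is an added example, not code from any of the answers: the function names, the listener on port 8080 and the sample bytes are assumptions chosen for illustration, and the name table is only a small excerpt of the IANA registry.

```python
import socket
import struct

# Partial IANA cipher-suite registry; anything not listed is shown as hex.
NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def client_hello_ciphers(data: bytes) -> list[str]:
    """Return the cipher suites offered in a ClientHello, in client order."""
    if data[:1] == b"\x16":            # TLS record header present: skip 5 bytes
        data = data[5:]
    if data[:1] != b"\x01":
        raise ValueError("not a ClientHello handshake message")
    pos = 4                            # handshake type (1) + length (3)
    pos += 2 + 32                      # legacy_version + random
    pos += 1 + data[pos]               # session_id length byte + session_id
    (n,) = struct.unpack_from("!H", data, pos)   # cipher_suites byte length
    pos += 2
    if n % 2 or pos + n > len(data):
        raise ValueError("truncated or malformed cipher_suites vector")
    ids = struct.unpack_from(f"!{n // 2}H", data, pos)
    return [NAMES.get(i, f"0x{i:04X}") for i in ids]

def capture_once(port: int = 8080) -> list[str]:
    """Accept one TCP connection and parse the first bytes the client sends.

    The cipher list is near the start of the ClientHello, so one read is
    normally enough even when the full message spans several segments.
    """
    with socket.create_server(("127.0.0.1", port)) as srv:
        conn, _ = srv.accept()
        with conn:
            return client_hello_ciphers(conn.recv(16384))

# Constructed sample: record header + ClientHello offering four suites.
SAMPLE = bytes.fromhex(
    "1603010033" "0100002f" "0303" + "00" * 32 + "00"
    "0008" "1301" "1302" "c02f" "00ff" "0100"
)

if __name__ == "__main__":
    print("\n".join(client_hello_ciphers(SAMPLE)))
```

To see curl's own list, call `capture_once()` in one terminal and run `curl -k https://localhost:8080` in another; curl reports a failed handshake because the listener never answers, but its offered suites have already been read.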