The OpenSSL command-line tool

To identify the cipher suites negotiated by a remote web server, you can use the OpenSSL command-line tool, which comes preinstalled on all major Linux distributions, including Kali Linux. The tool lets you exercise the various functions of the OpenSSL library directly from the bash shell without writing any code, and it doubles as a troubleshooting tool.

OpenSSL is a well-known library used on Linux to implement the SSL/TLS protocols, while Secure Channel (Schannel) provides the same functionality on Windows.

The following example uses the s_client command-line option, which establishes a connection to the remote server using SSL/TLS. The output is difficult for a newbie to interpret, but it is useful for identifying the TLS/SSL version and the cipher suite agreed upon between the server and the client:

The OpenSSL utility offers various command-line options for testing the server with specific SSL versions and cipher suites. In the following example, we are trying to connect using TLS version 1.2 and a weak algorithm, RC4:

openssl s_client -tls1_2 -cipher 'ECDHE-RSA-AES256-SHA' -connect <target>:<port>

The following screenshot shows the output of the command. Since the client could not negotiate the ECDHE-RSA-AES256-SHA cipher suite, the handshake failed and no cipher was selected:

In the following screenshot, we try to negotiate a weak encryption algorithm with the server. It fails, as Google has rightly disabled the weak cipher suites on its server:

To find the cipher suites that are easily breakable with the computing power available today, enter the command shown in the following screenshot:

You will often see cipher suites written as ECDHE-RSA-RC4-MD5. The name breaks down into the following parts:

  • ECDHE: the key exchange algorithm
  • RSA: the authentication algorithm
  • RC4: the encryption algorithm
  • MD5: the hashing (MAC) algorithm

A comprehensive list of SSL and TLS cipher suites can be found at https://www.openssl.org/docs/apps/ciphers.html.
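The naming format above can be checked mechanically. The following Python script is an added example, not code from the original chapter: it splits OpenSSL-style suite names into the four parts described above and flags the components a defender would want disabled (RC4, MD5, export grades, anonymous or static key exchange). The token sets are an assumed subset of OpenSSL's naming vocabulary, and the sample suite list is constructed.

```python
"""Split OpenSSL cipher-suite names into KEX-AUTH-ENC-MAC and flag weak parts."""

# Token sets for each position of the name (an assumed subset of OpenSSL's vocabulary).
# OpenSSL omits the KEX and AUTH tokens when both are RSA, so "AES256-SHA" is RSA/RSA.
KEX_TOKENS = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "RSA", "PSK", "SRP", "ADH", "AECDH"}
AUTH_TOKENS = {"RSA", "ECDSA", "DSS", "PSK"}
MAC_TOKENS = {"MD5", "SHA", "SHA256", "SHA384"}   # for AEAD suites this is the PRF hash
WEAK_CIPHERS = ("NULL", "RC4", "RC2", "DES", "IDEA", "SEED")  # encryption-name prefixes


def parse_suite(name):
    """Return the four parts of an OpenSSL-style name plus a list of problems."""
    tokens = name.upper().split("-")
    export = tokens[0] == "EXP"               # export-grade (40/56-bit) suite
    if export:
        tokens = tokens[1:]
    mac = tokens.pop() if tokens and tokens[-1] in MAC_TOKENS else "AEAD"
    kex = tokens.pop(0) if tokens and tokens[0] in KEX_TOKENS else "RSA"
    auth = tokens.pop(0) if tokens and tokens[0] in AUTH_TOKENS else kex
    if kex in ("ADH", "AECDH"):               # anonymous DH: no party is authenticated
        auth = "anon"
    enc = "-".join(tokens)
    problems = []
    if export:
        problems.append("export-grade key length")
    if auth == "anon":
        problems.append("no server authentication")
    if kex in ("RSA", "DH", "ECDH"):          # static key exchange
        problems.append("no forward secrecy")
    if enc.startswith(WEAK_CIPHERS):
        problems.append(f"weak cipher {enc}")
    if mac == "MD5":
        problems.append("MD5 MAC")
    elif mac == "SHA":
        problems.append("SHA-1 MAC (legacy)")
    return {"kex": kex, "auth": auth, "enc": enc, "mac": mac, "problems": problems}


def weak_suites(names):
    """Map every suite with at least one problem to its problems; others are dropped."""
    return {n: p for n in names if (p := parse_suite(n)["problems"])}


if __name__ == "__main__":
    # Constructed sample in the colon-separated format that `openssl ciphers` prints.
    sample = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-MD5:DES-CBC3-SHA:EXP-RC4-MD5"
    for name, problems in weak_suites(sample.split(":")).items():
        print(f"{name:30} {', '.join(problems)}")
```

Feed it the output of `openssl ciphers` (split on `:`) to see which suites a server you administer should stop offering.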
