My understanding is that during ssl negotiation, the client (i.e. curl) sends a list of ciphers to the server, and the server replies with its preferred choice.
How do I see the list of ciphers that curl is sending?
Add a comment
|
3 Answers
There is a website that offers curl cipher request detection as a service:
curl https://www.howsmyssl.com/a/check
However, it does not accept all ciphers - if one of the ciphers they accept is not on the list that your curl is sending, then you will not be able to get a response at all.
You can use Wireshark. For example, if you set a packet filter of "tcp port 443" and then set the display filter to "ssl", you'll get output like this:
You can see that the "Client Hello" packet shows cipher suites like TLS_AES_128_GCM_SHA256.
answered Dec 8, 2021 at 3:14
This answer [1] is a good start, but it glosses over how to actually create a self-signed certificate, and the answer doesnt work without that part. Further, the article [2] they link to with instruction on how to create a self-signed certificate is using OpenSSL, which is good for some purposes, but maybe not ideal for creating a self-signed certificate, as it makes the process harder than it needs to be. To that end, I found another tool [3], thats much simpler:
generate_cert -host localhost
Its just a single file written in Go, with no external dependencies. After you run the above command, you can then use OpenSSL or similar to start a server:
openssl s_server -msg -accept 8080 -cert cert.pem -key key.pem
Then make a request like this:
curl -k https://localhost:8080
-
Generating a self-signed cert is as "easy" as
openssl req -x509 -subj /CN=example.com -nodes -out cert.pem -keyout key.pem. For some reason the linked answer was deleted, but is at web.archive.org/web/20220518165811/https://…mwfearnley– mwfearnley2023-07-03 16:37:32 +00:00Commented Jul 3, 2023 at 16:37