Enumerate TLS cipher suite support
cipher-scan · command · setup
mikemackintosh/gilfoyle
What it does
Enumerate cipher suites supported by remote TLS server
Best for
Security teams auditing TLS server configurations for compliance and known vulnerabilities.
Inputs
- Hostname or hostname:port (default port 443)
Outputs
- Supported cipher suites grouped by strength (Strong/Acceptable/Weak/Insecure)
- Per-cipher: TLS version, key exchange, AEAD/MAC, security rating
- Vulnerability flags (BEAST, POODLE, Sweet32, ROBOT if applicable)
Requires
- OpenSSL
- nmap (optional, ssl-enum-ciphers script)
Preconditions
- Hostname resolvable
- TLS port reachable
- OpenSSL installed
Failure modes
- Timeout on cipher enumeration: falls back to Method 2 (per-protocol overview) instead of Method 1 (per-cipher test)
- Server unreachable: clear error message (hostname/port mismatch)
- Self-signed cert: OpenSSL still reports ciphers (s_client does not abort on certificate verification failure by default)
Trust signals
- Multiple methods offered (per-cipher, per-protocol, nmap) for speed/depth tradeoff
- Vulnerability references (BEAST/POODLE/Sweet32/ROBOT) with CVSS context
- Forward secrecy emphasis (ECDHE/DHE preferred)