How to check your SSL ciphers to make sure they don't accept SSLv3 or TLSv1.1

Last Modified: Feb 8, 2020, 3:45 pm
If you're trying to become PCI compliant, one common check they do is to see if any of your SSL connections are using SSLv3.

If you want to check your own setup first to ensure it will pass this check, you can use the command:

openssl s_client -port 2222 -host <hostname> -tls1_1

where you replace the port, <hostname> and the protocol option with the respective values you're trying to test.  In the above example, we're checking DA on port 2222 locally, but a remote check to anywhere else, with any port, can be used.

The above code will produce some output.  If SSLv3 is not allowed in that connection (which is good), then you'll see about 3 to 7 lines of output, and the last line will show:

140506571089736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140506571089736:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

Basically, it will throw some kind of error.

If the connection worked (bad if testing for -ssl3), then you'll see a full page of output, including all certificate information, as well as the certificate itself.

Some services like exim use TLS for their SSL connection.  In that case, you'd use -tls1, -tls1_1, or -tls1_2 to test for the various TLS versions, instead of -ssl3.
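
The check described above can be scripted so that each protocol flag is tried in turn and the s_client output is classified for you. This is an added example, not part of the original helpfile or of DirectAdmin; the function names are hypothetical, and the rule it applies (certificate dumped means accepted, an ":error:" line means rejected) is taken from the output described on this page.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output per protocol flag.
# Function names are hypothetical (not from the helpfile).

# classify_handshake: read s_client output on stdin and print one of
#   accepted     - handshake completed and the server certificate was printed
#   rejected     - OpenSSL reported an error (e.g. "handshake failure")
#   inconclusive - neither marker seen (e.g. the local openssl build does
#                  not recognise the flag, so nothing was actually tested)
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"-----BEGIN CERTIFICATE-----"*) echo accepted ;;
        *":error:"*)                     echo rejected ;;
        *)                               echo inconclusive ;;
    esac
}

# check_protocol HOST PORT FLAG: run one test. stdin is closed so that
# s_client exits after the handshake instead of waiting for input.
check_protocol() {
    openssl s_client -host "$1" -port "$2" "$3" </dev/null 2>&1 | classify_handshake
}

# scan_protocols HOST PORT: print one "flag result" line per protocol flag
# named on this page.
scan_protocols() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%s %s\n' "$flag" "$(check_protocol "$1" "$2" "$flag")"
    done
}

# Sample inputs for offline checking. The error line is the one shown on
# this page; the CONNECTED line and the accepted sample are constructed.
SAMPLE_REJECTED='CONNECTED(00000003)
140506571089736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40'
SAMPLE_ACCEPTED='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----'

# Run a live scan only when a host and port are given on the command line.
if [ "$#" -eq 2 ]; then scan_protocols "$1" "$2"; fi
```

An "inconclusive" result for -ssl3 says nothing about the server: rerun the test with an openssl binary that accepts that flag before treating the protocol as disabled.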

To set ciphers for the services, see this guide:

Related Helpfiles
Setting up DA with an SSL certificate
Current SSL cipher lists for DirectAdmin servers
