Here's a handy tool to double-check the SSL configuration of your web server. You have the host stood up and an SSL certificate deployed, but you're not quite sure which protocol versions and cipher suites the server is actually offering. Enter sslyze, a cross-platform utility written in Python. Simply download the code from http://code.google.com/p/sslyze/, extract the archive and run it from the command line.
I set up a generic web server running a self-signed certificate to test it out. Oddly enough, the cert is listed as not trusted. I found that running it without root permissions resulted in a lot of permission errors and it didn't execute. Once I added sudo to the mix, it worked very well and very fast.
sudo python sslyze.py --regular 192.168.1.99:443
Password:
REGISTERING AVAILABLE PLUGINS
-----------------------------
PluginCertInfo - OK
PluginOpenSSLCipherSuites - OK
PluginSessionRenegotiation - OK
PluginSessionResumption - OK
CHECKING HOST(S) AVAILABILITY
-----------------------------
192.168.1.99:443 => 192.168.1.99:443
SCAN RESULTS FOR 192.168.1.99:443 - 192.168.1.99:443
----------------------------------------------------
* Session Renegotiation :
Client-initiated Renegotiations: Rejected
Secure Renegotiation: Supported
* Session Resumption :
Using SSLv3 Session IDs: Supported
Using TLSv1 Session Tickets: Supported
Using TLSv1 Session IDs: Supported
* SSLV2 Cipher Suites :
Cipher Suite: SSL Handshake: HTTP GET:
DES-CBC3-MD5 168bits Preferred 200 OK
RC4-MD5 128bits Accepted 200 OK
RC2-CBC-MD5 128bits Accepted 200 OK
EXP-RC4-MD5 40bits Accepted 200 OK
EXP-RC2-CBC-MD5 40bits Accepted 200 OK
DES-CBC-MD5 56bits Accepted 200 OK
* SSLV3 Cipher Suites :
Cipher Suite: SSL Handshake: HTTP GET:
DHE-RSA-AES256-SHA 256bits Preferred 200 OK
RC4-SHA 128bits Accepted 200 OK
RC4-MD5 128bits Accepted 200 OK
EXP-RC4-MD5 40bits Accepted 200 OK
EXP-RC2-CBC-MD5 40bits Accepted 200 OK
EXP-EDH-RSA-DES-CBC-SHA 40bits Accepted 200 OK
EXP-DES-CBC-SHA 40bits Accepted 200 OK
EDH-RSA-DES-CBC3-SHA 168bits Accepted 200 OK
EDH-RSA-DES-CBC-SHA 56bits Accepted 200 OK
DHE-RSA-AES128-SHA 128bits Accepted 200 OK
DES-CBC3-SHA 168bits Accepted 200 OK
DES-CBC-SHA 56bits Accepted 200 OK
AES256-SHA 256bits Accepted 200 OK
AES128-SHA 128bits Accepted 200 OK
SEED-SHA Rejected - SSL Alert N/A
NULL-SHA Rejected - SSL Alert N/A
NULL-MD5 Rejected - SSL Alert N/A
EXP-EDH-DSS-DES-CBC-SHA Rejected - SSL Alert N/A
EXP-ADH-RC4-MD5 Rejected - SSL Alert N/A
EXP-ADH-DES-CBC-SHA Rejected - SSL Alert N/A
EDH-DSS-DES-CBC3-SHA Rejected - SSL Alert N/A
EDH-DSS-DES-CBC-SHA Rejected - SSL Alert N/A
DHE-RSA-SEED-SHA Rejected - SSL Alert N/A
DHE-DSS-SEED-SHA Rejected - SSL Alert N/A
DHE-DSS-AES256-SHA Rejected - SSL Alert N/A
DHE-DSS-AES128-SHA Rejected - SSL Alert N/A
ADH-SEED-SHA Rejected - SSL Alert N/A
ADH-RC4-MD5 Rejected - SSL Alert N/A
ADH-DES-CBC3-SHA Rejected - SSL Alert N/A
ADH-DES-CBC-SHA Rejected - SSL Alert N/A
ADH-AES256-SHA Rejected - SSL Alert N/A
ADH-AES128-SHA Rejected - SSL Alert N/A
* TLSV1 Cipher Suites :
Cipher Suite: SSL Handshake: HTTP GET:
DHE-RSA-AES256-SHA 256bits Preferred 200 OK
RC4-SHA 128bits Accepted 200 OK
RC4-MD5 128bits Accepted 200 OK
EXP-RC4-MD5 40bits Accepted 200 OK
EXP-RC2-CBC-MD5 40bits Accepted 200 OK
EXP-EDH-RSA-DES-CBC-SHA 40bits Accepted 200 OK
EXP-DES-CBC-SHA 40bits Accepted 200 OK
EDH-RSA-DES-CBC3-SHA 168bits Accepted 200 OK
EDH-RSA-DES-CBC-SHA 56bits Accepted 200 OK
DHE-RSA-AES128-SHA 128bits Accepted 200 OK
DES-CBC3-SHA 168bits Accepted 200 OK
DES-CBC-SHA 56bits Accepted 200 OK
AES256-SHA 256bits Accepted 200 OK
AES128-SHA 128bits Accepted 200 OK
SEED-SHA Rejected - SSL Alert N/A
NULL-SHA Rejected - SSL Alert N/A
NULL-MD5 Rejected - SSL Alert N/A
EXP-EDH-DSS-DES-CBC-SHA Rejected - SSL Alert N/A
EXP-ADH-RC4-MD5 Rejected - SSL Alert N/A
EXP-ADH-DES-CBC-SHA Rejected - SSL Alert N/A
EDH-DSS-DES-CBC3-SHA Rejected - SSL Alert N/A
EDH-DSS-DES-CBC-SHA Rejected - SSL Alert N/A
DHE-RSA-SEED-SHA Rejected - SSL Alert N/A
DHE-DSS-SEED-SHA Rejected - SSL Alert N/A
DHE-DSS-AES256-SHA Rejected - SSL Alert N/A
DHE-DSS-AES128-SHA Rejected - SSL Alert N/A
ADH-SEED-SHA Rejected - SSL Alert N/A
ADH-RC4-MD5 Rejected - SSL Alert N/A
ADH-DES-CBC3-SHA Rejected - SSL Alert N/A
ADH-DES-CBC-SHA Rejected - SSL Alert N/A
ADH-AES256-SHA Rejected - SSL Alert N/A
ADH-AES128-SHA Rejected - SSL Alert N/A
* Certificate :
Validation w/ Mozilla's CA Store: Certificate is NOT Trusted
Subject CN: testweb
Issuer: /C=US/ST=Utah/L=Layton/O=Foo/OU=Bar/CN=ssl.testdomain.com
Serial Number: BED13023A4F44702
Not before: Nov 30 04:17:55 2011 GMT
Not after: Nov 29 04:17:55 2012 GMT
Keysize: 1024 bits
Signature Algorithm: sha1WithRSAEncryption
Version: 1 (0x0)
SHA1 Fingerprint: AD1F472A0C43A77FBBA861476C0E740A5FA3516A
Number of Extensions: 0
SCAN COMPLETED IN 0.71 S
------------------------
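Because the report is plain text, it is easy to turn into a pass/fail check you can run after every scan. The following is an added example, not part of sslyze or of this post, that parses a constructed excerpt in the --regular output format shown above and flags the weak settings this scan exposed: SSLv2 enabled, export-grade, RC4, single-DES, MD5, NULL and anonymous suites, an untrusted certificate, a 1024-bit key and a SHA-1 signature. The weak-suite pattern list is this example's own choice, not something sslyze reports.

```python
import re
# Constructed excerpt of sslyze --regular output, in the same layout as the scan above
SAMPLE = """\
* SSLV2 Cipher Suites :
Cipher Suite: SSL Handshake: HTTP GET:
DES-CBC3-MD5 168bits Preferred 200 OK
EXP-RC4-MD5 40bits Accepted 200 OK
* TLSV1 Cipher Suites :
DHE-RSA-AES256-SHA 256bits Preferred 200 OK
RC4-SHA 128bits Accepted 200 OK
NULL-SHA Rejected - SSL Alert N/A
* Certificate :
Validation w/ Mozilla's CA Store: Certificate is NOT Trusted
Keysize: 1024 bits
Signature Algorithm: sha1WithRSAEncryption
"""

SECTION_RE = re.compile(r"^\* (\S+) Cipher Suites")
SUITE_RE = re.compile(r"^(\S+)\s+(\d+)bits\s+(Preferred|Accepted)")
# Substrings that mark a suite as weak (assumption: export, NULL, anonymous DH, RC4, single DES, MD5)
WEAK_PATTERNS = ("EXP-", "NULL", "ADH", "RC4", "DES-CBC-", "-MD5")

def parse_report(text):
    # Returns ({protocol: [(suite, bits), ...]} for accepted suites only, {cert field: value})
    accepted, cert, proto = {}, {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m: proto = m.group(1); accepted[proto] = []; continue
        if line.startswith("* Certificate"):
            proto = "CERT"; continue
        if proto == "CERT" and ": " in line:
            k, v = line.split(": ", 1); cert[k.strip()] = v.strip(); continue
        m = SUITE_RE.match(line)  # "Rejected" rows never match, so they are dropped
        if m and proto in accepted:
            accepted[proto].append((m.group(1), int(m.group(2))))
    return accepted, cert

def findings(text):
    # Weaknesses a defender would want to fix, judged from the parsed report
    accepted, cert = parse_report(text)
    out = ["SSLv2 enabled"] if accepted.get("SSLV2") else []
    for proto, suites in accepted.items():
        out += [f"{proto}: weak suite {s} ({b} bits)" for s, b in suites
                if b < 128 or any(p in s for p in WEAK_PATTERNS)]
    if "NOT Trusted" in cert.get("Validation w/ Mozilla's CA Store", ""):
        out.append("certificate not trusted by Mozilla CA store")
    if "Keysize" in cert and int(cert["Keysize"].split()[0]) < 2048:
        out.append("RSA key shorter than 2048 bits")
    if cert.get("Signature Algorithm", "").startswith("sha1"):
        out.append("certificate signed with SHA-1")
    return out
```

Feed it the real scan with `findings(open("scan.txt").read())` and treat a non-empty list as a failed check; 3DES suites are deliberately left alone here, so extend WEAK_PATTERNS if your policy excludes them too.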
Follow me on Twitter: @Jason_Wood