How to check openssl renegotiation and weak cipher vulnerability

Jephe Wu -
Environment: Apache httpd server with openssl
Objective: check renegotiation and weak cipher vulnerability and patch them

1. How to check if a website supports openssl renegotiation and weak cipher?
method 1: openssl s_client command
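use the openssl command that comes with CentOS 5.5, where <host>:<port> is a placeholder for the server to test:

openssl s_client -connect <host>:<port>
the output contains either 'Secure Renegotiation IS supported' or 'Secure Renegotiation IS NOT supported'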

use openssl ciphers to list all the ciphers available on the client Linux PC, then use the following commands to check whether the server supports a specific cipher:
openssl s_client -connect <host>:<port> -cipher LOW:EXP  - check whether it supports LOW or EXP ciphers; for what the LOW and EXP ciphers are, see
openssl s_client -connect <host>:<port> -cipher EXP-RC4-MD5 - check a specific cipher

openssl s_client -connect <host>:<port> -cipher MEDIUM
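
The method 1 checks as a script, added here as an example and not part of the original post: it classifies s_client output for renegotiation and for cipher acceptance. The function names, the constructed SAMPLE text and the host:port argument are assumptions.

```shell
#!/bin/sh
# Added example; function names and SAMPLE are assumptions, not from the post.
# s_client output on stdin -> supported | not-supported | not-applicable | unknown
reneg_status() {
    awk '/^New, TLSv1\.3,/ { t13 = 1 }   # TLS 1.3 has no renegotiation
         /Secure Renegotiation IS NOT supported/ { r = "not-supported" }
         /Secure Renegotiation IS supported/     { r = "supported" }
         END { if (t13) r = "not-applicable"; print (r == "" ? "unknown" : r) }'
}

# s_client output on stdin -> negotiated cipher, or "none" when the handshake
# failed ("New, (NONE), Cipher is (NONE)").
negotiated_cipher() {
    awk '/^New, .*Cipher is / { c = $NF }
         END { if (c == "" || c == "(NONE)") c = "none"; print c }'
}

# -cipher only constrains TLS 1.2 and below, so a negotiated TLS 1.3 suite
# (TLS_*) proves nothing about the cipher string that was requested.
cipher_verdict() {
    case $2 in
        none)  echo "$1: rejected" ;;
        TLS_*) echo "$1: inconclusive ($2 is a TLS 1.3 suite)" ;;
        *)     echo "$1: ACCEPTED ($2)" ;;
    esac
}

# Live probe of host:port ($1) with cipher string ($2). If the local openssl
# has no ciphers for the string, a failed handshake says nothing about the server.
probe_cipher() {
    if ! openssl ciphers "$2" >/dev/null 2>&1; then
        echo "$2: untestable from this client"; return 0
    fi
    out=$(openssl s_client -connect "$1" -cipher "$2" </dev/null 2>&1) || true
    cipher_verdict "$2" "$(printf '%s\n' "$out" | negotiated_cipher)"
}

# Constructed sample of s_client output (not captured from a real server).
SAMPLE='New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Secure Renegotiation IS NOT supported'

if [ "$#" -eq 1 ]; then          # usage: sh check.sh host:port
    out=$(openssl s_client -connect "$1" </dev/null 2>&1) || true
    echo "renegotiation: $(printf '%s\n' "$out" | reneg_status)"
    for spec in LOW:EXP MEDIUM; do probe_cipher "$1" "$spec"; done
else                             # offline demo on the constructed sample
    echo "renegotiation: $(printf '%s\n' "$SAMPLE" | reneg_status)"
    cipher_verdict LOW:EXP "$(printf '%s\n' "$SAMPLE" | negotiated_cipher)"
fi
```

Run without arguments it only processes the constructed sample; with one host:port argument it performs the live checks against that server.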

method 2: use public ssl database report

method 3: use a downloaded tool
download sslciphercheck from
then use sslciphercheck -h to check all supported ciphers

2. How to patch it
For the renegotiation vulnerability, you can upgrade to openssl 1.0a version.
For weak ciphers, you can use the following ciphersuite configuration in Apache


You can disable RC4 also, so it becomes:



1. you can list all ciphers the current openssl supports on the server:

/usr/local/ssl/bin/openssl ciphers | sed -e 's#:#\n#g' | sort
