How to verify that SSL cipher order is being enforced?
I'm running Apache 2.2.31 and I'm trying to get Perfect Forward Secrecy working. Using Qualys SSL Labs shows that pretty much everything except IE is using ciphers that can use forward secrecy.
I've verified that SSLHonorCipherOrder is set to on in the Apache configuration, but I'm wondering if there's a way to externally test that the cipher order is being enforced.
SSLLabs lists the supported ciphers in order of preference, and it matches what I specified in the config file.
For decent HTTPS configuration analysis you can use https://testssl.sh/ as well. It gives really high-quality information about the overall HTTPS state.
testssl https://yoursite.com
To check the configuration you asked about, search for the following check in the output:
Testing server preferences
Has server cipher order? nope (NOT ok)
or
Testing server preferences
Has server cipher order? yes (OK)
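As an added example (not part of the question or of either answer), the same comparison that testssl.sh's "Has server cipher order?" check performs, written with Python's ssl module: it finds two suites the server accepts on their own, offers them in both orders, and reports whether the server's pick changes. The candidate suite list is a constructed assumption; host and port come from the command line.

```python
import socket
import ssl
from typing import Optional

# Constructed list of OpenSSL cipher names to probe with; adjust to what your server is expected to offer.
CANDIDATES = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384",
              "AES128-SHA", "AES256-SHA"]

def negotiate(host: str, port: int, cipher_list: list[str], timeout: float = 5.0) -> Optional[str]:
    """Offer exactly cipher_list, in that order, and return the suite the server picked,
    or None if the handshake fails (e.g. none of the offered suites is supported)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3 suites
    ctx.check_hostname = False  # the probe only inspects the negotiated suite, not the identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(":".join(cipher_list))
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None

def judge(pick_xy: Optional[str], pick_yx: Optional[str], x: str, y: str) -> str:
    """Classify two handshakes that offered [x, y] and then [y, x]; x and y must each be
    supported on their own, or the 'server' verdict is a false positive."""
    if pick_xy is None or pick_yx is None:
        return "inconclusive"
    if pick_xy == pick_yx:
        return "server"  # same winner regardless of client order: cipher order enforced
    if pick_xy == x and pick_yx == y:
        return "client"  # winner follows the client's first choice: order not enforced
    return "inconclusive"

def check_server_order(host: str, port: int = 443) -> str:
    """Find two suites the server accepts individually, then offer them in both orders."""
    supported = [c for c in CANDIDATES if negotiate(host, port, [c]) == c]
    if len(supported) < 2:
        return "inconclusive"  # need two accepted suites to compare orderings
    x, y = supported[0], supported[1]
    return judge(negotiate(host, port, [x, y]), negotiate(host, port, [y, x]), x, y)

if __name__ == "__main__":
    import sys
    print(check_server_order(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A result of "server" corresponds to testssl.sh's "yes (OK)"; "client" means the server let the client's first choice win, which is what Apache does when SSLHonorCipherOrder is not in effect.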
An Nmap EnumCipher script will help you with this
nmap --script ssl-enum-ciphers -p
I have also set SSLHonorCipherOrder to on, but it shows "cipher preference: client".
I was looking for an answer while stumbling onto this old question.