Identifying the SSL version and cipher suite

Information Security tls
2021-08-22 10:53:43

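We have a Java application running on a Linux server, and we are using a third-party Java library to transfer some files; the library internally uses HTTPS to connect to an external server. These are legacy libraries, and we only have the .jar files.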

How can we determine which SSL/TLS version the library is using? Is there a way to monitor TCP traffic on my Linux machine to track the SSL headers?

3 Answers

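One of the methods I have used is to capture the network traffic from the Java application with Wireshark; see the documentation on capturing traffic. Once the traffic is captured, click Analyze -> Decode As -> Transport, select the port and choose SSL, then apply and save the settings. The captured traffic will be displayed as SSL. In the captured traffic, look for the response to the "client hello" message. This is where the SSL/TLS handshake is completed.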

Refer to the image below:

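The response to the "client hello" is the ServerHello, and it can also be read programmatically. The following is an added example, not part of the original answers: it parses raw server-to-client bytes (for instance a TCP stream saved from a capture) and reports the negotiated version and cipher suite, including the TLS 1.3 case where the real version is carried in the supported_versions extension. The function name, helper and sample bytes are constructed for illustration, and the parser assumes the ServerHello starts a record and is not fragmented.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
# Two suite IDs as listed in the testssl.sh output on this page, plus one TLS 1.3 suite.
CIPHERS = {0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
           0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
           0x1301: "TLS_AES_128_GCM_SHA256"}


def parse_server_hello(stream: bytes):
    """Return (version, cipher) from the first ServerHello in the stream, else None."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _rec_ver, rlen = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype != 22 or len(body) < 4 or body[0] != 2:  # want handshake/ServerHello
            continue
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        if len(hello) < 38 or len(hello) < 38 + hello[34]:  # truncated capture
            return None
        version = struct.unpack_from("!H", hello, 0)[0]     # legacy_version field
        off = 35 + hello[34]              # skip version, 32-byte random, session id
        cipher = struct.unpack_from("!H", hello, off)[0]
        off += 3                          # cipher suite (2) + compression method (1)
        if off + 2 <= len(hello):         # the extensions block is optional
            end = off + 2 + struct.unpack_from("!H", hello, off)[0]
            off += 2
            while off + 4 <= min(end, len(hello)):
                etype, elen = struct.unpack_from("!HH", hello, off)
                if etype == 43 and elen == 2:  # supported_versions: selected version
                    version = struct.unpack_from("!H", hello, off + 4)[0]
                off += 4 + elen
        return (VERSIONS.get(version, hex(version)), CIPHERS.get(cipher, hex(cipher)))
    return None


def make_record(msg_type: int, payload: bytes) -> bytes:
    """Wrap a handshake payload in a handshake header and a TLS record header."""
    hs = bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs

# Constructed sample messages (not captured traffic).
HELLO_HEAD = b"\x03\x03" + bytes(32) + b"\x00"  # legacy version, random, empty session id
TLS12_HELLO = make_record(2, HELLO_HEAD + b"\xc0\x2f\x00")
TLS13_HELLO = make_record(2, HELLO_HEAD + b"\x13\x01\x00\x00\x06\x00\x2b\x00\x02\x03\x04")

if __name__ == "__main__":
    print(parse_server_hello(TLS12_HELLO), parse_server_hello(TLS13_HELLO))
```

A TLS 1.3 ServerHello still carries 0x0303 (TLS 1.2) in its version field, so reading that field alone under-reports the negotiated version.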

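Please note: all tests from a remote client will always depend on the libraries on that client, so if you have an old openssl version on the client and want to test a new openssl version on the server, you will get results that are only valid for the client.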

openssl

The easiest way is to test via openssl s_client:

$ openssl s_client -host HOST -port PORT

-- output

... .oO( a lot of debug-output )Oo. ...


New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
  Protocol  : TLSv1.2
  Cipher    : ECDHE-RSA-AES128-GCM-SHA256

Via a script

There is a script called testssl.sh that may give you some insight into the SSL setup (you might need to modify it a little; I had to use /bin/bash instead of /bin/sh to get it working)

http://testssl.sh

-- output 


########################################################
testssl.sh v2.0pre  (http://software.drwetter.eu/ssl/)

Testing now (2014-02-24 22:40) ---> blah.org:443 <---
("blah.org" resolves to "12.34.56.78") 


--> Testing specific vulnerabilities

Renegotiation Vulnerability (CVE 2009-3555): **NOT vulnerable (ok)** 
CRIME Vulnerability (CVE-2012-4929): **NOT vulnerable (ok)  

--> Testing HTTP Header settings 

HSTS: **365 days (31536000 s)
Server banner: nginux

--> Testing (Perfect) Forward Secrecy  (P)FS) 
PFS seems generally available. Now testing specific ciphers

ECDHE-RSA-AES256-GCM-SHA384 [0xc030]: **works** 
ECDHE-RSA-AES128-GCM-SHA256 [0xc02f]: **works** 
ECDHE-RSA-AES128-SHA256 [0xc027]: **works** 
ECDHE-RSA-RC4-SHA [0xc011]: **works** 
DHE-RSA-AES256-GCM-SHA384 [0x9f]: **works** 
DHE-RSA-AES256-SHA256 [0x6b]: **works** 
DHE-RSA-AES256-SHA [0x39]: **works** 
DHE-RSA-CAMELLIA256-SHA [0x88]: **works** 
DHE-RSA-AES128-GCM-SHA256 [0x9e]: **works** 
DHE-RSA-AES128-SHA256 [0x67]: **works** 
DHE-RSA-AES128-SHA [0x33]: **works** 
DHE-RSA-CAMELLIA128-SHA [0x45]: **works** 
ECDHE-RSA-AES256-SHA384 [0xc028]: **works** 
ECDHE-RSA-AES256-SHA [0xc014]: **works** 
ECDHE-RSA-AES128-SHA [0xc013]: **works** 
(A **"green" cipher doesn't mean any browser will be able to use it)

--> Checking RC4 Ciphers

ECDHE-RSA-RC4-SHA [0xc011] (Kx=ECDH, Mac=SHA1): **available ** 
RC4-SHA [0x05] (Kx=RSA, Mac=SHA1): **available ** 
**
  RC4 is kind of broken (for e.g. IE6 consider 0xa or 0x13)

--> Testing Protocols

SSLv2: **Local problem: /usr/bin/openssl doesn't support "s_client -ssl2"** 
SSLv3: **NOT offered (ok)** 
TLSv1: **offered (ok)** 
TLSv1.1: **offered (ok)** 
TLSv1.2: **offered (ok)** 

SPDY: Following protocols advertised:** spdy/2, http/1.1** 

--> Testing cipher suites

Null Cipher: **NOT offered (ok)** 
Anonymous NULL Cipher : **NOT offered (ok)** 
40 Bit encryption: **NOT offered (ok)** 
56 Bit encryption: **Local problem: No 56 Bit encryption configured in /usr/bin/openssl** 
Export Cipher (general): **NOT offered (ok)** 
Low (<=64 Bit): **NOT offered (ok)** 
Medium grade encryption: offered
High grade encryption: **offered (ok)** 

Python

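import socket
import ssl

target, port = "HOST", 443  # placeholders: set to the server you want to test
# Verify the server certificate against the system CA bundle
context = ssl.create_default_context(cafile='/etc/ssl/certs/ca-certificates.crt')
with socket.create_connection((target, port)) as s:
    with context.wrap_socket(s, server_hostname=target) as ssl_sock:
        print(repr(ssl_sock.getpeername()))
        print(ssl_sock.cipher())  # (cipher name, protocol version, secret bits)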

-- output
> ssl-info
('12.34.56.78', 443)
('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1', 128)

As an alternative, you can check the possible ciphers with nmap using the following command:

$ nmap -Pn -p 443 --script=ssl-enum-ciphers <hostname or ip>