OpenSSL - check Cipher suites allowed on target

By kimot, 4 March, 2025

With this script you can easily check which cipher suites are allowed on the target.

#!/usr/bin/env bash

# Usage: ./checkcphrsts host:port   (OpenSSL requires the port number.)
SERVER=$1
DELAY=1
RED='\033[0;31m'
GREEN='\033[0;32m'
GRAY='\033[1;30m'
NC='\033[0m'

if [[ -z "$SERVER" ]]; then
  echo "Usage: $0 host:port" >&2
  exit 1
fi

# OpenSSL separates cipher names with ':'; read the list into an array.
read -ra ciphers <<< "$(openssl ciphers 'ALL:eNULL' | tr ':' ' ')"

echo "Obtaining cipher list from $(openssl version)."

for cipher in "${ciphers[@]}"; do
  echo -n "Testing $cipher..."
  # TLS 1.3 suites (TLS_*) are selected with -ciphersuites, older ones with
  # -cipher; pin the protocol version so the server cannot answer with another.
  if [[ "$cipher" == TLS_* ]]; then
    opts=(-tls1_3 -ciphersuites "$cipher")
  else
    opts=(-no_tls1_3 -cipher "$cipher")
  fi
  result=$(echo -n | timeout 2s openssl s_client "${opts[@]}" -connect "$SERVER" 2>&1)
  # OpenSSL error line: <ptr>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:
  if [[ "$result" =~ :error:[^:]*:[^:]*:[^:]*:([^:]*): ]]; then
    echo -e "${RED}NO${NC} (${BASH_REMATCH[1]})"
  elif [[ "$result" =~ ":error:" ]]; then
    echo -e "${RED}NO${NC}"
  elif [[ "$result" =~ "Cipher is ${cipher}" ]]; then
    echo -e "${GREEN}YES${NC}"
  else
    echo -e "${GRAY}UNKNOWN RESPONSE${NC}"
    #echo "$result"
  fi
  sleep "$DELAY"
done

The output will look like this:

-bash-5.2$ ./checkcphrsts 10.50.5.150:8008
Obtaining cipher list from OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023).
Testing TLS_AES_256_GCM_SHA384...NO (no cipher match)
Testing TLS_CHACHA20_POLY1305_SHA256...NO (no cipher match)
Testing TLS_AES_128_GCM_SHA256...NO (no cipher match)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...YES
Testing ECDHE-RSA-AES256-GCM-SHA384...YES
Testing DHE-DSS-AES256-GCM-SHA384...YES
Testing DHE-RSA-AES256-GCM-SHA384...YES
Testing ECDHE-ECDSA-CHACHA20-POLY1305...YES
Testing ECDHE-RSA-CHACHA20-POLY1305...YES
Testing DHE-RSA-CHACHA20-POLY1305...YES
Testing ECDHE-ECDSA-AES256-CCM8...UNKNOWN RESPONSE
Testing ECDHE-ECDSA-AES256-CCM...YES
Testing DHE-RSA-AES256-CCM8...YES
Testing DHE-RSA-AES256-CCM...YES
Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...YES
Testing ECDHE-ARIA256-GCM-SHA384...YES

...
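As an added example (not part of the original post), here is the decision logic of the check separated from the network call, so it can be run offline against captured s_client output; it also only counts a handshake as YES when the negotiated suite is the one that was requested, which a server that prefers a different suite or protocol version would otherwise hide. The function names and the sample outputs are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: the decision logic of the
# cipher check, split from the network call so it can be run on captured
# s_client output. Function names and the samples below are constructed.
# Options that probe exactly one suite: TLS 1.3 suites (TLS_*) are chosen
# with -ciphersuites and TLS 1.3 pinned, older suites with -cipher and
# TLS 1.3 disabled, so the server cannot answer with another version.
cipher_opts() {
  case $1 in
    TLS_*) printf '%s' "-tls1_3 -ciphersuites $1" ;;
    *)     printf '%s' "-no_tls1_3 -cipher $1" ;;
  esac
}

# Classify s_client output for the suite that was requested.
# Prints YES, NO (<reason>), MISMATCH (<negotiated suite>) or UNKNOWN.
classify() {
  local wanted=$1 output=$2 got
  # OpenSSL error line: <ptr>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:
  local err_re=':error:[^:]*:[^:]*:[^:]*:([^:]*):'
  local ok_re='Cipher is ([A-Z0-9_-]+)'
  if [[ $output =~ $err_re ]]; then
    printf 'NO (%s)' "${BASH_REMATCH[1]}"
  elif [[ $output =~ $ok_re ]]; then
    got=${BASH_REMATCH[1]}
    # A handshake completed, but it only counts if the negotiated suite is
    # the one under test; otherwise the server picked something else.
    if [[ $got == "$wanted" ]]; then
      printf 'YES'
    else
      printf 'MISMATCH (%s)' "$got"
    fi
  else
    printf 'UNKNOWN'
  fi
}

# Constructed samples in the shape of OpenSSL 3 s_client output (trimmed).
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_ERR='CONNECTED(00000003)
80FB0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1605:SSL alert number 40
New, (NONE), Cipher is (NONE)'
SAMPLE_OTHER='CONNECTED(00000003)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'

classify ECDHE-RSA-AES256-GCM-SHA384 "$SAMPLE_OK"; echo      # YES
classify DHE-RSA-AES128-SHA "$SAMPLE_ERR"; echo              # NO (sslv3 alert handshake failure)
classify ECDHE-RSA-AES256-GCM-SHA384 "$SAMPLE_OTHER"; echo   # MISMATCH (TLS_AES_256_GCM_SHA384)
```

To wire it into the scanner, pass the output of `cipher_opts` to `openssl s_client` unquoted and feed the captured result to `classify`.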