OpenSSL documentation is a pain in the back :-( Anyway, browsing through the source code, I found an SSL_get_shared_ciphers function that does not appear in the doc.
I wrote a small test program and tried it on https://www.microsoft.com and, surprise surprise... I got a cipher that is not supported by OpenSSL: EDH-RSA-DES-CBC3-SHA. So, it seems that SSL_get_ciphers (used in the ssl_cipher plugin) gets *all* ciphers accepted by the peer, not only the shared ciphers, as I believed initially. This means that the ssl_ciphers plugin should work well. "Trust but verify", the Russians say: if anybody gets an alert about "null ciphers", this would confirm that Nessus is able to detect those brain damaged options.
