Testssl.sh is a free and open-source, feature-rich command-line tool for checking TLS/SSL-enabled services for supported ciphers, protocols, and a number of cryptographic flaws.
How to Install and Use Testssl.sh in Linux
Important: You need bash (preinstalled on most Linux distributions), and a newer OpenSSL version (1.1.1) is recommended so that all checks can run.
You can install testssl.sh by cloning its git repository as shown:
# git clone --depth 1 https://github.com/drwetter/testssl.sh.git
# cd testssl.sh
After cloning testssl.sh, the general use case is probably just to run the following command to test a website.
# ./testssl.sh https://Krushkov.net/
To run a check against STARTTLS-enabled protocols (ftp, smtp, pop3, imap, xmpp, telnet, ldap, postgres, mysql), use the -t option.
# ./testssl.sh -t smtp https://Krushkov.net/
By default, all mass tests are done in serial mode; you can enable parallel testing using the --parallel flag.
# ./testssl.sh --parallel https://Krushkov.net/
If you do not want to use the default system openssl binary, use the --openssl flag to specify an alternative.
# ./testssl.sh --parallel --sneaky --openssl /path/to/your/openssl https://Krushkov.net/
You might want to keep logs for later analysis; testssl.sh has the --log (store the log file in the current directory) or --logfile (specify the log file location) option for that.
# ./testssl.sh --parallel --sneaky --logging https://Krushkov.net/
To disable DNS lookups, which can speed up a test, use the -n flag.
# ./testssl.sh -n --parallel --sneaky --logging https://Krushkov.net/
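Keeping a log file is useful for later reading, but for tracking findings across many hosts a machine-readable export is easier to work with. The following is an added example, not code from the article or from the testssl.sh project: it assembles a testssl.sh command from the flags shown above (-t, -n, --openssl) plus the tool's --jsonfile option, then parses the resulting JSON array of findings (each with "id", "ip", "port", "severity" and "finding" keys) and lists everything at or above a chosen severity. The sample findings embedded below are constructed for the example and are not real scan output; the severity ordering used for triage is this example's own, not something testssl.sh defines.

```python
"""Added example (not part of the original article or the testssl.sh project):
run testssl.sh with a machine-readable output file and triage the findings.

Assumptions: testssl.sh lives at ./testssl.sh (as on the page) and is run
with its --jsonfile option, which writes a JSON array of finding objects
carrying "id", "ip", "port", "severity" and "finding" keys. SAMPLE_JSON
below is constructed for this example, not real scan output.
"""
import json
import subprocess
from collections import Counter

# Ranking used for triage. This is the example's own ordering of the
# severity labels testssl.sh emits, not an ordering the tool defines.
SEVERITY_ORDER = ["DEBUG", "INFO", "OK", "WARN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
SEVERITY_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


def build_command(target, jsonfile, starttls=None, no_dns=False, openssl=None):
    """Assemble the testssl.sh argv from the flags shown in the article
    (-t, -n, --openssl) plus --jsonfile for machine-readable output."""
    cmd = ["./testssl.sh"]
    if starttls:
        cmd += ["-t", starttls]          # e.g. "smtp" for a STARTTLS check
    if no_dns:
        cmd.append("-n")                 # skip DNS lookups to speed up the run
    if openssl:
        cmd += ["--openssl", openssl]    # use an alternative OpenSSL binary
    # testssl.sh aborts if the JSON file already exists (unless --append is
    # given), so pick a fresh file name for every run.
    cmd += ["--jsonfile", jsonfile, target]
    return cmd


def load_findings(text):
    """Parse a --jsonfile export: a JSON array of finding objects."""
    findings = json.loads(text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of findings")
    return findings


def triage(findings, minimum="MEDIUM"):
    """Return findings at or above `minimum` severity, worst first.
    An unknown severity label is ranked above CRITICAL so that a label
    this script does not know about is never silently dropped."""
    floor = SEVERITY_RANK[minimum]
    unknown = len(SEVERITY_ORDER)

    def rank(finding):
        return SEVERITY_RANK.get(finding.get("severity", ""), unknown)

    selected = [f for f in findings if rank(f) >= floor]
    return sorted(selected, key=rank, reverse=True)   # stable, so input order is kept within a severity


def summarize(findings):
    """Count findings per severity label."""
    return dict(Counter(f.get("severity", "UNKNOWN") for f in findings))


# Constructed sample in the shape of a --jsonfile export (not a real scan).
SAMPLE_JSON = """[
  {"id": "service", "ip": "example.com/192.0.2.10", "port": "443", "severity": "INFO", "finding": "HTTP"},
  {"id": "SSLv3", "ip": "example.com/192.0.2.10", "port": "443", "severity": "HIGH", "finding": "offered (NOT ok)"},
  {"id": "TLS1", "ip": "example.com/192.0.2.10", "port": "443", "severity": "LOW", "finding": "offered (deprecated)"},
  {"id": "TLS1_2", "ip": "example.com/192.0.2.10", "port": "443", "severity": "OK", "finding": "offered"},
  {"id": "cipherlist_3DES_IDEA", "ip": "example.com/192.0.2.10", "port": "443", "severity": "MEDIUM", "finding": "offered"},
  {"id": "cert_expirationStatus", "ip": "example.com/192.0.2.10", "port": "443", "severity": "OK", "finding": "300 >= 60 days"}
]"""


def scan_and_triage(target, jsonfile, minimum="MEDIUM", **opts):
    """Run testssl.sh for real and triage its JSON output.
    check=False because testssl.sh exits non-zero when it has findings."""
    subprocess.run(build_command(target, jsonfile, **opts), check=False)
    with open(jsonfile, encoding="utf-8") as fh:
        return triage(load_findings(fh.read()), minimum)


if __name__ == "__main__":
    # Offline demo on the constructed sample; use scan_and_triage(...) for a live run.
    findings = load_findings(SAMPLE_JSON)
    print("counts:", summarize(findings))
    for f in triage(findings, "MEDIUM"):
        print(f"{f['severity']:<8} {f['id']:<24} {f['finding']}")
```

Run it as-is to see the triage on the sample; for a real host call scan_and_triage("https://Krushkov.net/", "krushkov-443.json", no_dns=True) and feed the returned list into whatever ticketing or reporting you use. Filtering on severity rather than on specific "id" values means a new check added in a later testssl.sh release shows up automatically instead of being missed.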
Run Single Checks Using Testssl.sh
You can also run single checks for protocols, server defaults, server preferences, headers, various types of vulnerabilities plus many other tests. There are a number of options provided for this.
For example, the -e flag checks each local cipher remotely. To make the test much faster, include the --fast flag; it omits some checks: when openssl is used for all ciphers, only the first preferred cipher is shown.
# ./testssl.sh -e --fast --parallel https://Krushkov.net/
The -p option tests the TLS/SSL protocols (including SPDY/HTTP2).
# ./testssl.sh -p --parallel --sneaky https://Krushkov.net/
You can view the server's default picks and certificate using the -S option.
# ./testssl.sh -S https://Krushkov.net/
Next, to see the server's preferred protocol+cipher, use the -P flag.
# ./testssl.sh -P https://Krushkov.net/
The -U option tests all vulnerabilities (where applicable).
# ./testssl.sh -U --sneaky https://Krushkov.net/
We cannot cover all the options here; use the command below to see the full list.
# ./testssl.sh --help
For more information, see the testssl.sh GitHub repository: https://github.com/drwetter/testssl.sh