Testing TLS/SSL Encryption on Any Port

Testssl.sh is a free and open-source, feature-rich command-line tool for checking TLS/SSL-enabled services for supported ciphers, protocols, and some cryptographic flaws.

How to Install and Use Testssl.sh in Linux

Important: You should be using bash (which comes preinstalled on most Linux distributions); a newer OpenSSL version (1.1.1) is recommended for effective usage.

You can install testssl.sh by cloning this git repository as shown:

# git clone --depth 1 https://github.com/drwetter/testssl.sh.git
# cd testssl.sh

After cloning testssl.sh, the general use case is probably just to run the following command to test a website.

# ./testssl.sh https://Krushkov.net/

To run a check against STARTTLS-enabled protocols (ftp, smtp, pop3, imap, xmpp, telnet, ldap, postgres, mysql), use the -t option.

# ./testssl.sh -t smtp Krushkov.net:25

By default, all mass tests are done in serial mode; you can enable parallel testing using the --parallel flag.

# ./testssl.sh --parallel https://Krushkov.net/

If you do not want to use the default system openssl program, use the --openssl flag to specify an alternative.

# ./testssl.sh --parallel --sneaky --openssl /path/to/your/openssl https://Krushkov.net/

You might want to keep logs for later analysis. For that, testssl.sh has the --log option (store the log file in the current directory) and the --logfile option (specify the log file location).

# ./testssl.sh --parallel --sneaky --logging https://Krushkov.net/
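For the later analysis of a saved log, the following is an added example (not from the original page or the testssl.sh project) that flags the lines worth a second look. The function names, match patterns and sample log lines are assumptions constructed for illustration; check the patterns against the output of your testssl.sh version.

```bash
#!/usr/bin/env bash
# Added example (not part of testssl.sh): triage a saved testssl.sh log.
# Patterns and sample lines are assumptions modelled on the tool's
# human-readable output; wording can differ between versions.

ESC=$(printf '\033')

# Print "LEVEL<TAB>line" for each log line that matches a finding pattern.
triage_log() {
    # Strip ANSI colour sequences in case the log was saved with colours.
    sed "s/${ESC}\[[0-9;]*m//g" "$1" | awk '
        /not vulnerable|not offered/  { next }   # explicit negatives
        /VULNERABLE|NOT ok/           { print "HIGH\t" $0; next }
        /^ *SSLv[23] +offered/        { print "HIGH\t" $0; next }
        /deprecated|expired/          { print "REVIEW\t" $0 }
    '
}

# Count the findings at one level (HIGH or REVIEW) in a log file.
count_level() {
    triage_log "$1" |
        awk -F'\t' -v lvl="$2" '$1 == lvl { n++ } END { print n + 0 }'
}

# CONSTRUCTED sample log; the last line carries colour codes on purpose.
write_sample_log() {
    cat > "$1" <<'EOF'
 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.2    offered (OK)
 Heartbleed                  not vulnerable (OK)
 Certificate Validity (UTC)  expired
EOF
    printf ' POODLE, SSL                 \033[1;31mVULNERABLE (NOT ok)\033[m\n' >> "$1"
}

sample=$(mktemp)
write_sample_log "$sample"
triage_log "$sample"
echo "HIGH: $(count_level "$sample" HIGH)  REVIEW: $(count_level "$sample" REVIEW)"
rm -f "$sample"
```

To use it on a real run, pass the file written by --logging or --logfile to triage_log instead of the sample.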

To disable DNS lookup, which can increase test speeds, use the -n flag.

# ./testssl.sh -n --parallel --sneaky --logging https://Krushkov.net/

Run Single Checks Using Testssl.sh

You can also run single checks for protocols, server defaults, server preferences, headers, various types of vulnerabilities plus many other tests. There are a number of options provided for this.

For example, the -e flag enables you to check each local cipher remotely. If you want to make the test much faster, include the --fast flag; this omits some checks, and if you are using openssl for all ciphers, it only displays the first proffered cipher.

# ./testssl.sh -e --fast --parallel https://Krushkov.net/

The -p option allows for testing TLS/SSL protocols (including SPDY/HTTP2).

# ./testssl.sh -p --parallel --sneaky https://Krushkov.net/

You can view the server’s default picks and certificate using the -S option.

# ./testssl.sh -S https://Krushkov.net/

Next, to see the server’s preferred protocol+cipher, use the -P flag.

# ./testssl.sh -P https://Krushkov.net/


The -U option will help you test all vulnerabilities (if applicable).

# ./testssl.sh -U --sneaky https://Krushkov.net/


Unfortunately, we cannot cover all the options here; use the command below to see a list of all options.

# ./testssl.sh --help


For more information, see the testssl.sh GitHub repository: https://github.com/drwetter/testssl.sh