Name | Last Modified | Size | Type |
---|---|---|---|
2.6/ | 2018-Nov-15 22:02:23 | -- | Directory |
2.8/ | 2018-Nov-15 22:46:12 | -- | Directory |
2.9.5/ | 2020-Jan-23 22:04:09 | -- | Directory |
bin/ | 2022-Nov-22 16:48:47 | -- | Directory |
bleichenbacher/ | 2018-Feb-23 18:00:33 | -- | Directory |
doc/ | 2022-Nov-22 16:50:07 | -- | Directory |
etc/ | 2022-Nov-22 16:49:13 | -- | Directory |
openssl-1.0.2i-chacha.pm.ipv6.contributed/ | 2020-Sep-17 09:55:59 | -- | Directory |
openssl-1.0.2k-bad/ | 2025-Jan-04 14:19:01 | -- | Directory |
utils/ | 2022-Nov-22 16:49:53 | -- | Directory |
CHANGELOG.md | 2022-Sep-29 08:40:32 | 17.20KB | MD File |
CONTRIBUTING.md | 2022-Sep-29 08:40:32 | 728.00B | MD File |
CREDITS.md | 2022-Sep-29 08:40:32 | 3.90KB | MD File |
Dockerfile | 2022-Sep-29 08:40:32 | 585.00B | Unknown File |
Dockerfile.git | 2022-Sep-29 08:40:32 | 681.00B | GIT File |
Dockerfile.md | 2022-Sep-29 08:40:32 | 1.53KB | MD File |
LICENSE.txt | 2014-May-03 11:04:22 | 17.59KB | TXT Type Document |
Readme.md | 2025-Jan-06 13:18:22 | 6.41KB | MD File |
openssl-iana.mapping.html | 2024-Nov-22 10:19:52 | 61.11KB | HTML File |
testssl.sh | 2025-Jan-26 10:22:03 | 1001.26KB | SH File |
testssl.sh-3.0.6.tar.gz | 2021-Oct-03 19:07:15 | 8.82MB | GZ Compressed Archive |
testssl.sh-3.0.6.tar.gz.asc | 2021-Oct-03 19:07:15 | 488.00B | ASC File |
testssl.sh-3.0.7.tar.gz | 2022-Feb-19 14:59:59 | 8.79MB | GZ Compressed Archive |
testssl.sh-3.0.7.tar.gz.asc | 2022-Feb-19 14:59:59 | 488.00B | ASC File |
testssl.sh-3.0.8.tar.gz | 2022-Sep-29 08:46:37 | 17.59MB | GZ Compressed Archive |
testssl.sh-3.0.8.tar.gz.asc | 2022-Sep-29 08:46:32 | 488.00B | ASC File |
testssl.sh-3.0.9.tar.gz | 2024-Jun-13 19:02:46 | 8.95MB | GZ Compressed Archive |
testssl.sh-3.0.9.tar.gz.asc | 2024-Jun-13 19:04:07 | 488.00B | ASC File |
testssl.sh.asc | 2021-Oct-03 19:07:15 | 488.00B | ASC File |
testssl_german_owasp_day.pdf | 2018-Nov-18 13:53:38 | 1.11MB | PDF Type Document |
testssl.sh
is free and open source software. You can use it under the terms of GPLv2, please review the License before using it.
Development takes place at github. We're now @ 3.2rc3 (stable) and 3.0.9 (oldstable).
As of 2024, you should use the latest 3.2 version, or the oldstable 3.0.9. 2.9.5 is not supported anymore.
As I do releases on github you can pull the zip for a stable release from there.
Supported will always be the current dev version and the version before (n-1 rule). As soon as the dev version becomes the stable release, this will be the n-1 version and receives bugfixes only. The dev version has historically not delivered really broken software (no facebook paradigm). Consider it like a rolling release: It'll definitely change-- that is the point of development-- things might break for you if you e.g. expect the output or features all to be the same. But other than that: The dev version itself won't break (TM).
3.2 is now the version which we'll focus on. There may or maybe not a 3.0.10 release. We'll focus on 3.2 which evolved from 3.1dev. After the final release of 3.2 this will also formally become the stable, last supported version. Development will take place in 3.3dev then.
testssl.sh
is pretty much portable/compatible. It is working on every Linux, Mac OS X, FreeBSD distribution, on MSYS2/Cygwin (slow).
It is supposed also to work on any other unixoid systems.
A newer OpenSSL version (1.0) is recommended though. /bin/bash
is a prerequisite –
otherwise there would be no sockets.
openssl <verify|ocsp|pkey>
. In principle any OpenSSL or even LibreSSL can be used as a helper. It's recommended to
use the one supplied as it makes sure special tests or features like IPv6, proxy support, STARTTLS MySQL or PostgreSQL are supported. (The one supplied stems
originally from github.com/PeterMosmans/openssl. openssl-1.0.2k-chacha.pm.ipv6.Linux+FreeBSD.tar.gz is a Linux- and FreeBSD-only tarball. The directory openssl-1.0.2i-chacha.pm.ipv6.contributed/ contains contributed builds for ARM7l and Darwin binaries).
curl -L https://testssl.sh
or wget -O - https://testssl.sh
pulls the current stable code from here curl -L https://testssl.sh/dev/
or wget -O - https://testssl.sh/dev/
pulls the current development code from githubuserid@somehost:~ % testssl.sh "testssl.sh [options] <URI>" or "testssl.sh <options>" "testssl.sh <options>", where <options> is: --help what you're looking at -b, --banner displays banner + version of testssl.sh -v, --version same as previous -V, --local pretty print all local ciphers -V, --local <pattern> which local ciphers with <pattern> are available? If pattern is not a number: word match <pattern> is always an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits "testssl.sh <URI>", where <URI> is: <URI> host|host:port|URL|URL:port port 443 is default, URL can only contain HTTPS protocol) "testssl.sh [options] <URI>", where [options] is: -t, --starttls <protocol> Does a default run against a STARTTLS enabled <protocol, protocol is <ftp|smtp|lmtp|pop3|imap|xmpp|telnet|ldap|nntp|postgres|mysql> --xmpphost <to_domain> For STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed --mx <domain/host> Tests MX records from high to low priority (STARTTLS, port 25) --file/-iL <fname> Mass testing option: Reads one testssl.sh command line per line from <fname>. Can be combined with --serial or --parallel. Implicitly turns on "--warnings batch". Text format 1: Comments via # allowed, EOF signals end of <fname> Text format 2: nmap output in greppable format (-oG), 1 port per line allowed --mode <serial|parallel> Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter) --warnings <batch|off> "batch" doesn't continue when a testing error is encountered, off continues and skips warnings --connect-timeout <seconds> useful to avoid hangers. Max <seconds> to wait for the TCP socket connect to return --openssl-timeout <seconds> useful to avoid hangers. Max <seconds> to wait before openssl connect will be terminated single check as <options> ("testssl.sh URI" does everything except -E and -g): -e, --each-cipher checks each local cipher remotely -E, --cipher-per-proto checks those per protocol -s, --std, --standard tests certain lists of cipher suites by strength -p, --protocols checks TLS/SSL protocols (including SPDY/HTTP2) -g, --grease tests several server implementation bugs like GREASE and size limitations -S, --server-defaults displays the server's default picks and certificate info -P, --server-preference displays the server's picks: protocol+cipher -x, --single-cipher <pattern> tests matched <pattern> of ciphers (if <pattern> not a number: word match) -c, --client-simulation test client simulations, see which client negotiates with cipher and protocol -h, --header, --headers tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address -U, --vulnerable tests all (of the following) vulnerabilities (if applicable) -H, --heartbleed tests for Heartbleed vulnerability -I, --ccs, --ccs-injection tests for CCS injection vulnerability -T, --ticketbleed tests for Ticketbleed vulnerability in BigIP loadbalancers -BB, --robot tests for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability -R, --renegotiation tests for renegotiation vulnerabilities -C, --compression, --crime tests for CRIME vulnerability (TLS compression issue) -B, --breach tests for BREACH vulnerability (HTTP compression issue) -O, --poodle tests for POODLE (SSL) vulnerability -Z, --tls-fallback checks TLS_FALLBACK_SCSV mitigation -W, --sweet32 tests 64 bit block ciphers (3DES, RC2 and IDEA): SWEET32 vulnerability -A, --beast tests for BEAST vulnerability -L, --lucky13 tests for LUCKY13 -F, --freak tests for FREAK vulnerability -J, --logjam tests for LOGJAM vulnerability -D, --drown tests for DROWN vulnerability -f, --pfs, --fs, --nsa checks (perfect) forward secrecy settings -4, --rc4, --appelbaum which RC4 ciphers are being offered? tuning / connect options (most also can be preset via environment variables): --fast omits some checks: using openssl for all ciphers (-e), show only first preferred cipher. -9, --full includes tests for implementation bugs and cipher per protocol (could disappear) --bugs enables the "-bugs" option of s_client, needed e.g. for some buggy F5s --assume-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks --ssl-native fallback to checks with OpenSSL where sockets are normally used --openssl <PATH> use this openssl binary (default: look in $PATH, $RUN_DIR of testssl.sh) --proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from $env ($http(s)_proxy) -6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity --ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI b) arg "one" means: just test the first DNS returns (useful for multiple IPs) -n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records --sneaky leave less traces in target logs: user agent, referer --ids-friendly skips a few vulnerability checks which may cause IDSs to block the scanning IP --phone-out allow to contact external servers for CRL download and querying OCSP responder --add-ca <cafile> path to <cafile> or a comma separated list of CA files enables test against additional CAs. --basicauth <user:pass> provide HTTP basic auth information. output options (can also be preset via environment variables): --quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner --wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name --show-each for wide outputs: display all ciphers tested -- not only succeeded ones --mapping <openssl| openssl: use the OpenSSL cipher suite name as the primary name cipher suite name form (default) iana|rfc -> use the IANA/(RFC) cipher suite name as the primary name cipher suite name form no-openssl| -> don't display the OpenSSL cipher suite name, display IANA/(RFC) names only no-iana|no-rfc> -> don't display the IANA/(RFC) cipher suite name, display OpenSSL names only --color <0|1|2|3> 0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers) --colorblind swap green and blue in the output --debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh" file output options (can also be preset via environment variables) --log, --logging logs stdout to '${NODE}-p${port}${YYYYMMDD-HHMM}.log' in current working directory (cwd) --logfile|-oL <logfile> logs stdout to 'dir/${NODE}-p${port}${YYYYMMDD-HHMM}.log'. If 'logfile' is a dir or to a specified 'logfile' --json additional output of findings to flat JSON file '${NODE}-p${port}${YYYYMMDD-HHMM}.json' in cwd --jsonfile|-oj <jsonfile> additional output to the specified flat JSON file or directory, similar to --logfile --json-pretty additional JSON structured output of findings to a file '${NODE}-p${port}${YYYYMMDD-HHMM}.json' in cwd --jsonfile-pretty|-oJ <jsonfile> additional JSON structured output to the specified file or directory, similar to --logfile --csv additional output of findings to CSV file '${NODE}-p${port}${YYYYMMDD-HHMM}.csv' in cwd or directory --csvfile|-oC <csvfile> additional output as CSV to the specified file or directory, similar to --logfile --html additional output as HTML to file '${NODE}-p${port}${YYYYMMDD-HHMM}.html' --htmlfile|-oH <htmlfile> additional output as HTML to the specified file or directory, similar to --logfile --out(f,F)ile|-oa/-oA <fname> log to a LOG,JSON,CSV,HTML file (see nmap). -oA/-oa: pretty/flat JSON. "auto" uses '${NODE}-p${port}${YYYYMMDD-HHMM}'. If fname if a dir uses 'dir/${NODE}-p${port}${YYYYMMDD-HHMM}' --hints additional hints to findings --severity <severity> severities with lower level will be filtered for CSV+JSON, possible values <LOW|MEDIUM|HIGH|CRITICAL> --append if (non-empty) <logfile>, <csvfile>, <jsonfile> or <htmlfile> exists, append to file. Omits any header --outprefix <fname_prefix> before '${NODE}.' above prepend <fname_prefix> Options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>. <URI> always needs to be the last parameter. userid@somehost:~ %
testssl.sh --starttls smtp <smtphost>.<tld>:587 testssl.sh --starttls ftp <ftphost>.<tld>:21 testssl.sh -t xmpp <jabberhost>.<tld>:5222 testssl.sh -t xmpp --xmpphost <XMPP domain> <jabberhost>.<tld>:5222 testssl.sh --starttls imap <imaphost>.<tld>:143The ports in those examples above are just the standard ports. Also here you're free to check any port. //refactor those, see e.g. https://content-security-policy.com/unsafe-hashes/ or just drop tis shit