Before relying on a TLS deployment it is worth checking exactly which SSL/TLS protocol versions and cipher suites your server offers. testssl.sh is a command-line tool for that: a bash script that connects to a service and reports which protocols, ciphers and certificate settings it accepts, and which known TLS weaknesses it is exposed to.
It is a free alternative to other TLS testers and SSL checkers. Its output is clear and complete, so when something is wrong with a TLS-enabled service you can tell from the report whether the server is configured well or badly, and where the problem lies.
Installation is easy: it is a single script that runs on Linux as well as Darwin (macOS), FreeBSD and Windows under MSYS2 or Cygwin. Unlike some other TLS test and SSL checker tools it needs no language runtime or package manager such as gems, CPAN or pip. It also offers a large set of command-line options, so you can run only the tests you need and shape the output to your requirements.
The main feature of this TLS tester and SSL checker is that it is 100% open source. Open source naturally raises the question of privacy: because testssl.sh runs locally and talks only to the target you name, the results are seen by you alone and not by any third party, which is not the case with web-based checkers.
It works accurately out of the box on every Linux distribution, with some limitations: a few checks depend on the capabilities of the OpenSSL client binary in use, and for some of those testssl.sh works around the missing feature with its own bash-socket-based checks. It also works out of the box on the BSDs and other Unices that provide /bin/bash together with the standard tools sed and awk.
Besides Linux, macOS and Windows are supported too; on Windows the additional requirement is MSYS2 or Cygwin.
The normal use case is probably just testssl.sh <hostname>:
userid@somehost:~ % testssl.sh

     -h, --help                    what you're looking at
     -b, --banner                  displays banner + version of testssl.sh
     -v, --version                 same as previous
     -V, --local                   pretty print all local ciphers
     -V, --local <pattern>         which local ciphers with <pattern> are available?
                                   (if pattern not a number: word match)

testssl.sh <options> URI    ("testssl.sh URI" does everything except -E)

     -e, --each-cipher             checks each local cipher remotely
     -E, --cipher-per-proto        checks those per protocol
     -f, --ciphers                 checks common cipher suites
     -p, --protocols               checks TLS/SSL protocols
     -S, --server_defaults         displays the server's default picks and certificate info
     -P, --preference              displays the server's picks: protocol+cipher
     -y, --spdy, --npn             checks for SPDY/NPN
     -x, --single-cipher <pattern> tests matched <pattern> of ciphers
                                   (if <pattern> not a number: word match)
     -U, --vulnerable              tests all vulnerabilities
     -B, --heartbleed              tests for heartbleed vulnerability
     -I, --ccs, --ccs-injection    tests for CCS injection vulnerability
     -R, --renegotiation           tests for renegotiation vulnerabilities
     -C, --compression, --crime    tests for CRIME vulnerability
     -T, --breach                  tests for BREACH vulnerability
     -O, --poodle                  tests for POODLE (SSL) vulnerability
     -Z, --tls-fallback            checks TLS_FALLBACK_SCSV mitigation
     -F, --freak                   tests for FREAK vulnerability
     -A, --beast                   tests for BEAST vulnerability
     -J, --logjam                  tests for LOGJAM vulnerability
     -s, --pfs, --fs, --nsa        checks (perfect) forward secrecy settings
     -4, --rc4, --appelbaum        which RC4 ciphers are being offered?
     -H, --header, --headers       tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address

     -t, --starttls <protocol>     does a default run against a STARTTLS enabled <protocol>
     --xmpphost <to_domain>        for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
     --mx <domain/host>            tests MX records from high to low priority (STARTTLS, port 25)
     --ip <ipv4>                   a) tests the supplied <ipv4> instead of resolving host(s) in URI
                                   b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
     --file <file name>            mass testing option: Just put multiple testssl.sh command lines in <file name>,
                                   one line per instance. Comments via # allowed, EOF signals end of <file name>.

partly mandatory parameters:

     URI                           host|host:port|URL|URL:port   (port 443 is assumed unless otherwise specified)
     pattern                       an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits
     protocol                      is one of ftp,smtp,pop3,imap,xmpp,telnet,ldap (for the latter two you need e.g. the supplied openssl)

tuning options:

     --assuming-http               if protocol check fails it assumes HTTP protocol and enforces HTTP checks
     --ssl-native                  fallback to checks with OpenSSL where sockets are normally used
     --openssl <PATH>              use this openssl binary (default: look in $PATH, $RUN_DIR of testssl.sh)
     --proxy <host>:<port>         connect via the specified HTTP proxy
     --sneaky                      be less verbose wrt referer headers
     --quiet                       don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
     --wide                        wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
     --show-each                   for wide outputs: display all ciphers tested -- not only succeeded ones
     --warnings <batch|off|false>  "batch" doesn't wait for keypress, "off" or "false" skips connection warning
     --color <0|1|2>               0: no escape or other codes, 1: b/w escape codes, 2: color (default)
     --debug <0-6>                 1: screen output normal but debug output in temp files. 2-6: see line ~105

All options requiring a value can also be called with '=' (e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>).
<URI> is always the last parameter.

Need HTML output? Just pipe through "aha" (Ansi HTML Adapter: github.com/theZiz/aha) like
"testssl.sh <options> <URI> | aha >output.html"
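The help text above describes a mass-testing mode (--file) and several tuning options for unattended runs, but gives no example of how to put them together. The script below is an added example, not code from testssl.sh, its web front end, or the original page: it assembles a --file input from a constructed list of targets, picking the STARTTLS protocol from the port and adding the header checks only for HTTPS. It assumes the testssl.sh version whose help is shown above, i.e. that each line in the file is a full command line starting with the script name (set TESTSSL to the path of your copy), that --warnings batch, --color 0 and --quiet are what an unattended run wants, and that the port-to-protocol mapping below matches your services; the target list is made up.

```shell
#!/usr/bin/env bash
# Added example: build an input file for "testssl.sh --file <file>".
# Assumptions: testssl.sh with the help text shown above; the file holds
# one complete command line per target (program name included).
TESTSSL="${TESTSSL:-testssl.sh}"

# Options for an unattended run: no keypress prompts, no escape codes, no banner.
BATCH_OPTS="--warnings batch --color 0 --quiet"

# Constructed sample target list: "host:port", "host" (port 443 assumed),
# "mx:domain" for --mx, and "#" comment lines which --file permits.
TARGETS='
www.example.com:443
mail.example.com:587
imap.example.com:993
# decommissioned: old.example.com:443
ldap.example.com:389
mx:example.com
'

# Map a port to the STARTTLS protocol testssl.sh must speak first.
# Implicit-TLS ports (443, 465, 636, 993, 995) return an empty string.
starttls_for_port() {
  case "$1" in
    21)      echo ftp ;;
    25|587)  echo smtp ;;
    110)     echo pop3 ;;
    143)     echo imap ;;
    389)     echo ldap ;;
    5222)    echo xmpp ;;
    *)       echo "" ;;
  esac
}

# Emit the command line for one target spec. Every run does protocols (-p),
# server defaults + certificate (-S), server preference (-P) and the
# vulnerability tests (-U); HTTPS additionally gets the header checks (-H).
testssl_line_for() {
  local spec="$1" host port proto
  case "$spec" in
    mx:*)
      echo "$TESTSSL $BATCH_OPTS -p -S -P -U --mx ${spec#mx:}"
      return
      ;;
  esac
  host="${spec%%:*}"
  port="${spec##*:}"
  if [ "$host" = "$port" ]; then
    port=443                      # no port given: testssl.sh assumes 443
  fi
  proto="$(starttls_for_port "$port")"
  if [ -n "$proto" ]; then
    echo "$TESTSSL $BATCH_OPTS -p -S -P -U -t $proto $host:$port"
  elif [ "$port" = 443 ]; then
    echo "$TESTSSL $BATCH_OPTS -p -S -P -U -H $host:$port"
  else
    echo "$TESTSSL $BATCH_OPTS -p -S -P -U $host:$port"
  fi
}

# Print the whole --file input on stdout: comments pass through, blank lines
# are dropped, and a final EOF line marks the end as the help text requires.
build_mass_file() {
  printf '%s\n' "$TARGETS" | while IFS= read -r spec; do
    case "$spec" in
      '')   ;;
      '#'*) printf '%s\n' "$spec" ;;
      *)    testssl_line_for "$spec" ;;
    esac
  done
  echo EOF
}

# Usage:  ./build_targets.sh targets.txt
#         testssl.sh --file targets.txt | aha > report.html
if [ -n "${1:-}" ]; then
  build_mass_file > "$1"
fi
```

Generating the file needs no network access; the actual scan happens when the file is handed to testssl.sh --file, and piping that run through aha, as the help text suggests, turns the coloured terminal output into an HTML report. Because --color 0 strips the escape codes, leave it out of BATCH_OPTS if you want aha to preserve the colouring.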
Web Front End for testssl.sh
- Clone the testssl.sh-webfrontend repository together with its main dependency testssl.sh: git clone https://github.com/Oliverq755/testssl.sh-webfrontend
- Install Python 3 (apt-get install python3) and the Python module Flask (pip3 install flask).
- Install aha (apt-get install aha).
- Configure SSLTestPortal.py, especially application.secret_key, in its configuration section and create the required paths (log, result/html and result/json in the default configuration).
- Run SSLTestPortal.py or deploy it as WSGI script.