testssl.sh 2.9.5-7 releases: Testing TLS/SSL encryption anywhere on any port
testssl.sh is a free command line tool which checks a server’s service on any port for the support of TLS/SSL ciphers and protocols, as well as some cryptographic flaws.
- Clear output: you can tell easily whether anything is good or bad
- Ease of installation: It works for Linux, Darwin, FreeBSD, NetBSD and MSYS2/Cygwin out of the box: no need to install or configure anything, no gems, CPAN, pip or the like.
- Flexibility: You can test any SSL/TLS-enabled and STARTTLS service, not only web servers at port 443
- Toolbox: Several command line options help you to run YOUR test and configure YOUR output
- Reliability: features are tested thoroughly
- Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you’ll get a warning
- Privacy: It’s only you who sees the result, not a third party
- Freedom: It’s 100% open source. You can look at the code, see what’s going on and you can change it.
- Heck, even the development is open (github)
testssl.sh URI as the default invocation does the so-called default run, which performs a number of checks and prints the results colourized (ANSI and termcap) on the screen. It does every check listed below except -E, which are (in order of appearance):
- displays a banner (see below), does a DNS lookup (also for further IP addresses) and a reverse lookup for the returned IP address. Last but not least, a service check is done.
- SSL/TLS protocol check
- standard cipher categories to give you upfront an idea for the ciphers supported
- checks (perfect) forward secrecy: ciphers and elliptic curves
- server preferences (server order)
- server defaults (certificate info, TLS extensions, session information)
- HTTP header (if HTTP detected or being forced via
- testing each of 359 ciphers
- client simulation
This update contains a few bugfixes only. (Changelog: v2.9.5-5...2.9.5). It is likely the last release of the 2.9.5 branch. This replaces 2.9.5-6, which was accidentally pointing to the wrong branch.
In general, it is highly recommended to switch to 3.0rcX now (see the tag in the 2.9dev branch). Besides another leap forward in features (bigger ones: TLS 1.3 and ROBOT check), 3.0rcX is also working with OpenSSL 1.1.1. There are a few known bugs in the 3.0 branch which need to be resolved; they also appear in 2.9.5. Not sure whether the fixes will be backported.
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
Copyright (C) 2014 drwetter