testssl.sh is a free command line tool which checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.
- Clear output: you can tell easily whether anything is good or bad
- Ease of installation: It works for Linux, Darwin, FreeBSD, NetBSD and MSYS2/Cygwin out of the box: no need to install or configure anything, no gems, CPAN, pip or the like.
- Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only web servers at port 443
- Toolbox: Several command line options help you to run YOUR test and configure YOUR output
- Reliability: features are tested thoroughly
- Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you’ll get a warning
- Privacy: It’s only you who sees the result, not a third party
- Freedom: It’s 100% open source. You can look at the code, see what’s going on and you can change it.
- Heck, even the development is open (github)
testssl.sh URI as the default invocation does the so-called default run, which performs a number of checks and prints the results colourized (ANSI and termcap) on the screen. It does every check listed below except -E. The checks are (in order of appearance):
- displays a banner (see below), does a DNS lookup (also for further IP addresses) and a reverse lookup for the returned IP address. Last but not least, a service check is done.
- SSL/TLS protocol check
- standard cipher categories to give you upfront an idea for the ciphers supported
- checks (perfect) forward secrecy: ciphers and elliptic curves
- server preferences (server order)
- server defaults (certificate info, TLS extensions, session information)
- HTTP header (if HTTP detected or being forced via
- testing each of 359 ciphers
- client simulation
Changelog v3.0 rc3
This is the third release candidate of testssl.sh 3.0 to reflect the recent changes. All distributors and others who also use it in production-like environments are encouraged to switch to this branch, as 2.9.5 won’t be supported anymore once 3.0 has been released: bug fixing will take place only here.
- add SSLv2 ciphers (total ciphers now being tested for: 370)
- updated client simulation data
- TLS 1.3 improvements
- STARTTLS NNTP support
- STARTTLS XMPP faster and more reliable
- include DH groups (primes) in pfs section
- Fix TCP fragmentation under remaining OS: FreeBSD / Mac OS X
- further bugfixes and clarifications
Please note that if you’re using the program for a paid or free public service you need to mention where you got this program from.
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
Copyright (C) 2014 drwetter