testssl is a simple bash script that detects TLS/SSL security weaknesses on your Linux server. It checks a server’s service on any port for supported TLS/SSL ciphers and protocols, as well as some cryptographic flaws. The checks range from FREAK and LOGJAM to timestamp issues and IP addresses.
- display matching key (HPKP)
- LOGJAM 1: check DHE_EXPORT cipher
- LOGJAM 2: displays DH(/ECDH) bits in wide mode on negotiated ciphers
- “wide mode” option for checks like RC4, BEAST, PFS. Displays hexcode, kx, strength, DH bits, RFC name
- binary directory provides out of the box better binaries (Linux 32+64 Bit, Darwin 64 bit, FreeBSD 64 bit)
- OS X binaries
- ARM binary
- FreeBSD binary
- TLS_FALLBACK_SCSV check
- (HTTP) proxy support!
- Extended validation certificate detection
- Run in default mode through all ciphers at the end of a default run
- will test multiple IP addresses in one shot, --ip= restricts it accordingly
- new mass testing file option --file, where testssl.sh commands are being read from
- TLS time and HTTP time stamps
- TLS time displayed also for STARTTLS protocols
- support of sockets for STARTTLS protocols
- TLS 1.0-1.1 as socket checks per default in production
- further detection of security relevant headers (reverse proxy, IPv4 addresses), proprietary banners (OWA, Liferay etc.)
- can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML streams).
- quite some LibreSSL fixes, still not recommended to use though
- lots of fixes, code improvements, even more robust
testssl runs on several Linux distributions as it has minimal dependencies. Check out the latest code from GitHub:
$ git clone https://github.com/drwetter/testssl.sh
The general syntax is:
$ testssl.sh <options> <URI>
where URI can be any of host|host:port|URL|URL:port.
The simplest usage example is:
$ ./testssl.sh localhost:443
If the port is omitted, the testssl script assumes 443 by default.
For help, run:
$ ./testssl.sh -h
You can use testssl to run vulnerability checks for one or multiple issues. Refer to help for examples.
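The target forms and the mass testing file described above can be combined. This is an added example, not code from testssl.sh or from the original article: a POSIX shell helper that normalises host|host:port|URL|URL:port entries to host:port (default 443) and emits one argument line per unique endpoint for --file. The function names, the sample host names and the one-argument-set-per-line file layout are assumptions.

```shell
#!/bin/sh
# Added example (not part of testssl.sh): build a mass-testing file.
# normalize_target <host|host:port|URL|URL:port>  ->  prints host:port
normalize_target() {
    t=$1
    t=${t#*://}      # drop a URL scheme such as https://
    t=${t%%/*}       # drop the path after the authority part
    t=${t##*@}       # drop userinfo if present
    case $t in
        "")        return 1 ;;        # nothing left to scan
        "["*"]:"*) ;;                 # [IPv6]:port, keep
        "["*"]")   t="$t:443" ;;      # [IPv6] without port
        *:*)       ;;                 # host:port, keep
        *)         t="$t:443" ;;      # bare host: default port from the page
    esac
    port=${t##*:}
    case $port in
        ""|*[!0-9]*) return 1 ;;      # reject empty or non-numeric port
    esac
    printf '%s\n' "$t"
}

# build_mass_file <checks>: targets on stdin, one line per unique endpoint out
build_mass_file() {
    checks=$1
    while IFS= read -r line; do
        line=${line%%#*}                                # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')     # strip whitespace
        [ -n "$line" ] || continue
        if nt=$(normalize_target "$line"); then
            printf '%s %s\n' "$checks" "$nt"
        else
            printf 'skipping invalid target: %s\n' "$line" >&2
        fi
    done | awk '!seen[$0]++'                            # dedupe, keep order
}

# Constructed sample inventory (documentation-only host names).
sample_targets() {
    cat <<'EOF'
example.com
https://example.com/login      # same endpoint as the line above
mail.example.net:8443
https://intranet.example.org:9443/
bad.example:tls                # rejected: port is not numeric
EOF
}

sample_targets | build_mass_file "--logjam --wide"
```

Redirect the output to a file and hand that file to --file. IPv6 literals must be written in brackets for the port check to work.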