testssl: secure your servers

testssl is a simple bash script that detects TLS/SSL security weaknesses on your Linux server. It checks a server's service on any port for support of TLS/SSL ciphers and protocols as well as for some cryptographic flaws. The checks range from FREAK and LOGJAM to timestamp issues and IP address disclosure.

Features

  • display matching key (HPKP)
  • LOGJAM 1: check DHE_EXPORT cipher
  • LOGJAM 2: displays DH(/ECDH) bits in wide mode on negotiated ciphers
  • “wide mode” option for checks like RC4, BEAST, PFS; displays hex code, key exchange (kx), strength, DH bits and RFC name
  • binary directory provides out of the box better binaries (Linux 32+64 Bit, Darwin 64 bit, FreeBSD 64 bit)
  • OS X binaries
  • ARM binary
  • FreeBSD binary
  • TLS_FALLBACK_SCSV check
  • (HTTP) proxy support!
  • Extended validation certificate detection
  • Run in default mode through all ciphers at the end of a default run
  • tests multiple IP addresses of a host in one shot; --ip= restricts it accordingly
  • new mass testing option --file, where testssl.sh commands are read from the given file
  • TLS time and HTTP time stamps
  • TLS time displayed also for STARTTLS protocols
  • support of sockets for STARTTLS protocols
  • TLS 1.0-1.1 as socket checks per default in production
  • further detection of security relevant headers (reverse proxy, IPv4 addresses), proprietary banners (OWA, Liferay etc.)
  • can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML streams).
  • quite a few LibreSSL fixes, though using LibreSSL is still not recommended
  • lots of fixes, code improvements, even more robust

Installation

testssl runs on most Linux distributions as it has minimal dependencies. Check out the latest code from GitHub:

$ git clone https://github.com/drwetter/testssl.sh

Usage

Syntax:

$ testssl.sh <options> <URI>

where URI can be any of: host | host:port | URL | URL:port

The simplest usage example is:

$ ./testssl.sh localhost:443

If the port is omitted, testssl.sh assumes 443 by default, so plain localhost is equivalent to the example above.

For help, run:

$ ./testssl.sh -h

You can use testssl to run checks for a single issue or for all of them at once. Refer to the help output for examples.
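The --file option mentioned in the feature list reads one testssl.sh command line per line (options first, then the URI). The script below is an added example, not part of testssl.sh or of the original post: it turns an operator's target inventory into such a job file, applying the same 443 default the tool uses when a port is missing and pinning each run to a single resolved address with --ip=one, which is the value testssl.sh accepts for "first DNS answer only". The target list is constructed sample data, and the file format is stated here as my understanding of testssl.sh's mass-testing input.

```shell
#!/usr/bin/env bash
# Added example (not testssl.sh's own code): build a job file for
# `testssl.sh --file <jobfile>` from a host[:port] inventory.

# Constructed sample inventory (not real scan targets). Blank lines and
# '#' comments are allowed, as in a hand-maintained host list.
SAMPLE_TARGETS='# internal inventory
www.example.com
mail.example.org:465

# legacy host
legacy.example.net:8443'

# Strip comments and surrounding whitespace from one inventory line.
clean_line() {
  printf '%s' "$1" | sed 's/[[:space:]]*#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Append :443 when no port is given (the default testssl.sh applies
# when the port is omitted from the URI).
normalize_target() {
  case "$1" in
    *:*) printf '%s\n' "$1" ;;
    *)   printf '%s:443\n' "$1" ;;
  esac
}

# Read an inventory on stdin and write one testssl.sh command line per
# target to $1. --ip=one restricts each run to the first resolved address;
# without it testssl.sh tests every address of a multi-homed host.
# Prints the number of job lines written.
build_jobfile() {
  local out="$1" line target
  : > "$out"
  while IFS= read -r line || [ -n "$line" ]; do
    target=$(clean_line "$line")
    [ -n "$target" ] || continue
    printf -- '--ip=one %s\n' "$(normalize_target "$target")" >> "$out"
  done
  wc -l < "$out" | tr -d ' '
}

# Run the job file if testssl.sh is on PATH; returns 2 when it is not,
# so the generator can be exercised offline.
run_jobfile() {
  command -v testssl.sh >/dev/null 2>&1 || return 2
  testssl.sh --file "$1"
}

# Usage: printf '%s\n' "$SAMPLE_TARGETS" | build_jobfile jobs.txt
#        run_jobfile jobs.txt
```

Review the generated file before running it: every line is executed as a full testssl.sh command, so a stray entry in the inventory becomes a scan of that host.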
