-
Notifications
You must be signed in to change notification settings - Fork 1k
Man page
testssl.sh -- check encryption of SSL/TLS servers
testssl.sh [OPTIONS]... [FILE|URI]...
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and much more.
Options are either short or long options. All options requiring a value can be called with or without '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI> is equivalent to testssl.sh --starttls smtp --wide --openssl /usr/bin/openssl <URI>. Some options can also be preset via ENV variables. WIDE=true OPENSSL=/usr/bin/openssl testssl.sh --starttls smtp <URI> would be the equivalent to the aforementioned examples. Preference has the command line over ENV.
<URI> or <FILE> needs always to be the last parameter.
-h, --help what you're looking at
-b, --banner displays banner + version of testssl.sh
-v, --version same as previous
-V, --local pretty print all local ciphers
-V, --local <pattern> which local ciphers with <pattern> are available?
(if pattern not a number: word match)
URI {host,ip,URL}:<port> (port 443 is assumed unless otherwise specified)
Please be careful: if checks for the IP address might not hit the vhost you want.
pattern an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits
protocol is one of ftp,smtp,pop3,imap,xmpp,telnet,ldap (for the latter two you need e.g. the supplied openssl)
--file <fname> Mass testing option: Reads command lines from <fname> in plaintext format, one line per instance.
Comments via # allowed, EOF signals end of <fname>. Implicitly turns on "--warnings batch".
Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked.
Besides having individual command line options per line in the supplied file you can additionally specify options on the command line.
The command line options in the file and on the command line must not conflict.
Alternatively <fname> can be in nmap's grep(p)able output format (-oG). Only open ports will be considered. Currently only 1x port per line is allowed.
The ports can be different per line, however per mass testing run they can be either STARTTLS enabled ports OR plain TLS/SSL ports, not both.
nmap returns in that output always IP addresses and -- only if there's a PTR DNS record available -- a hostname.
Unfortunately this hostname from nmap is not checked whether it matches the IP (A or AAAA record). testssl.sh does this for you:
if the A record of the hostname matches the IP address, the hostname is used and not the IP address.
Please be careful: checks against an IP address might not hit the vhost you aimed at.
--mode <serial|parallel> Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter)
-t, --starttls <protocol> does a default run against a STARTTLS enabled <protocol>
--xmpphost <to_domain> for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
--mx <domain/host> tests MX records from high to low priority (STARTTLS, port 25)
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
testssl.sh URI (testssl.sh URI does everything except -E)
-e, --each-cipher checks each local cipher remotely
-E, --cipher-per-proto checks those per protocol
-f, --ciphers checks common cipher suites
-p, --protocols checks TLS/SSL protocols
-S, --server_defaults displays the servers default picks and certificate info
-P, --preference displays the servers picks: protocol+cipher
-y, --spdy, --npn checks for SPDY/NPN
-x, --single-cipher <pattern> tests matched <pattern> of ciphers
(if <pattern> not a number: word match)
-U, --vulnerable tests all vulnerabilities
-B, --heartbleed tests for heartbleed vulnerability
-I, --ccs, --ccs-injection tests for CCS injection vulnerability
-R, --renegotiation tests for renegotiation vulnerabilities
-C, --compression, --crime tests for CRIME vulnerability
-T, --breach tests for BREACH vulnerability
-O, --poodle tests for POODLE (SSL) vulnerability
-Z, --tls-fallback checks TLS_FALLBACK_SCSV mitigation
-F, --freak tests for FREAK vulnerability
-A, --beast tests for BEAST vulnerability
-J, --logjam tests for LOGJAM vulnerability
-s, --pfs, --fs,--nsa checks (perfect) forward secrecy settings
-4, --rc4, --appelbaum which RC4 ciphers are being offered?
-H, --header, --headers tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address
Some can also be preset via environment variables.
--bugs enables the "-bugs" option of s_client and some other workarounds. This could be needed e.g. for some buggy F5 loadbalancers
--assuming-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks
--ssl-native fallback to checks with OpenSSL where sockets are normally used
--openssl <PATH> use this openssl binary (default: look in $PATH, $RUN_DIR of testssl.sh
--proxy <host>:<port> connect via the specified HTTP proxy
-6 Use also IPv6 checks. This works only with a supporting OpenSSL binary (e.g. the one supplied) and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support.
All output options can also be preset via environment variables.
--warnings <batch|off|false> "batch" doesn't wait for keypress, "off" or "false" skips connection warning
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
--wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
--show-each for wide outputs: display all ciphers tested -- not only succeeded ones
--mapping <no-rfc> don't display the RFC Cipher Suite Name
--color <0|1|2> 0: no escape or other codes, 1: b/w escape codes, 2: color (default)
--colorblind swap green and blue in the output
--debug <0-6> 0: none
1: screen output normal but debug output in temp files.
2: list more what's going on, lists some errors of connections
3: slight hexdumps + other info
4: display bytes sent via sockets
5: display bytes received via sockets
6: whole 9 yards
A few file output options can also be preset via environment variables.
--log, --logging logs stdout to <NODE-YYYYMMDD-HHMM.log> in current working directory
--logfile <logfile> logs stdout to <file/NODE-YYYYMMDD-HHMM.log> if file is a dir or to specified log file
--json additional output of findings to JSON file <NODE-YYYYMMDD-HHMM.json> in cwd
--jsonfile <jsonfile> additional output to JSON and output JSON to the specified file
--csv additional output of findings to CSV file <NODE-YYYYMMDD-HHMM.csv> in cwd
--csvfile <csvfile> set output to CSV and output CSV to the specified file
--html additional output as HTML to file <NODE>-p<port#><YYYYMMDD-HHMM>.html
--htmlfile <htmlfile> additional output as HTML to the specifed file or directory, similar to --logfile
--append if <csvfile> or <jsonfile> exists rather append then overwrite
testssl.sh testssl.sh
does a default run on https://testssl.sh (protocols, standard cipher lists, PFS, server preferences, server defaults, vulnerabilities, testing all (359 possible) ciphers, client simulation.
testssl.sh testssl.net:443
does the same default run as above with the subtle difference that testssl.net has two IPv4 addresses. Both are tested.
testssl.sh --ip=one --wide https://testssl.net:443
does the same checks as above, only (randomly) one IP address is picked. Displayed is everything where possible in wide format.
testssl.sh -t smtp smtp.gmail.com:25
implicilty does a STARTTLS handshake on the plain text port, then check the IPs @ smtp.gmail.com.
testssl.sh --starttls=imap imap.gmx.net:143
does the same on the plain text IMAP port. Please note that for plain TLS-encrypted ports you must not specify the protocol option: testssl.sh smtp.gmail.com:465 tests the encryption on the SMTPS port, testssl.sh imap.gmx.net:993 on the IMAPS port.
0 testssl.sh finished sucessfully
245 no bash used or called with sh
249 temp file generation problem
251 feature not yet supported
252 no DNS resolver found or not executable / proxy couldn't be determined from given values / -xmpphost supplied but OPENSSL too old
253 no SSL/TLS enabled server / OPENSSL too old / couldn't connect to proxy / couldn't connect via STARTTLS
254 no OPENSSL found or not exexutable / no IPv4 address could be determined / illegal STARTTLS protocol supplied / supplied file name not readable
fixme
*etc/pem Certificate stores from Linux, Mozilla Firefox, Windows 7, JDK 8
etc/mapping-rfc.txt provides a file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs
Developed by Dirk Wetter and others, see https://github.com/drwetter/testssl.sh/blob/master/CREDITS.md
Copyright © 2014 Dirk Wetter. License GPLv2: Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it under the terms of the license. Usage WITHOUT ANY WARRANTY. USE at your OWN RISK!
Known ones and interface for filing new ones: https://testssl.sh/bugs.
ciphers(1), openssl(1)