-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Man page
testssl.sh -- check encryption of SSL/TLS servers
testssl.sh [OPTIONS]... [FILE|URI]...
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as cryptographic flaws and much more.
Options are either short or long options. All options requiring a value can be called with or without '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI> is equivalent to testssl.sh --starttls smtp --wide --openssl /usr/bin/openssl <URI>. Some options can also be preset via ENV variables. WIDE=true OPENSSL=/usr/bin/openssl testssl.sh --starttls smtp <URI> would be the equivalent to the aforementioned examples. Preference has the command line over ENV.
<URI> or <FILE> needs always to be the last parameter.
-h, --help command line help
-b, --banner displays testssl.sh banner, including license, usage conditions, version of testssl.sh, detected openssl version, its path to it, # of ciphers of openssl, its build date and the architecture
-v, --version same as before
-V, --local <pattern>
-V, --local pretty print all local ciphers supported by openssl version. If a pattern is supplied it performs a match (ignore case) on any of the strings supplied in the wide output, see below. The pattern will be searched in the any of the columns: hexcode, cipher suite name (OpenSSL or RFC), key exchange, encryption, bits. It does a word pattern match for non-numbers, for number just a normal match applies. Numbers here are defined as [0-9,A-F]. This means (attention: catch) that the pattern CBC is matched as non-word, but AES as word.
URI can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. For any given parameter port 443 is assumed unless otherwise specified as <:port>. The only preceding protocol specifier allowed is https. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an /etc/hosts entry for the hostname.
--file <fname> is the mass testing option. Per default it implicitly turns on --warnings batch.
In its first incarnation the mass testing option reads command lines from <fname>. <fname> consists of command lines of testssl, one line per instance. Comments after # are ignored, EOF signals the end of <fname>. When invoking testssl.sh --file <fname> you can also supply additional options which will be inherited to each child. The commands are parsed upon execution. So if there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies.
Alternatively <fname> can be in nmap's grep(p)able output format (-oG). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl.sh according to common practice in the internet, .i.e. if nmap shows in its output an open port 25, automatically -t smtp will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront.
The nmap output always returns IP addresses and -- only if there's a PTR DNS record available -- a hostname. Unfortunately it is not checked by nmap whether it matches the IP (A or AAAA record). testssl.sh does this for you and if the A record of the hostname matches the IP address, the hostname is used and not the IP address. As stated above, checks against an IP address might not hit the vhost you maybe was aiming at.
--mode <serial|parallel>. Mass testing to be done serial (default) or parallel (--parallel is shortcut for the latter, --serial is the opposite option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked.
-t, --starttls <protocol> does a default run against a STARTTLS enabled <protocol>. <protocol> is one of ftp,smtp,pop3,imap,xmpp,telnet,ldap, postgres For the latter three two you need e.g. the supplied openssl.
--xmpphost <jabber_domain> is an additional option for STARTTLS, specifically for STARTTLS enabled XMPP: It expects as a parameter the jabber domain. This is only needed if the domain is different from the URI supplied.
--mx <domain/host> tests all MX records (STARTTLS, port 25) from high to low priority one after the other.
--ip <ip> a) tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in URI. b) --ip=one means: just test the first DNS returns (useful for multiple IPs). It's also useful if you want to resolve the supplied hostname to a different IP, similar as if you would edit /etc/hosts.
testssl.sh URI (testssl.sh URI does everything except -E)
-e, --each-cipher checks each local cipher remotely
-E, --cipher-per-proto checks those per protocol
-f, --ciphers checks common cipher suites
-p, --protocols checks TLS/SSL protocols
-S, --server_defaults displays the servers default picks and certificate info
-P, --preference displays the servers picks: protocol+cipher
-y, --spdy, --npn checks for SPDY/NPN
-x, --single-cipher <pattern> tests matched <pattern> of ciphers
(if <pattern> not a number: word match)
-U, --vulnerable tests all vulnerabilities
-B, --heartbleed tests for heartbleed vulnerability
-I, --ccs, --ccs-injection tests for CCS injection vulnerability
-R, --renegotiation tests for renegotiation vulnerabilities
-C, --compression, --crime tests for CRIME vulnerability
-T, --breach tests for BREACH vulnerability
-O, --poodle tests for POODLE (SSL) vulnerability
-Z, --tls-fallback checks TLS_FALLBACK_SCSV mitigation
-F, --freak tests for FREAK vulnerability
-A, --beast tests for BEAST vulnerability
-J, --logjam tests for LOGJAM vulnerability
-s, --pfs, --fs,--nsa checks (perfect) forward secrecy settings
-4, --rc4, --appelbaum which RC4 ciphers are being offered?
-H, --header, --headers tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address
Some can also be preset via environment variables.
--bugs enables the "-bugs" option of s_client and some other workarounds. This could be needed e.g. for some buggy F5 loadbalancers
--assuming-http if protocol check fails it assumes HTTP protocol and enforces HTTP checks
--ssl-native fallback to checks with OpenSSL where sockets are normally used
--openssl <PATH> use this openssl binary (default: look in $PATH, $RUN_DIR of testssl.sh
--proxy <host>:<port> connect via the specified HTTP proxy
-6 Use also IPv6 checks. This works only with a supporting OpenSSL binary (e.g. the one supplied) and IPv6 connectivity. testssl.sh does no connectivity checks for IPv6, it also cannot determine reliably whether the OpenSSL binary you are using has IPv6 support.
All output options can also be preset via environment variables.
--warnings <batch|off|false> "batch" doesn't wait for keypress, "off" or "false" skips connection warning
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
--wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
--show-each for wide outputs: display all ciphers tested -- not only succeeded ones
--mapping <no-rfc> don't display the RFC Cipher Suite Name
--color <0|1|2> 0: no escape or other codes, 1: b/w escape codes, 2: color (default)
--colorblind swap green and blue in the output
--debug <0-6> 0: none
1: screen output normal but debug output in temp files.
2: list more what's going on, lists some errors of connections
3: slight hexdumps + other info
4: display bytes sent via sockets
5: display bytes received via sockets
6: whole 9 yards
A few file output options can also be preset via environment variables.
--log, --logging logs stdout to <NODE-YYYYMMDD-HHMM.log> in current working directory
--logfile <logfile> logs stdout to <file/NODE-YYYYMMDD-HHMM.log> if file is a dir or to specified log file
--json additional output of findings to JSON file <NODE-YYYYMMDD-HHMM.json> in cwd
--jsonfile <jsonfile> additional output to JSON and output JSON to the specified file
--csv additional output of findings to CSV file <NODE-YYYYMMDD-HHMM.csv> in cwd
--csvfile <csvfile> set output to CSV and output CSV to the specified file
--html additional output as HTML to file <NODE>-p<port#><YYYYMMDD-HHMM>.html
--htmlfile <htmlfile> additional output as HTML to the specifed file or directory, similar to --logfile
--append if <csvfile> or <jsonfile> exists rather append then overwrite
testssl.sh testssl.sh
does a default run on https://testssl.sh (protocols, standard cipher lists, PFS, server preferences, server defaults, vulnerabilities, testing all (359 possible) ciphers, client simulation.
testssl.sh testssl.net:443
does the same default run as above with the subtle difference that testssl.net has two IPv4 addresses. Both are tested.
testssl.sh --ip=one --wide https://testssl.net:443
does the same checks as above, only (randomly) one IP address is picked. Displayed is everything where possible in wide format.
testssl.sh -t smtp smtp.gmail.com:25
implicilty does a STARTTLS handshake on the plain text port, then check the IPs @ smtp.gmail.com.
testssl.sh --starttls=imap imap.gmx.net:143
does the same on the plain text IMAP port. Please note that for plain TLS-encrypted ports you must not specify the protocol option: testssl.sh smtp.gmail.com:465 tests the encryption on the SMTPS port, testssl.sh imap.gmx.net:993 on the IMAPS port.
0 testssl.sh finished sucessfully
245 no bash used or called with sh
249 temp file generation problem
251 feature not yet supported
252 no DNS resolver found or not executable / proxy couldn't be determined from given values / -xmpphost supplied but OPENSSL too old
253 no SSL/TLS enabled server / OPENSSL too old / couldn't connect to proxy / couldn't connect via STARTTLS
254 no OPENSSL found or not exexutable / no IPv4 address could be determined / illegal STARTTLS protocol supplied / supplied file name not readable
fixme
*etc/pem Certificate stores from Linux, Mozilla Firefox, Windows 7, JDK 8
etc/mapping-rfc.txt provides a file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs
Developed by Dirk Wetter and others, see https://github.com/drwetter/testssl.sh/blob/master/CREDITS.md
Copyright © 2014 Dirk Wetter. License GPLv2: Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it under the terms of the license. Usage WITHOUT ANY WARRANTY. USE at your OWN RISK!
Known ones and interface for filing new ones: https://testssl.sh/bugs.
ciphers(1), openssl(1)