TestSSL.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers and protocols, as well as for recent cryptographic flaws and more.
testssl.sh is highly portable. It works on every Linux, Mac OS X and FreeBSD distribution and on MSYS2/Cygwin, and it should also work on any other unixoid system. A newer OpenSSL version (1.0) is needed though, and /bin/bash is a prerequisite – without it there would be no socket support.
- Clear output: you can tell easily whether anything is good or bad
- Ease of installation: It works for Linux, Darwin, FreeBSD and MSYS2/Cygwin out of the box: no need to install or configure something, no gems, CPAN, pip or the like.
- Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443
- Toolbox: Several command line options help you to run YOUR test and configure YOUR output
- Reliability: features are tested thoroughly
- Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you’ll get a warning
- Privacy: It’s only you who sees the result, not a third party
- Freedom: It’s 100% open source. You can look at the code, see what’s going on and you can change it.
- Heck, even the development is open (github)
- Display matching host key (HPKP)
- LOGJAM 1: check DHE_EXPORT cipher
- LOGJAM 2: displays DH(/ECDH) bits in wide mode on negotiated ciphers
- "Wide mode" option for checks like RC4, BEAST and PFS: displays hexcode, kx, strength, DH bits and RFC name
- Binary directory provides out of the box better binaries (Linux 32+64 Bit, Darwin 64 bit, FreeBSD 64 bit)
- OS X binaries (@jvehent, new builds: @jpluimers)
- ARM binary (@f-s)
- FreeBSD binary
- TLS_FALLBACK_SCSV check – thanks @JonnyHightower
- (HTTP) proxy support, also with sockets – thanks @jnewbigin
- Extended validation certificate detection
- A default run now also goes through all ciphers at the end
- Tests multiple IP addresses of one supplied server name in one shot; --ip= restricts the test to the given address
- New mass testing option --file: testssl.sh command lines are read from the given file, see https://twitter.com/drwetter/status/627619848344989696
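The --file option reads one testssl.sh command line per line, so a mass test is just a matter of generating that file from an inventory. The script below is an added example, not part of testssl.sh or of the original post: it turns a constructed "host port" list into such a command file, adding --ip=one (mentioned above as the option that restricts a multi-IP name to one address) and a STARTTLS protocol for the usual mail/FTP ports. The --starttls option name and the exact set of supported protocol names are assumptions; check `testssl.sh --help` on your build before relying on them.

```shell
#!/usr/bin/env bash
# Added example (not part of testssl.sh): build a command file for
# `testssl.sh --file <cmdfile>`. Each line of that file is one testssl.sh
# command line: options followed by host[:port]. --file and --ip= are the
# options named in the release notes; --starttls is assumed (verify with --help).

# Constructed input: one "host port" pair per line, '#' starts a comment.
HOSTS_INPUT='# host             port
web.example.test 443
mail.example.test 25
imap.example.test 993
'

# Map a port to the STARTTLS protocol name (assumed list), or print nothing
# for ports that speak TLS directly.
starttls_for_port() {
  case "$1" in
    25|587) echo "smtp" ;;
    110)    echo "pop3" ;;
    143)    echo "imap" ;;
    21)     echo "ftp" ;;
    *)      echo "" ;;
  esac
}

# Print one testssl.sh command line for the given host and port.
build_cmd_line() {
  local host="$1" port="$2" proto
  proto=$(starttls_for_port "$port")
  if [ -n "$proto" ]; then
    printf '%s --starttls %s %s:%s\n' "--ip=one" "$proto" "$host" "$port"
  else
    printf '%s %s:%s\n' "--ip=one" "$host" "$port"
  fi
}

# Read "host port" pairs from stdin, skip blanks and comments, emit the file.
build_cmd_file() {
  local host port
  while read -r host port _; do
    case "$host" in ''|'#'*) continue ;; esac
    build_cmd_line "$host" "$port"
  done
}

# Usage:
#   printf '%s' "$HOSTS_INPUT" | build_cmd_file > mass.txt
#   ./testssl.sh --file mass.txt
```

Keeping the inventory separate from the generated command file means the same list can be re-run after a release upgrade, and any per-host options (a different --ip=, an extra check) are added in one place rather than typed by hand.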
- TLS time and HTTP time stamps
- TLS time displayed also for STARTTLS protocols
- Support of sockets for STARTTLS protocols
- TLS 1.0 and 1.1 checks are performed via sockets by default in production
- Further detection of security relevant headers (reverse proxy, IPv4 addresses), proprietary banners (OWA, Liferay etc.)
- Can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML streams).
- Quite a few LibreSSL fixes, although LibreSSL is still not recommended (see https://testssl.sh/)
- Lots of fixes, code improvements, even more robust
Download TestSSL.sh v2.6: https://github.com/drwetter/testssl.sh
Thanks to Dirk Wetter, for sharing this tool with us.