Published on June 8th, 2016 | by MaxiSoler

TestSSL.sh v2.6 – Command Line Tool for TLS/SSL

TestSSL.sh is a free command line tool which checks a server’s service on any port for support of TLS/SSL ciphers and protocols, as well as recent cryptographic flaws and more.

testssl.sh is pretty much portable/compatible. It works on every Linux, Mac OS X and FreeBSD distribution, and on MSYS2/Cygwin. It is also supposed to work on any other Unix-like system. A newer OpenSSL version (1.0) is needed, though. /bin/bash is a prerequisite – otherwise there would be no sockets.

Features:

  • Clear output: you can tell easily whether anything is good or bad
  • Ease of installation: It works for Linux, Darwin, FreeBSD and MSYS2/Cygwin out of the box: no need to install or configure anything, no gems, CPAN, pip or the like.
  • Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443
  • Toolbox: Several command line options help you to run YOUR test and configure YOUR output
  • Reliability: features are tested thoroughly
  • Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you’ll get a warning
  • Privacy: It’s only you who sees the result, not a third party
  • Freedom: It’s 100% open source. You can look at the code, see what’s going on and you can change it.
  • Heck, even the development is open (GitHub)

Changelog v2.6

  • Display matching host key (HPKP)
  • LOGJAM 1: check DHE_EXPORT cipher
  • LOGJAM 2: displays DH(/ECDH) bits in wide mode on negotiated ciphers
  • “Wide mode” option for checks like RC4, BEAST, PFS. Displays hexcode, kx, strength, DH bits, RFC name
  • Binary directory provides out of the box better binaries (Linux 32+64 Bit, Darwin 64 bit, FreeBSD 64 bit)
  • OS X binaries (@jvehent, new builds: @jpluimers)
  • ARM binary (@f-s)
  • FreeBSD binary
  • TLS_FALLBACK_SCSV check — thx @JonnyHightower
  • (HTTP) proxy support! Also with sockets — thx @jnewbigin
  • Extended validation certificate detection
  • Run in default mode through all ciphers at the end of a default run
  • Will test multiple IP addresses of one supplied server name in one shot, --ip= restricts it accordingly
  • New mass testing option --file, where testssl.sh commands are read from a file, see https://twitter.com/drwetter/status/627619848344989696
  • TLS time and HTTP time stamps
  • TLS time displayed also for STARTTLS protocols
  • Support of sockets for STARTTLS protocols
  • TLS 1.0-1.1 as socket checks per default in production
  • Further detection of security relevant headers (reverse proxy, IPv4 addresses), proprietary banners (OWA, Liferay etc.)
  • Can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML streams).
  • Quite some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/)
  • Lots of fixes, code improvements, even more robust

More Information: here

Thanks to Dirk Wetter, for sharing this tool with us.



About the Author

www.artssec.com @maxisoler


