testssl
Test TLS/SSL encryption of a server
TLDR
Test a server (run every check) on port 443
Test a different port
Only check available protocols
Only check vulnerabilities
Only check HTTP security headers
Test other STARTTLS-enabled protocols
SYNOPSIS
testssl.sh [OPTIONS] <TARGET>
PARAMETERS
-h, --help
Displays the command's help message and exits.
-v, --version
Shows the version information of testssl.
-p, --protocols
Tests all supported SSL/TLS protocols, reporting which ones are enabled.
-e, --each-cipher
Tests each cipher separately, providing detailed output for every supported cipher.
-S, --suites
Shows all supported ciphers, grouped by protocol.
-B, --heartbleed
Specifically checks for the Heartbleed vulnerability.
-D, --drown
Checks for the DROWN vulnerability, which affects servers allowing SSLv2 connections.
-L, --logjam
Tests for the Logjam vulnerability, related to weak Diffie-Hellman key exchange.
--ip=<ip>
Connects to a specific IP address of the target, useful for multi-homed servers.
--starttls <protocol>
Tests STARTTLS support for specified protocols (e.g., smtp, imap, xmpp).
--json, --jsonfile=<file>
Outputs results in JSON format, optionally writing to a specified file. Ideal for programmatic parsing.
--html, --htmlfile=<file>
Outputs results in HTML format, optionally writing to a specified file. Suitable for reports.
--quiet, -q
Suppresses all output except for the final results summary.
DESCRIPTION
testssl is a robust, free, and command-line driven tool for checking a server's SSL/TLS (Secure Sockets Layer/Transport Layer Security) configuration. It performs a deep analysis of cryptographic protocols, ciphers, and security flaws, helping administrators identify and mitigate potential vulnerabilities such as Heartbleed, POODLE, BEAST, FREAK, Logjam, DROWN, and ROBOT. Beyond vulnerability detection, it also scrutinizes certificate details, server preferences, renegotiation capabilities, HSTS implementation, and OCSP stapling, providing a detailed, color-coded report. Its broad support for IPv4/IPv6 and STARTTLS (for protocols like SMTP, XMPP, LDAP, POP3, IMAP, FTP, RDP, PostgreSQL, MySQL) makes it an invaluable tool for ensuring comprehensive server security and compliance.
CAVEATS
testssl can be resource-intensive and time-consuming for full scans, especially on large numbers of targets.
It relies on an external openssl installation; its capabilities are limited by the features compiled into the local openssl version.
It is not typically included in standard Linux distributions' repositories and often requires manual installation from its GitHub repository.
Some deep vulnerability checks might trigger intrusion detection/prevention systems (IDS/IPS).
EXTENSIVE VULNERABILITY CHECKS
testssl is renowned for its comprehensive suite of built-in checks for a vast array of known SSL/TLS vulnerabilities, including but not limited to Heartbleed, POODLE, BEAST, CRIME, FREAK, Logjam, DROWN, SWEET32, and ROBOT. This makes it an indispensable tool for quickly assessing a server's resilience against common and historical cryptographic attacks.
FLEXIBLE OUTPUT FORMATS
Beyond its default human-readable, color-coded terminal output, testssl supports various output formats. Users can generate results in JSON for easy programmatic integration and parsing, or in HTML for convenient reporting and archival, enhancing its utility in automated security pipelines and documentation.
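An added example of that programmatic integration (not code from testssl.sh or from this page): a small Python consumer of the flat JSON array written by --jsonfile, which filters findings by severity and acts as a CI gate. It assumes the flat record layout (id, ip, port, severity, finding) and embeds a constructed sample array rather than real scan output.

```python
import json
from collections import defaultdict

# Severity strings testssl.sh writes into the "severity" field, least to most serious.
# WARN/FATAL describe tool problems rather than server findings, so they rank as unknown.
SEVERITY_ORDER = ["DEBUG", "INFO", "OK", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def severity_rank(level):
    """Numeric rank of a severity string; anything outside SEVERITY_ORDER ranks as -1."""
    try:
        return SEVERITY_ORDER.index(str(level).upper())
    except ValueError:
        return -1

def load_report(text):
    """Parse the flat JSON array written by `testssl.sh --jsonfile <file>`."""
    return json.loads(text)

def findings_at_or_above(report, threshold="MEDIUM"):
    """Findings whose severity reaches the threshold, most severe first."""
    minimum = severity_rank(threshold)
    if minimum < 0:
        raise ValueError(f"unknown severity threshold: {threshold}")
    hits = [f for f in report if severity_rank(f.get("severity")) >= minimum]
    return sorted(hits, key=lambda f: severity_rank(f["severity"]), reverse=True)

def summarize_by_host(report):
    """Count findings per host:port and severity for a fleet-wide overview."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in report:
        counts[f"{f.get('ip', '?')}:{f.get('port', '?')}"][f.get("severity", "UNKNOWN")] += 1
    return {host: dict(sev) for host, sev in counts.items()}

def gate_passes(report, threshold="HIGH"):
    """CI-style gate: True only when no finding reaches the threshold."""
    return not findings_at_or_above(report, threshold)

# Constructed sample in the --jsonfile record layout; not output from a real scan.
SAMPLE_JSON = """[
 {"id": "SSLv2", "ip": "example.com/203.0.113.10", "port": "443", "severity": "OK", "finding": "not offered"},
 {"id": "TLS1", "ip": "example.com/203.0.113.10", "port": "443", "severity": "LOW", "finding": "offered (deprecated)"},
 {"id": "SWEET32", "ip": "example.com/203.0.113.10", "port": "443", "severity": "LOW", "finding": "uses 64 bit block ciphers"},
 {"id": "HSTS", "ip": "example.com/203.0.113.10", "port": "443", "severity": "MEDIUM", "finding": "not offered"},
 {"id": "cert_expirationStatus", "ip": "example.com/203.0.113.10", "port": "443", "severity": "CRITICAL", "finding": "expired"}
]"""

if __name__ == "__main__":
    report = load_report(SAMPLE_JSON)
    for f in findings_at_or_above(report, "MEDIUM"):
        print(f"{f['severity']:<9}{f['id']:<24}{f['finding']}")
    print("gate:", "PASS" if gate_passes(report) else "FAIL")
```

In a pipeline, replace SAMPLE_JSON with the contents of the file named by --jsonfile and fail the job when gate_passes returns False.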
BROAD PROTOCOL SUPPORT INCLUDING STARTTLS
A key strength of testssl is its ability to test SSL/TLS configurations not just for HTTPS, but also for a wide range of other protocols via STARTTLS. This includes services like SMTP, IMAP, POP3, FTP, XMPP, LDAP, RDP, PostgreSQL, and MySQL, ensuring a holistic security assessment across an organization's entire service landscape.
HISTORY
testssl.sh was initially developed by Dirk Wetter in 2012 as a robust tool for SSL/TLS server auditing. Its comprehensive feature set, ease of use, and continuous updates, incorporating new vulnerabilities and best practices, quickly propelled it to become a widely adopted standard for security professionals and system administrators worldwide. Its development remains active, ensuring it stays current with evolving cryptographic threats.