testssl

TLDR

Test server

$ testssl [example.com]

Test specific port

$ testssl [example.com:8443]

Quick test

$ testssl --fast [example.com]

Show all ciphers

$ testssl -E [example.com]

Check vulnerabilities only

$ testssl -U [example.com]

HTML output

$ testssl --html [example.com]

JSON output

$ testssl --jsonfile [output.json] [example.com]

Quiet mode

$ testssl --quiet [example.com]

SYNOPSIS

testssl [-E] [-U] [--fast] [--html] [--jsonfile file] [options] target

testssl checks TLS/SSL encryption on servers. It identifies vulnerabilities, weak ciphers, and configuration problems.
Protocol testing shows which TLS versions are enabled. Old protocols (SSLv3, TLS 1.0, TLS 1.1) are security risks.
Vulnerability scanning checks for BEAST, POODLE, Heartbleed, ROBOT, and other known attacks.
Cipher analysis reveals weak encryption. Export ciphers, NULL encryption, and RC4 are flagged.
Certificate inspection shows validity, chain, and trust issues. It identifies expiring, self-signed, or misconfigured certificates.
The tool is a bash script requiring OpenSSL. It works on any Unix-like system without installation.

PARAMETERS

-E, --each-cipher

Test each cipher.

-e, --cipher-per-proto

Ciphers per protocol.

-U, --vulnerable

Vulnerability checks.

-S, --server-defaults

Server defaults.

-P, --protocols

Protocol support.

-H, --headers

HTTP headers.

--fast

Quick check.

--html

HTML output.

--jsonfile FILE

JSON output.

--csvfile FILE

CSV output.

--quiet

Minimal output.

--color N

Color mode (0-3).

--connect-timeout SEC

Connection timeout.

--openssl PATH

Custom OpenSSL path.

CAVEATS

Thorough scans take time. Some checks may trigger IDS. Depends on OpenSSL version for some tests. Not all vulnerabilities detectable remotely.

HISTORY

testssl.sh was created by Dirk Wetter starting around 2012. It provides comprehensive TLS testing without requiring complex setup, becoming a standard tool for security assessments.