TESTSSL(1)

testssl

testssl -- check encryption of SSL/TLS servers

testssl [OPTIONS] <URI>, testssl [OPTIONS] --file <FILE>

or

testssl [BANNER OPTIONS]
17
testssl is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as cryptographic flaws and much more.

The output rates findings by color (screen) or severity (file output) so that you are able to tell whether something is good or bad. The (screen) output has several sections in which classes of checks are being performed. To ease readability on the screen it aligns and indents the output properly.

Only you see the result. You also can use it internally on your LAN. Except for DNS lookups, or unless you instruct testssl to check for revocation of certificates, it doesn't use any other hosts or even third parties for any test.

Testssl.sh is out of the box portable: it runs under any Unix-like stack: Linux, *BSD, MacOS X, WSL=Windows Subsystem for Linux, Cygwin and MSYS2. bash is a prerequisite, also version 3 is still supported. Standard utilities like awk, sed, tr and head are also needed. These can be of a BSD, System 5 or GNU flavor, whereas grep from System V is not yet supported.

Any OpenSSL or LibreSSL version is needed as a helper. Unlike previous versions of testssl almost every check is done via (TCP) sockets. In addition statically linked OpenSSL binaries for major operating systems are supplied in ./bin/.

testssl URI as the default invocation does the so-called default run, which does a number of checks and puts out the results colorized (ANSI and termcap) on the screen. It does every check listed below except -E, which are (in order of appearance):
52
0) displays a banner (see below), does a DNS lookup also for further IP addresses and does a reverse lookup for the returned IP address. Last but not least a service check is being done.

1) SSL/TLS protocol check

2) standard cipher categories to give you upfront an idea of the ciphers supported

3) checks (perfect) forward secrecy: ciphers and elliptical curves

4) server preferences (server order)

5) server defaults (certificate info, TLS extensions, session information)

6) HTTP header (if HTTP detected or being forced via --assume-http)

7) vulnerabilities

8) testing each of 370 preconfigured ciphers

9) client simulation
76
Options are either short or long options. Any long or short option requiring a value can be called with or without an equal sign. E.g. testssl -t=smtp --wide --openssl=/usr/bin/openssl <URI> (short options with equal sign) is equivalent to testssl --starttls smtp --wide --openssl /usr/bin/openssl <URI> (long option without equal sign). Some command line options can also be preset via ENV variables. WIDE=true OPENSSL=/usr/bin/openssl testssl --starttls=smtp <URI> would be the equivalent to the aforementioned examples. The command line takes preference over any environment variables.

<URI> or --file <FILE> always needs to be the last parameter.
89
BANNER OPTIONS

--help (or no arg) displays command line help

-b, --banner displays the testssl banner, including license, usage conditions, version of testssl, detected openssl version, its path, # of ciphers of openssl, its build date and the architecture.

-v, --version same as -b, --banner

-V [pattern], --local [pattern] pretty prints all local ciphers supported by the openssl version. If a pattern is supplied it performs a match (ignore case) on any of the strings supplied in the wide output, see below. The pattern will be searched in any of the columns: hexcode, cipher suite name (OpenSSL or IANA), key exchange, encryption, bits. It does a word pattern match for non-numbers, for numbers just a normal match applies. Numbers here are defined as [0-9,A-F]. This means (attention: catch) that the pattern CBC is matched as non-word, but AES as word.
108
INPUT PARAMETERS

URI can be a hostname, an IPv4 or IPv6 address (restriction see below) or a URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is https. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an /etc/hosts entry for the hostname.

--file <fname> or the equivalent -iL <fname> are mass testing options. Per default it implicitly turns on --warnings batch. In its first incarnation the mass testing option reads command lines from fname. fname consists of command lines of testssl, one line per instance. Comments after # are ignored, EOF signals the end of fname, any subsequent lines will be ignored too. You can also supply additional options which will be inherited by each child, e.g. when invoking testssl --wide --log --file <fname>. Each single line in fname is parsed upon execution. If there's a conflicting option and serial mass testing is being performed, the check will be aborted at the time it occurs, depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.
131
Alternatively fname can be in nmap's grep(p)able output format (-oG). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl according to common practice on the internet, i.e. if nmap shows in its output an open port 25, automatically -t smtp will be added before the URI, whereas port 465 will be treated as a plain TLS/SSL port, not requiring a STARTTLS SMTP handshake upfront. This is done by an internal table which correlates the open port detected by nmap to the STARTTLS/plain text decision of testssl.

Nmap's output always returns IP addresses, and a hostname only if there's a PTR DNS record available. As nmap does not check whether the hostname matches the IP (A or AAAA record), testssl does this automatically for you. If the A record of the hostname matches the IP address, the hostname is used and not the IP address. Please keep in mind that checks against an IP address might not hit the vhost you were aiming at and thus may lead to different results.

A typical internal conversion to testssl file format from nmap's grep(p)able format could look like:

    10.10.12.16:443
    10.10.12.16:1443
    -t smtp host.example.com:25
    host.example.com:443
    host.example.com:631
    -t ftp 10.10.12.11:21
    10.10.12.11:8443

Please note that fname has to be in Unix format. DOS carriage returns won't be accepted. Instead of the command line switch the environment variable FNAME will be honored too.
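The conversion described above, written out as an added example (this is not testssl's own code): it parses nmap -oG lines, keeps only open TCP ports, uses nmap's PTR name only when it resolves back to the scanned IP, and prefixes STARTTLS ports with -t <protocol>. The port table is an assumption modelled on the man page (25, 21 and 465) plus standard IANA ports, not testssl's internal table; the nmap output and the DNS stand-in are constructed.

```python
"""Convert nmap grepable output (-oG) into lines for testssl --file <fname>.

Added example, not part of testssl.sh. STARTTLS_PORTS is an assumption
modelled on the man page (25 -> -t smtp, 21 -> -t ftp, 465 -> plain TLS);
the other entries are standard IANA ports, not testssl's internal table.
"""
import re
import socket
from typing import Callable, Dict, List

# Assumed table: open port -> STARTTLS protocol. Ports not listed here
# (443, 465, 8443, ...) are treated as plain TLS/SSL ports.
STARTTLS_PORTS: Dict[int, str] = {
    21: "ftp", 25: "smtp", 587: "smtp", 110: "pop3", 143: "imap",
    119: "nntp", 389: "ldap", 5222: "xmpp", 5432: "postgres", 3306: "mysql",
}

# "Host: 10.10.12.16 (host.example.com)" -- the PTR name inside () may be empty.
_HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(([^)]*)\)")


def _default_resolve(hostname: str) -> List[str]:
    """Forward lookup (A and AAAA records) via the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None)})


def _name_matches_ip(hostname: str, ip: str,
                     resolve: Callable[[str], List[str]]) -> bool:
    """Mirror testssl: use nmap's PTR name only if its A/AAAA record is the IP."""
    try:
        return ip in resolve(hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def nmap_grepable_to_testssl(text: str,
                             resolve: Callable[[str], List[str]] = _default_resolve
                             ) -> List[str]:
    """Return testssl command lines, one per open TCP port, in nmap's order."""
    out: List[str] = []
    for line in text.splitlines():  # splitlines() also tolerates CRLF endings
        if not line or line.startswith("#") or "Ports:" not in line:
            continue  # comments and "Status: Up" lines carry no ports
        m = _HOST_RE.search(line)
        if not m:
            continue
        ip, ptr_name = m.group(1), m.group(2).strip()
        target = ptr_name if ptr_name and _name_matches_ip(ptr_name, ip, resolve) else ip
        if ":" in target:  # IPv6 literals must be bracketed for testssl
            target = f"[{target}]"
        # -oG fields are tab separated; a port entry reads
        # port/state/protocol/owner/service/rpcinfo/version/
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3 or not parts[0].isdigit():
                continue
            port, state, proto = int(parts[0]), parts[1], parts[2]
            if state != "open" or proto != "tcp":
                continue  # only open TCP ports are considered
            prefix = f"-t {STARTTLS_PORTS[port]} " if port in STARTTLS_PORTS else ""
            out.append(f"{prefix}{target}:{port}")
    return out


# Constructed sample of nmap -oG output (not a real scan). host.example.com
# resolves back to its IP; stale.example.com is a PTR name whose A record differs.
SAMPLE_NMAP_OG = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.10.12.16 ()\tPorts: 443/open/tcp//https///, 1443/open/tcp//ies-lm///, "
    "25/closed/tcp//smtp///\tIgnored State: filtered (3)\n"
    "Host: 10.10.12.13 (host.example.com)\tPorts: 25/open/tcp//smtp///, "
    "443/open/tcp//https///, 631/open/tcp//ipp///\n"
    "Host: 10.10.12.11 (stale.example.com)\tPorts: 21/open/tcp//ftp///, "
    "465/open/tcp//smtps///, 8443/open/tcp//https-alt///\n"
    "Host: 10.10.12.20 ()\tStatus: Up\n"
)

# Offline stand-in for DNS so the sample runs without network access.
_FAKE_DNS = {"host.example.com": ["10.10.12.13"], "stale.example.com": ["10.10.12.99"]}


def convert_sample() -> List[str]:
    return nmap_grepable_to_testssl(SAMPLE_NMAP_OG, resolve=lambda h: _FAKE_DNS.get(h, []))


if __name__ == "__main__":
    # Redirect the output into a file and pass it to testssl via --file.
    print("\n".join(convert_sample()))
```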
168
--mode <serial|parallel>. Mass testing to be done serially (default) or in parallel (--parallel is a shortcut for the latter, --serial is the opposite option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked. The variable MASS_TESTING_MODE can be defined to be either equal to serial or parallel.

--warnings <batch|off>. The warnings parameter determines how testssl will deal with situations where user input normally will be necessary. There are two options. batch doesn't wait for a confirming keypress when a client- or server-side problem is encountered. As of 3.0 it then just terminates the particular scan. This is automatically chosen for mass testing (--file). off just skips the warning and the confirmation but continues the scan, independent of whether it makes sense or not. Please note that there are conflicts where testssl will still ask for confirmation, which are the ones which otherwise would have a drastic impact on the results. Almost any other decision will be made in the future as a best guess by testssl. The same can be achieved by setting the environment variable WARNINGS.

--connect-timeout <seconds> This is useful for socket TCP connections to a node. If the node does not complete a TCP handshake (e.g. because it is down or behind a firewall or there's an IDS or a tarpit) testssl may usually hang for around 2 minutes or even much more. This parameter instructs testssl to wait at most seconds for the handshake to complete before giving up. This option only works if your OS has a timeout binary installed. CONNECT_TIMEOUT is the corresponding environment variable.

--openssl-timeout <seconds> This is especially useful for all connects using openssl and practically useful for mass testing. It avoids the openssl connect hanging for ~2 minutes. The expected parameter seconds instructs testssl how long to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of timeout, it automatically calls the binary with the right parameters. OPENSSL_TIMEOUT is the equivalent environment variable.

--basicauth <user:pass> This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.
209
SPECIAL INVOCATIONS

-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with --ssl-native. telnet and irc are WIP.

--xmpphost <jabber_domain> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.

--mx <domain|host> tests all MX records (STARTTLS on port 25) from high to low priority, one after the other.

--ip <ip> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <URI>. IPv6 addresses need to be supplied in square brackets. --ip=one means: just test the first A record DNS returns (useful for multiple IPs). If -6 and --ip=one was supplied an AAAA record will be picked if available. The --ip option might also be useful if you want to resolve the supplied hostname to a different IP, similar to editing /etc/hosts or /c/Windows/System32/drivers/etc/hosts. --ip=proxy tries a DNS resolution via proxy.

--proxy <host>:<port> does ANY check via the specified proxy. --proxy=auto inherits the proxy setting from the environment. The hostname supplied will be resolved to the first A record. In addition, if you want lookups via proxy you can specify DNS_VIA_PROXY=true. OCSP revocation checking (-S --phone-out) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for outgoing port 80 and 443 being blocked in your network, an OCSP revocation check won't be performed. However if IGN_OCSP_PROXY=true has been supplied it will be tried directly. Authentication to the proxy is not supported. Proxying via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is supported.

-6 does (also) IPv6 checks. Please note that testssl doesn't perform checks on an IPv6 address automatically, for two reasons: testssl does no connectivity checks for IPv6 and it cannot determine reliably whether the OpenSSL binary you're using has IPv6 s_client support. -6 assumes both are the case. If both conditions are met and you in general prefer to test IPv6 branches as well you can add HAS_IPv6 to your shell environment. Besides the OpenSSL binary supplied, IPv6 is known to work with vanilla OpenSSL >= 1.1.0 and older versions >= 1.0.2 in RHEL/CentOS/FC and Gentoo.

--ssl-native Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl uses the latter (almost) only. This is faster at the moment but provides less accurate results, especially for the client simulation and for cipher support. For all checks you will see a warning if testssl cannot tell whether a particular check can be performed. For some checks however you might end up getting false negatives without a warning. This option is only recommended if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and ciphers provided by your openssl binary.

--openssl <path_to_openssl> testssl tries very hard to find automagically the binary supplied (where the tree of testssl resides, the directory testssl has been started from, etc.). If all that doesn't work it falls back to the openssl supplied by the OS ($PATH). With this option you can point testssl to your binary of choice and override any internal magic to find the openssl binary. (Environment preset via OPENSSL=<path_to_openssl>).
273
TUNING OPTIONS

--bugs does some workarounds for buggy servers like padding for old F5 devices. The option is passed as -bugs to openssl when needed, see s_client(1), environment preset via BUGS="-bugs" (1x dash). For the socket part testssl always has workarounds in place to cope with broken server implementations.

--assume-http testssl normally does an upfront application protocol detection. In cases where HTTP cannot be automatically detected you may want to use this option. It forces testssl not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation. Please note that sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.

-n, --nodns <min|none> tells testssl which DNS lookups should be performed. min uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. none performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, use --ip or have the IP address in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. NODNS is the environment variable for this.

--sneaky For HTTP header checks testssl normally uses the server friendly HTTP user agent TLS tester from ${URL}. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via SNEAKY=true).

--ids-friendly is a switch which may help to get a scan finished which otherwise would be blocked by a server side IDS. This switch skips tests for the following vulnerabilities: Heartbleed, CCS Injection, Ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe MAX_WAITSOCK.

--phone-out Checking for revoked certificates via CRL and OCSP is not done per default. This switch instructs testssl to query URIs which are external -- in the sense of the current run. By using this switch you acknowledge that the check might have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting the endpoint which testssl doesn't handle. PHONE_OUT is the environment variable for this, which needs to be set to true if you want this.

--add-ca <cafile> enables you to add your own CA(s) for trust chain checks. cafile can be a single path or multiple paths as a comma separated list of root CA files. Internally they will be added during runtime to all CA stores. This is (only) useful for internal hosts whose certificates are issued by internal CAs. Alternatively ADDITIONAL_CA_FILES is the environment variable for this.
331
SINGLE CHECK OPTIONS

Any single check switch supplied as an argument prevents testssl from doing a default run. It just takes this and, if supplied, other options and runs them - in the order they would also appear in the default run.

-e, --each-cipher checks each of the (currently configured) 370 ciphers via openssl + sockets remotely on the server and reports back the result in wide mode. If you want to display each cipher tested you need to add --show-each. Per default it lists the following parameters: hexcode, OpenSSL cipher suite name, key exchange, encryption bits, IANA/RFC cipher suite name. Please note the --mapping parameter changes what cipher suite names you will see here and at which position. Also please note that the bit length for the encryption is shown and not the security length, albeit it'll be sorted by the latter. For 3DES, due to the Meet-in-the-Middle problem, the bit size of 168 bits is equivalent to the security size of 112 bits.

-E, --cipher-per-proto is similar to -e, --each-cipher. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add --show-each. The output is sorted by security strength, it lists the encryption bits though.

-s, --std, --standard tests certain lists of cipher suites / cipher categories by strength. Those lists are (openssl ciphers $LIST, $LIST from below:)

• NULL encryption ciphers: 'NULL:eNULL'

• Anonymous NULL ciphers: 'aNULL:ADH'

• Export ciphers (w/o the preceding ones): 'EXPORT:!ADH:!NULL'

• LOW (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL'

• 3DES + IDEA Ciphers: '3DES:IDEA:!aNULL:!ADH'

• Average grade Ciphers: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL'

• Strong grade Ciphers (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM'

-f, --pfs, --fs, --nsa Checks robust (perfect) forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptical curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3).
385
-p, --protocols checks TLS/SSL protocols SSLv2, SSLv3, TLS 1.0 through TLS 1.3 and for HTTP: SPDY (NPN) and ALPN, a.k.a. HTTP/2. For TLS 1.3 several drafts (from 18 on) and final are supported and being tested for.

-P, --preference displays the server's preferences: cipher order, with used openssl client: negotiated protocol and cipher. If there's a cipher order enforced by the server it displays it for each protocol (openssl+sockets). If there's not, it displays instead which ciphers from the server were picked with each protocol.

-S, --server_defaults displays information from the server hello(s):

• Available TLS extensions,

• TLS ticket + session ID information/capabilities,

• session resumption capabilities,

• Time skew relative to localhost (most server implementations return random values).

• Several certificate information:

    • signature algorithm,

    • key size,

    • key usage and extended key usage,

    • fingerprints and serial

    • Common Name (CN), Subject Alternative Name (SAN), Issuer,

    • Trust via hostname + chain of trust against supplied certificates

    • EV certificate detection

    • experimental "eTLS" detection

    • validity: start + end time, how many days to go (warning for certificate lifetime >=5 years)

    • revocation info (CRL, OCSP, OCSP stapling + must staple). When --phone-out is supplied it checks against the certificate issuer whether the host certificate has been revoked (plain OCSP, CRL).

    • displaying DNS Certification Authority Authorization resource record

    • Certificate Transparency info (if provided by server).

For the trust chain check 5 certificate stores are provided. If the test against one of the trust stores failed, that one is being identified and the reason for the failure is displayed - in addition the ones which succeeded are displayed too. You can configure your own CA via ADDITIONAL_CA_FILES, see section FILES below. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated. Also multiple server certificates are being checked for, as well as the certificate reply to a non-SNI (Server Name Indication) client hello to the IP address. Regarding the TLS clock skew: it displays the time difference to the client. Only a few TLS stacks nowadays still support this and return the local clock gmt_unix_time, e.g. IIS, openssl < 1.0.1f. In addition to the HTTP date you could e.g. derive that there are different hosts where your TLS and your HTTP request ended -- if the time deltas differ significantly.
460
-x <pattern>, --single-cipher <pattern> tests the matched pattern of ciphers against a server. Patterns are similar to -V pattern, --local pattern, see above about matching.

-h, --header, --headers if the service is HTTP (either by detection or by enforcing via --assume-http) it tests several HTTP headers like

• HTTP Strict Transport Security (HSTS)

• HTTP Public Key Pinning (HPKP)

• Server banner

• HTTP date+time

• Server banner like Linux or other Unix vendor headers

• Application banner (PHP, RoR, OWA, SharePoint, Wordpress, etc)

• Reverse proxy headers

• Web server modules

• IPv4 address in header

• Cookie (including Secure/HTTPOnly flags)

• Decodes BIG IP F5 non-encrypted cookies

• Security headers (X-Frame-Options, X-XSS-Protection, Expect-CT, ..., CSP headers). Nonsense is not yet detected here.

-c, --client-simulation This simulates a handshake with a number of standard clients so that you can figure out which client can or cannot connect to your site. For the former case the protocol, cipher and curve are displayed, also whether there's Forward Secrecy. testssl uses a handselected set of clients which are retrieved by the SSLlabs API. The output is aligned in columns when combined with the --wide option. If you want the full nine yards of clients displayed use the environment variable ALL_CLIENTS.

-g, --grease checks several server implementation bugs like tolerance to size limitations and GREASE, see https://www.ietf.org/archive/id/draft-ietf-tls-grease-01.txt . This check doesn't run per default.
508
VULNERABILITIES

-U, --vulnerable, --vulnerabilities Just tests all (of the following) vulnerabilities. The environment variable VULN_THRESHLD determines after which value a separate headline for each vulnerability is being displayed. Default is 1, which means if you check for two vulnerabilities, only the general headline for the vulnerabilities section is displayed -- in addition to the vulnerability and the result. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerability and test result. A vulnerability section is comprised of more than one check, e.g. the renegotiation vulnerability check has two checks, so has Logjam.

-H, --heartbleed Checks for Heartbleed, a memory leakage in openssl. If the server side doesn't support the heartbeat extension it is likely that this check runs into a timeout. The seconds to wait for a reply can be adjusted with HEARTBLEED_MAX_WAITSOCK. 8 is the default.

-I, --ccs, --ccs-injection Checks for CCS Injection which is an openssl vulnerability. Sometimes also here the check needs to wait for a reply. The predefined timeout of 5 seconds can be changed with the environment variable CCS_MAX_WAITSOCK.

-T, --ticketbleed Checks for Ticketbleed memory leakage in BigIP loadbalancers.

-BB, --robot Checks for vulnerability to the ROBOT (Return Of Bleichenbacher's Oracle Threat) attack.

-R, --renegotiation Tests renegotiation vulnerabilities. Currently there's a check for Secure Renegotiation and for Secure Client-Initiated Renegotiation. Please be aware that servers vulnerable to the latter can likely be DoSed very easily (HTTP). A check for Insecure Client-Initiated Renegotiation is not yet implemented.

-C, --compression, --crime Checks for CRIME (Compression Ratio Info-leak Made Easy) vulnerability in TLS. CRIME in SPDY is not yet being checked for.

-B, --breach Checks for BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) vulnerability. As HTTP level compression is a prerequisite for this vulnerability it'll not be tested if HTTP cannot be detected or the detection is not enforced via --assume-http. Please note that only the URL supplied (normally "/") is being tested.

-O, --poodle Tests for SSL POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability. It basically checks for the existence of CBC ciphers in SSLv3.

-Z, --tls-fallback Checks TLS_FALLBACK_SCSV mitigation. TLS_FALLBACK_SCSV is basically a ciphersuite appended to the Client Hello trying to prevent protocol downgrade attacks by a Man in the Middle.

-W, --sweet32 Checks for vulnerability to SWEET32 by testing 64 bit block ciphers (3DES, RC2 and IDEA).

-F, --freak Checks for FREAK vulnerability (Factoring RSA Export Keys) by testing for EXPORT RSA ciphers.

-D, --drown Checks for DROWN vulnerability (Decrypting RSA with Obsolete and Weakened eNcryption) by checking whether the SSL 2 protocol is available at the target. Please note that if you use the same RSA certificate elsewhere you might be vulnerable too. testssl doesn't check for this but provides a helpful link @ censys.io which provides this service.

-J, --logjam Checks for LOGJAM vulnerability by checking for DH EXPORT ciphers. It also checks for "common primes" which are preconfigured DH keys. DH keys <= 1024 Bit will be penalized. Also FFDHE groups (TLS 1.2) will be displayed here.

-A, --beast Checks BEAST vulnerabilities in SSL 3 and TLS 1.0 by testing the usage of CBC ciphers.

-L, --lucky13 Checks for LUCKY13 vulnerability. It checks for the presence of CBC ciphers in TLS versions 1.0 - 1.2.

-4, --rc4, --appelbaum Checks which RC4 stream ciphers are being offered.
588
OUTPUT OPTIONS

-q, --quiet Normally testssl displays a banner on stdout with several version information, usage rights and a warning. This option suppresses it. Please note that by choosing this option you acknowledge usage terms and the warning normally appearing in the banner.

--wide Except for the "each cipher output" all tests display the single cipher name (scheme see below). This option enables testssl to display also for the following sections the same output as for testing each cipher: BEAST, PFS, RC4. The client simulation has also a wide mode. The difference here is restricted to a column aligned output and a proper headline. The environment variable WIDE can be used instead.

--mapping <openssl|iana|no-openssl|no-iana>

• openssl: use the OpenSSL cipher suite name as the primary cipher suite name form (default),

• iana: use the IANA cipher suite name as the primary cipher suite name form.

• no-openssl: don't display the OpenSSL cipher suite name, display IANA names only.

• no-iana: don't display the IANA cipher suite name, display OpenSSL names only.

Please note that in testssl 3.0 you can still use rfc instead of iana and no-rfc instead of no-iana but it'll disappear after 3.0.

--show-each This is an option for all wide modes only: it displays all ciphers tested -- not only succeeded ones. SHOW_EACH_C is your friend if you prefer to set this via the shell environment.

--color <0|1|2|3> determines the use of colors on the screen and in the log file: 2 is the default and makes use of ANSI and termcap escape codes on your terminal. 1 just uses non-colored mark-up like bold, italics, underline, reverse. 0 means no mark-up at all = no escape codes. This is also what you want when you want a log file without any escape codes. 3 will color ciphers and EC according to an internal (not yet perfect) rating. Setting the environment variable COLOR to the value achieves the same result. Please note that OpenBSD and early FreeBSD do not support italics.

--colorblind Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en.wikipedia.org/wiki/Color_blindness) can distinguish those findings better. COLORBLIND is the according variable if you want to set this in the environment.

--debug <0-6> This gives you additional output on the screen (2-6), only useful for debugging. DEBUG is the according environment variable which you can use. There are six levels (0 is the default, thus it has no effect):

1. screen output normal but leaves useful debug output in /tmp/testssl.XXXXXX/ . The info about the exact directory is included in the screen output at the end of the run.

2. lists more of what's going on, status (high level) and connection errors, a few general debug output

3. even slightly more info: hexdumps + other info

4. display bytes sent via sockets

5. display bytes received via sockets

6. whole 9 yards
661
662
FILE OUTPUT OPTIONS

--log, --logging Logs stdout also to ${NODE}-p${port}${YYYYMMDD-HHMM}.log in the current working directory of the shell. Depending on the color output option (see above) the output file will contain color and other markup escape codes, unless you specify --color 0 too. cat and -- if properly configured -- less will show the output properly formatted on your terminal. The output shows a banner with almost the same information as on the screen. In addition it shows the command line of the testssl instance. Please note that the resulting log file is formatted according to the width of your screen while running testssl. You can override the width with the environment variable TERM_WIDTH.

--logfile <logfile> or -oL <logfile> Instead of the previous option you may want to use this one if you want to log into a directory or if you rather want to specify the log file name yourself. If logfile is a directory the output will be put into logfile/${NODE}-p${port}${YYYYMMDD-HHMM}.log. If logfile is a file it will use that file name, an absolute path is also permitted here. LOGFILE is the variable you need to set if you prefer to work with environment variables instead. Please note that the resulting log file is formatted according to the width of your screen while running testssl. You can override the width with the environment variable TERM_WIDTH.

--json Logs additionally to the JSON file ${NODE}-p${port}${YYYYMMDD-HHMM}.json in the current working directory of the shell. The resulting JSON file is, as opposed to --json-pretty, flat -- which means each section is self contained and has an identifier for each single check, the hostname/IP address, the port, severity and the finding. For vulnerabilities it may contain a CVE and CWE entry too. The output doesn't contain a banner or a footer.
694
695 --jsonfile <jsonfile> or -oj <jsonfile> Instead of the previous option
696 you may want to use this one if you want to log the JSON out put into a
697 directory or if you rather want to specify the log file name yourself.
698 If jsonfile is a directory the output will put into log‐
699 file/${NODE}-p${port}${YYYYMMDD-HHMM}.json. Ifjsonfile` is a file it
700 will use that file name, an absolute path is also permitted here.
701
702 --json-pretty Logs additionally to JSON file ${NODE}-p${port}${YYYYM‐
703 MDD-HHMM}.json in the current working directory of the shell. The re‐
704 sulting JSON file is opposed to--json` non-flat -- which means it is
705 structured. The structure contains a header similar to the banner on
706 the screen, including the command line, scan host, openssl binary used,
707 testssl version and epoch of the start time. Then for every test sec‐
708 tion of testssl it contains a separate JSON object/section. Each find‐
709 ing has a key/value pair identifier with the identifier for each single
710 check, the severity and the finding. For vulnerabilities it may contain
711 a CVE and CWE entry too. The footer lists the scan time in seconds.
712
713 --jsonfile-pretty <jsonfile> or -oJ <jsonfile> Similar to the aforemen‐
714 tioned --jsonfile or --logfile it logs the output in pretty JSON format
715 (see --json-pretty) into a file or a directory. For further explanation
716 see --jsonfile or --logfile.
717
718 --csv Logs additionally to a CSV file ${NODE}-p${port}${YYYYM‐
719 MDD-HHMM}.csv in the current working directory of the shell. The output
720 contains a header with the keys, the values are the same as in the flat
721 JSON format (identifier for each single check, the hostname/IP address,
722 the port, severity, the finding and for vulnerabilities a CVE and CWE
723 number).
724
725 --csvfile <csvfile> or -oC <csvfile> Similar to the aforementioned
726 --jsonfile or --logfile it logs the output in CSV format (see --cvs)
727 additionally into a file or a directory. For further explanation see
728 --jsonfile or --logfile.
729
730 --html Logs additionally to an HTML file ${NODE}-p${port}${YYYYM‐
731 MDD-HHMM}.html in the current working directory of the shell. It con‐
732 tains a 1:1 output of the console. In former versions there was a
733 non-native option to use "aha" (Ansi HTML Adapter:
734 github.com/theZiz/aha) like testssl [options] <URI> | aha >output.html.
735 This is not necessary anymore.
736
737 --htmlfile <htmlfile> or -oH <htmlfile> Similar to the aforementioned
738 --jsonfile or --logfile it logs the output in HTML format (see --html)
739 additionally into a file or a directory. For further explanation see
740 --jsonfile or --logfile.
741
742 -oA <filename> / --outFile <filename> Similar to nmap it does a file
743 output to all available file formats: LOG, JSON pretty, CSV, HTML. If
744 the filename supplied is equal auto the filename is automatically gen‐
745 erated using ´${NODE}-p${port}${YYYYMMDD-HHMM}.${EXT}´ with the accord‐
746 ing extension. If a directory is provided all output files will put
747 into <filename>/${NODE}-p${port}${YYYYMMDD-HHMM}.{log,json,csv,html}.
748
749 -oa <filename> / --outfile <filename> Does the same as the previous op‐
750 tion but uses flat JSON instead.
751
752 --hints This option is not in use yet. This option is meant to give
753 hints how to fix a finding or at least a help to improve something.
754 GIVE_HINTS is the environment variable for this.
755
756 --severity <severity> For CSV and both JSON outputs this will only add
757 findings to the output file if a severity is equal or higher than the
758 severity value specified. Allowed are <LOW|MEDIUM|HIGH|CRITICAL>. WARN
759 is another level which translates to a client-side scanning error or
760 problem. Thus you will always see them in a file if they occur.
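
The flat JSON layout and the --severity rule above (threshold on
LOW/MEDIUM/HIGH/CRITICAL, WARN always written) are what a CI job
consumes. The following script is an added example and not part of
testssl.sh: it re-applies that rule on the consuming side to a --json /
-oj file and turns the result into a build verdict that refuses to
treat a scan with WARN entries as a clean pass. The sample findings are
constructed; the key names id, ip, port, severity, finding, cve and cwe
are the fields the man page lists, assumed to be spelled exactly that
way in lowercase.

```python
"""Severity gate over testssl.sh flat JSON output (--json / -oj / -oa).

Added example, not part of testssl.sh. It re-implements the --severity
filter on the consuming side so that a CI job can fail on findings
while still surfacing WARN entries (client-side scan problems).
"""
import json
import sys
from collections import Counter

# Ranks drive the "equal or higher than" comparison --severity performs.
# OK and INFO are the non-finding levels seen in flat output (assumed).
SEVERITY_RANK = {"INFO": 0, "OK": 0, "LOW": 1, "MEDIUM": 2,
                 "HIGH": 3, "CRITICAL": 4}
THRESHOLDS = ("LOW", "MEDIUM", "HIGH", "CRITICAL")   # what --severity accepts
REQUIRED_KEYS = ("id", "ip", "port", "severity", "finding")

# Constructed sample in the flat layout the man page describes: one
# self-contained object per check. Hosts, findings and the exact key
# spellings are assumptions, not real scan output.
SAMPLE_FLAT_JSON = """[
 {"id": "SSLv3", "ip": "www.example.test/192.0.2.10", "port": "443",
  "severity": "HIGH", "finding": "offered"},
 {"id": "TLS1_2", "ip": "www.example.test/192.0.2.10", "port": "443",
  "severity": "OK", "finding": "offered"},
 {"id": "heartbleed", "ip": "www.example.test/192.0.2.10", "port": "443",
  "severity": "OK", "cve": "CVE-2014-0160", "cwe": "CWE-119",
  "finding": "not vulnerable, no heartbeat extension"},
 {"id": "DROWN", "ip": "www.example.test/192.0.2.10", "port": "443",
  "severity": "CRITICAL", "cve": "CVE-2016-0800", "cwe": "CWE-310",
  "finding": "VULNERABLE, SSLv2 offered"},
 {"id": "HSTS_time", "ip": "www.example.test/192.0.2.10", "port": "443",
  "severity": "LOW", "finding": "90 days (=7776000 seconds) < HSTS_MIN"},
 {"id": "engine_problem", "ip": "www.example.test/192.0.2.11",
  "port": "443", "severity": "WARN",
  "finding": "No engine or GOST support via engine"}
]"""


def parse_flat(text):
    """Load flat testssl JSON and reject anything that is not a list of
    findings carrying the documented fields."""
    findings = json.loads(text)
    if not isinstance(findings, list):
        raise ValueError("flat testssl JSON is a list of findings; "
                         "--json-pretty output is an object instead")
    for f in findings:
        missing = [k for k in REQUIRED_KEYS if k not in f]
        if missing:
            raise ValueError(f"finding lacks {missing}: {f}")
    return findings


def meets_threshold(severity, threshold):
    """The --severity rule: keep findings at or above the threshold;
    WARN (client-side scanning problem) is always kept."""
    if threshold not in THRESHOLDS:
        raise ValueError(f"threshold must be one of {THRESHOLDS}")
    if severity == "WARN":
        return True
    return SEVERITY_RANK.get(severity, -1) >= SEVERITY_RANK[threshold]


def filter_findings(findings, threshold):
    return [f for f in findings if meets_threshold(f["severity"], threshold)]


def summarize(findings):
    """Count findings per severity label."""
    return dict(Counter(f["severity"] for f in findings))


def gate_exit_code(findings, threshold):
    """0: nothing at/above threshold. 1: only WARN entries, i.e. the scan
    may be incomplete and a green result must not be trusted blindly.
    2: at least one real finding at or above the threshold."""
    kept = filter_findings(findings, threshold)
    if any(f["severity"] != "WARN" for f in kept):
        return 2
    return 1 if kept else 0


def format_finding(f):
    line = f"{f['severity']:<8} {f['ip']}:{f['port']} {f['id']}: {f['finding']}"
    if f.get("cve"):
        line += f" [{f['cve']}]"
    return line


if __name__ == "__main__":
    # usage: gate.py <flat.json> [LOW|MEDIUM|HIGH|CRITICAL]
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FLAT_JSON
    found = parse_flat(text)
    for f in filter_findings(found, threshold):
        print(format_finding(f))
    print("summary:", summarize(found))
    sys.exit(gate_exit_code(found, threshold))
```

Run it against a file produced with testssl --json-file or -oa; with no
arguments it works on the constructed sample. The gate's exit code 1
for "WARN only" is deliberate: WARN means testssl could not perform
part of the scan on the client side, so the absence of findings is not
evidence of a hardened server.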
761
--append Normally, if an output file already exists and it has a file
size greater than zero, testssl will ask you to remove the file
manually and exit with an error. --append however will append to this
file, without a header. The environment variable APPEND does the same.
Be careful using this switch/variable. A complementary option which
overwrites an existing file doesn't exist by design.

--outprefix <fname_prefix> Prepends the output filename prefix
fname_prefix before '${NODE}-'. You can use as well the environment
variable FNAME_PREFIX. Using this, any output files will be named
<fname_prefix>-${NODE}-p${port}${YYYYMMDD-HHMM}.<format> when no file
name of the respective output option was specified. If you do not like
the separator '-' you can as well supply a <fname_prefix> ending in
'.', '_' or ','. In this case or if you already supplied '-' no
additional '-' will be appended to <fname_prefix>.

A few file output options can also be preset via environment variables.
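
The naming rules spread over --logfile, -oA auto and --outprefix are
easy to get wrong when scripting mass scans. The Python below is an
added example, not testssl's own code, that resolves the file name the
way the man page describes: generated name in the current directory
for auto, inside the directory if one is given, verbatim if a file name
is given (no prefix applied), and the prefix separator rule for '-',
'.', '_' and ','. The exact timestamp separator between ${port} and
YYYYMMDD-HHMM is an assumption of this example.

```python
"""Output file naming for --log, --json, --csv, --html, -oA auto and
--outprefix, as an added example (not testssl's own code).

Assumption: the timestamp is rendered as YYYYMMDD-HHMM and joined to
${NODE}-p${port} with a '-'; testssl's real separator may differ.
"""
import os
from datetime import datetime

# Prefix endings after which no extra '-' is inserted (per the man page).
NO_SEPARATOR_SUFFIXES = (".", "_", ",", "-")

# Fixed time for reproducible examples (constructed).
EXAMPLE_TIME = datetime(2020, 1, 15, 9, 30)


def default_basename(node, port, ext, when):
    """${NODE}-p${port}${YYYYMMDD-HHMM}.${EXT}, date separator assumed."""
    return f"{node}-p{port}-{when.strftime('%Y%m%d-%H%M')}.{ext}"


def apply_prefix(basename, prefix):
    """--outprefix rule: <prefix>-<basename>, unless the prefix already
    ends in '-', '.', '_' or ',' in which case it is joined as-is."""
    if not prefix:
        return basename
    if prefix.endswith(NO_SEPARATOR_SUFFIXES):
        return prefix + basename
    return prefix + "-" + basename


def output_filename(node, port, ext, when=None, target=None, prefix=None):
    """Resolve the file an output option writes to.

    target None or "auto": generated name in the current directory,
    --outprefix applied.
    target is an existing directory: generated name inside it,
    --outprefix applied.
    anything else: taken verbatim as the file name; the prefix only
    applies when no file name was specified.
    """
    when = when or datetime.now()
    generated = apply_prefix(default_basename(node, port, ext, when), prefix)
    if target is None or target == "auto":
        return generated
    if os.path.isdir(target):
        return os.path.join(target, generated)
    return target


def all_formats(node, port, when=None, target="auto", prefix=None):
    """-oA: LOG, pretty JSON, CSV and HTML, like nmap's -oA."""
    return {ext: output_filename(node, port, ext, when, target, prefix)
            for ext in ("log", "json", "csv", "html")}


if __name__ == "__main__":
    for ext, path in all_formats("testssl.net", 443, EXAMPLE_TIME,
                                 prefix="prod_").items():
        print(f"{ext:5} {path}")
```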
779
COLOR RATINGS
Testssl.sh makes use of (the eight) standard terminal colors. The color
scheme is as follows:

• light red: a critical finding

• red: a high finding

• brown: a medium finding

• yellow: a low finding

• green (blue if COLORBLIND is set): something which is either in
  general a good thing or a negative result of a check which otherwise
  results in a high finding

• light green (light blue if COLORBLIND is set): something which is
  either in general a very good thing or a negative result of a check
  which otherwise results in a critical finding

• no color at places where also a finding can be expected: a finding
  on an info level

• cyan: currently only used for --show-each or an additional hint

• magenta: signals a warning condition, e.g. either a local lack of
  capabilities on the client side or another problem

• light magenta: a fatal error which either requires strict consent
  from the user to continue or a condition which leaves no other choice
  for testssl than to quit

What is labeled as "light" above appears as such on the screen but is
technically speaking "bold". In addition --color=3 will color ciphers
according to an internal and rough rating.

Markup (without any color) is used in the following manner:

• bold: for the name of the test

• underline + bold: for the headline of each test section

• underline: for a sub-headline

• italics: for strings just reflecting a value read from the server

829
TUNING via ENV variables and more options
Except for the environment variables mentioned above which can replace
command line options, here are some which cannot be set otherwise.
Variables used for tuning are preset with reasonable values. There
should be no reason to change them unless you use testssl under special
conditions.

• TERM_WIDTH is a variable which overrides the auto-determined terminal
  width. Setting this variable normally only makes sense if you log the
  output to a file using the --log, --logfile or -oL option.

• DEBUG_ALLINONE / SETX: when setting one of those to true testssl
  falls back to the standard bash behavior, i.e. when calling bash -x
  testssl it displays the bash debugging output on the screen instead
  of writing it to the external file /tmp/testssl-<XX>.log

• DEBUGTIME: Profiling option. When using bash's debug mode and when
  this is set to true, it generates a separate text file with epoch
  times in /tmp/testssl-<XX>.time. They need to be concatenated by
  paste /tmp/testssl-<XX>.{time,log}

• EXPERIMENTAL=true is an option which is sometimes used in the
  development process to make testing easier. In released versions this
  has no effect.

• ALL_CLIENTS=true runs a client simulation with all (currently 126)
  clients when testing HTTP.

• UNBRACKTD_IPV6: needs to be set to true for some old versions of
  OpenSSL (like from Gentoo) which don't support [bracketed] IPv6
  addresses

• NO_ENGINE: if you have problems with garbled output containing the
  word 'engine' you might want to set this to true. It forces testssl
  not to try to configure openssl's engine or a non-existing one from
  libressl

• HEADER_MAXSLEEP: How long to wait before killing the process which
  retrieves a service banner / HTTP header

• MAX_WAITSOCK: It instructs testssl to wait until the specified time
  before declaring a socket connection dead. Don't change this unless
  you're absolutely sure what you're doing. Value is in seconds.

• CCS_MAX_WAITSOCK is similar to the above but applies only to the CCS
  handshakes, i.e. to both of the two CCS payloads. Don't change this
  unless you're absolutely sure what you're doing. Value is in seconds.

• HEARTBLEED_MAX_WAITSOCK is similar to MAX_WAITSOCK but applies only
  to the ServerHello after sending the Heartbleed payload. Don't change
  this unless you're absolutely sure what you're doing. Value is in
  seconds.

• MEASURE_TIME_FILE For the seldom cases when you don't want the scan
  time to be included in the output you can set this to false.

• STARTTLS_SLEEP is per default set to 10 (seconds). That's the value
  testssl waits for a string in the STARTTLS handshake before giving
  up.

• MAX_PARALLEL is the maximum number of tests to run in parallel in
  parallel mass testing mode. The default value of 20 may be made
  larger on systems with faster processors.

• MAX_WAIT_TEST is the maximum time (in seconds) to wait for a single
  test in parallel mass testing mode to complete. The default is 1200.

• HSTS_MIN is preset to 179 (days). If you want warnings sooner or
  later for HTTP Strict Transport Security you can change this.

• HPKP_MIN is preset to 30 (days). If you want warnings sooner or later
  for HTTP Public Key Pinning you can change this.

• DAYS2WARN1 is the first threshold when you'll be warned of a
  certificate expiration of a host, preset to 60 (days). For Let's
  Encrypt this value will be divided internally by 2.

• DAYS2WARN2 is the second threshold when you'll be warned of a
  certificate expiration of a host, preset to 30 (days). For Let's
  Encrypt this value will be divided internally by 2.

• TESTSSL_INSTALL_DIR is the derived installation directory of testssl.
  Relative to that the bin and mandatory etc directory will be looked
  for.

• CA_BUNDLES_PATH: If you have your own set of CA bundles or you want
  to point testssl to a specific location of a CA bundle, you can use
  this variable to set the directory which testssl will use. Please
  note that it completely overrides the builtin path of testssl which
  means that you will only test against the bundles you point to. Also
  you might want to use ~/utils/create_ca_hashes.sh to create the
  hashes for HPKP.

• MAX_SOCKET_FAIL: A number which tells testssl how often a TCP socket
  connection may fail before the program gives up and terminates. The
  default is 2. You can increase it to a higher value if you frequently
  see a message like Fatal error: repeated TCP connect problems, giving
  up.

• MAX_OSSL_FAIL: A number which tells testssl how often an OpenSSL
  s_client connect may fail before the program gives up and terminates.
  The default is 2. You can increase it to a higher value if you
  frequently see a message like Fatal error: repeated openssl s_client
  connect problem, doesn't make sense to continue.

• MAX_HEADER_FAIL: A number which tells testssl how often a HTTP GET
  request over OpenSSL may return an empty file before the program
  gives up and terminates. The default is 3. Also here you can increase
  the threshold when you spot messages like Fatal error: repeated HTTP
  header connect problems, doesn't make sense to continue.

945
EXAMPLES
testssl testssl.sh

does a default run on https://testssl.sh (protocols, standard cipher
lists, PFS, server preferences, server defaults, vulnerabilities,
testing all known 370 ciphers, client simulation).

testssl testssl.net:443

does the same default run as above with the subtle difference that
testssl.net has two IPv4 addresses. Both are tested.

testssl --ip=one --wide https://testssl.net:443

does the same checks as above, with the difference that one IP address
is picked randomly. Everything is displayed in wide format where
possible.

testssl -6 https://testssl.net

As opposed to the first example it also tests the IPv6 part -- provided
you have an IPv6 network and your openssl supports IPv6 (see above).

testssl -t smtp smtp.gmail.com:25

Checks are done via a STARTTLS handshake on the plain text port 25. It
checks every IP on smtp.gmail.com.

testssl --starttls=imap imap.gmx.net:143

does the same on the plain text IMAP port.

Please note that for plain TLS-encrypted ports you must not specify the
protocol option when no STARTTLS handshake is offered: testssl
smtp.gmail.com:465 just checks the encryption on the SMTPS port,
testssl imap.gmx.net:993 on the IMAPS port. Also MongoDB which provides
TLS support without STARTTLS can be tested directly.
1003
RFCs and other standards
• RFC 2246: The TLS Protocol Version 1.0

• RFC 2818: HTTP Over TLS

• RFC 2595: Using TLS with IMAP, POP3 and ACAP

• RFC 3207: SMTP Service Extension for Secure SMTP over Transport
  Layer Security

• RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1

• RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1

• RFC 4366: Transport Layer Security (TLS) Extensions

• RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for
  Transport Layer Security (TLS)

• RFC 5077: Transport Layer Security (TLS) Session Resumption

• RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2

• RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
  Certificate Revocation List (CRL) Profile

• RFC 5321: Simple Mail Transfer Protocol

• RFC 5746: Transport Layer Security (TLS) Renegotiation Indication
  Extension

• RFC 6066: Transport Layer Security (TLS) Extensions: Extension
  Definitions

• RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0

• RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core

• RFC 6125: Domain-Based Application Service Identity [..]

• RFC 6797: HTTP Strict Transport Security (HSTS)

• RFC 6961: The Transport Layer Security (TLS) Multiple Certificate
  Status Request Extension

• RFC 7469: Public Key Pinning Extension for HTTP (HPKP)

• RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for
  Preventing Protocol Downgrade Attacks

• RFC 7627: Transport Layer Security (TLS) Session Hash and Extended
  Master Secret Extension

• RFC 7633: X.509v3 Transport Layer Security (TLS) Feature Extension

• RFC 7465: Prohibiting RC4 Cipher Suites

• RFC 7685: A Transport Layer Security (TLS) ClientHello Padding
  Extension

• RFC 7905: ChaCha20-Poly1305 Cipher Suites for Transport Layer
  Security (TLS)

• RFC 7919: Negotiated Finite Field Diffie-Hellman Ephemeral
  Parameters for Transport Layer Security

• RFC 8143: Using Transport Layer Security (TLS) with Network News
  Transfer Protocol (NNTP)

• RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3

• W3C CSP: Content Security Policy Level 1-3

• TLSWG Draft: The Transport Layer Security (TLS) Protocol Version
  1.3

1081
EXIT STATUS
• 0 testssl finished successfully without errors and without ambiguous
  results

• 1 testssl has encountered exactly one ambiguous situation or an
  error during the run

• 1+n same as previous. The errors or ambiguous results are added up,
  also per IP.

• 50-200 reserved for returning a vulnerability scoring for system
  monitoring or CI tools

• 242 (ERR_CHILD) Child received a signal from master

• 244 (ERR_RESOURCE) Resources testssl needs couldn't be read

• 245 (ERR_CLUELESS) Weird state, either through user options or
  testssl

• 246 (ERR_CONNECT) Connectivity problem

• 247 (ERR_DNSLOOKUP) Problem with resolving IP addresses or names

• 248 (ERR_OTHERCLIENT) Other client problem

• 249 (ERR_DNSBIN) Problem with DNS lookup binaries

• 250 (ERR_OSSLBIN) Problem with OpenSSL binary

• 251 (ERR_NOSUPPORT) Feature requested is not supported

• 252 (ERR_FNAMEPARSE) Input file couldn't be parsed

• 253 (ERR_FCREATE) Output file couldn't be created

• 254 (ERR_CMDLINE) Cmd line couldn't be parsed

• 255 (ERR_BASH) Bash version incorrect

1123
FILES
etc/*pem are the certificate stores from Apple, Linux, Mozilla Firefox,
Windows and Java.

etc/client-simulation.txt contains client simulation data.

etc/cipher-mapping.txt provides a mandatory file with mapping from
OpenSSL cipher suites names to the ones from IANA / used in the RFCs.

etc/tls_data.txt provides a mandatory file for ciphers (bash sockets)
and key material.

AUTHORS
Developed by Dirk Wetter, David Cooper and many others, see CREDITS.md.

COPYRIGHT
Copyright © 2012 Dirk Wetter. License GPLv2: Free Software Foundation,
Inc. This is free software: you are free to change and redistribute it
under the terms of the license, see LICENSE.

Attribution is important for the future of this project - also in the
internet. Thus if you're offering a scanner based on testssl.sh as a
public and/or paid service in the internet you are strongly encouraged
to mention to your audience that you're using this program and where to
get this program from. That helps us to get bugfixes, other feedback
and more contributions.

Usage WITHOUT ANY WARRANTY. USE at your OWN RISK!

LIMITATIONS
All native Windows platforms emulating Linux are known to be slow.

BUGS
Probably. Current known ones and interface for filing new ones:
https://testssl.sh/bugs/ .

SEE ALSO
ciphers(1), openssl(1), s_client(1), x509(1), verify(1), ocsp(1),
crl(1), bash(1) and the websites https://testssl.sh/ and
https://github.com/drwetter/testssl.sh/ .


January 2020 TESTSSL(1)