TESTSSL(1) General Commands Manual TESTSSL(1)

NAME
testssl -- check encryption of SSL/TLS servers

SYNOPSIS
testssl [OPTIONS] <URI>, testssl [OPTIONS] --file <FILE>

or

testssl [BANNER OPTIONS]

DESCRIPTION
testssl is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers and protocols, as well as for cryptographic flaws and much more.

The output rates findings by color (screen) or severity (file output) so that you are able to tell whether something is good or bad. The (screen) output has several sections in which classes of checks are being performed. To ease readability on the screen it aligns and indents the output properly.

Only you see the result. You can also use it internally on your LAN. Except for DNS lookups, or unless you instruct testssl to check for revocation of certificates, it doesn't use any other hosts or third parties for any test.

REQUIREMENTS
Testssl.sh is out of the box portable: it runs under any Unix-like stack: Linux, *BSD, MacOS X, WSL (Windows Subsystem for Linux), Cygwin and MSYS2. bash is a prerequisite; version 3 is still supported. Standard utilities like awk, sed, tr and head are also needed. These can be of a BSD, System 5 or GNU flavor, whereas grep from System V is not yet supported.

Any OpenSSL or LibreSSL version is needed as a helper. Unlike previous versions of testssl, almost every check is done via (TCP) sockets. In addition, statically linked OpenSSL binaries for major operating systems are supplied in ./bin/.

GENERAL
testssl URI as the default invocation does the so-called default run, which performs a number of checks and puts out the results colorized (ANSI and termcap) on the screen. It does every check listed below except -E. In order of appearance these are:

0) displays a banner (see below), does a DNS lookup also for further IP addresses and does a reverse lookup for the returned IP address. Last but not least a service check is being done.

1) SSL/TLS protocol check

2) standard cipher categories to give you upfront an idea of the ciphers supported

3) checks (perfect) forward secrecy: ciphers and elliptic curves

4) server preferences (server order)

5) server defaults (certificate info, TLS extensions, session information)

6) HTTP header (if HTTP detected or being forced via --assume-http)

7) vulnerabilities

8) testing each of 370 preconfigured ciphers

9) client simulation

OPTIONS
Options are either short or long options. Any long or short option requiring a value can be called with or without an equal sign. E.g. testssl -t=smtp --wide --openssl=/usr/bin/openssl <URI> (short option with equal sign) is equivalent to testssl --starttls smtp --wide --openssl /usr/bin/openssl <URI> (long option without equal sign). Some command line options can also be preset via ENV variables. WIDE=true OPENSSL=/usr/bin/openssl testssl --starttls=smtp <URI> would be the equivalent of the aforementioned examples. The command line takes precedence over any environment variables.

<URI> or --file <FILE> always needs to be the last parameter.

BANNER OPTIONS
--help (or no arg) display command line help

-b, --banner displays the testssl banner, including license, usage conditions, version of testssl, detected openssl version, the path to it, # of ciphers of openssl, its build date and the architecture.

-v, --version same as before

-V [pattern], --local [pattern] pretty print all local ciphers supported by the openssl version. If a pattern is supplied it performs a match (ignoring case) on any of the strings supplied in the wide output, see below. The pattern will be searched in any of the columns: hexcode, cipher suite name (OpenSSL or IANA), key exchange, encryption, bits. It does a word pattern match for non-numbers; for numbers just a normal match applies. Numbers here are defined as [0-9,A-F]. This means (attention: catch) that the pattern CBC is matched as a non-word, but AES as a word.
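
To make the "number vs. word" rule concrete, here is an added POSIX shell example; it is not code from testssl.sh or from this man page. It emulates the -V/--local matching over a constructed four-line snippet in the shape of the wide output (hexcode, OpenSSL name, key exchange, encryption, bits, IANA name). The hex-only test for "numbers" and the use of grep -iw for word matching are assumptions modelled on the description above, not the tool's own implementation.

```shell
#!/bin/sh
# Added illustration of the -V/--local matching rule. The cipher table below is a
# constructed sample in the shape of testssl's wide output; it is not real tool output.
SAMPLE_CIPHERS='x1301   TLS_AES_128_GCM_SHA256        ECDH   AESGCM   128   TLS_AES_128_GCM_SHA256
xc02f   ECDHE-RSA-AES128-GCM-SHA256   ECDH   AESGCM   128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
x2f     AES128-SHA                    RSA    AES      128   TLS_RSA_WITH_AES_128_CBC_SHA
x0a     DES-CBC3-SHA                  RSA    3DES     168   TLS_RSA_WITH_3DES_EDE_CBC_SHA'

# is_number PATTERN: true when PATTERN consists only of [0-9A-F] (case-insensitive),
# which is what the man page calls a "number". Note that CBC qualifies, AES does not.
is_number() {
    case $1 in
        "")              return 1 ;;
        *[!0-9A-Fa-f]*)  return 1 ;;
        *)               return 0 ;;
    esac
}

# local_match PATTERN: filter stdin the way -V is described: "numbers" get a plain
# case-insensitive substring match, everything else a case-insensitive word match
# (assumption: grep -iw stands in for testssl's own word matching).
local_match() {
    if is_number "$1"; then
        grep -i -- "$1"
    else
        grep -iw -- "$1"
    fi
}

# match_count PATTERN: how many sample lines PATTERN selects.
match_count() {
    printf '%s\n' "$SAMPLE_CIPHERS" | local_match "$1" | wc -l | tr -d ' '
}

# Demo: CBC is hex-only, so it is a substring match and hits both CBC suites;
# AES is a word, so only the line whose encryption column is exactly AES matches.
for p in CBC AES 128 aesgcm; do
    printf '%-7s -> %s line(s)\n' "$p" "$(match_count "$p")"
done
```

On the sample above, CBC selects two lines, AES only one (the plain AES128-SHA suite, because AES inside AESGCM or ECDHE-RSA-AES128-GCM-SHA256 is not a separate word), and 128 selects three, which is exactly the catch the text warns about.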

INPUT PARAMETERS
URI can be a hostname, an IPv4 or IPv6 address (restriction see below) or a URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is https. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an /etc/hosts entry for the hostname.

--file <fname> or the equivalent -iL <fname> are mass testing options. Per default it implicitly turns on --warnings batch. In its first incarnation the mass testing option reads command lines from fname. fname consists of command lines of testssl, one line per instance. Comments after # are ignored; EOF signals the end of fname, and any subsequent lines will be ignored too. You can also supply additional options which will be inherited by each child, e.g. when invoking testssl --wide --log --file <fname>. Each single line in fname is parsed upon execution. If there's a conflicting option and serial mass testing is being performed, the check will be aborted at the time it occurs and, depending on the output option, potentially leaves you with an output file without footer. In parallel mode the mileage varies; likely a line won't be scanned.

Alternatively fname can be in nmap's grep(p)able output format (-oG). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl according to common practice on the internet, i.e. if nmap shows in its output an open port 25, automatically -t smtp will be added before the URI, whereas port 465 will be treated as a plain TLS/SSL port, not requiring a STARTTLS SMTP handshake upfront. This is done by an internal table which correlates the open port detected by nmap to the STARTTLS/plain text decision of testssl.

Nmap's output always returns IP addresses and, only if there's a PTR DNS record available, a hostname. As nmap does not check whether the hostname matches the IP (A or AAAA record), testssl does this automatically for you. If the A record of the hostname matches the IP address, the hostname is used and not the IP address. Please keep in mind that checks against an IP address might not hit the vhost you were aiming at and thus may lead to different results.

A typical internal conversion to testssl file format from nmap's grep(p)able format could look like:

10.10.12.16:443
10.10.12.16:1443
-t smtp host.example.com:25
host.example.com:443
host.example.com:631
-t ftp 10.10.12.11:21
10.10.12.11:8443

Please note that fname has to be in Unix format. DOS carriage returns won't be accepted. Instead of the command line switch the environment variable FNAME will be honored too.

--mode <serial|parallel>. Mass testing to be done serially (default) or in parallel (--parallel is a shortcut for the latter, --serial is the opposite option). Per default mass testing is being run in serial mode, i.e. one line after the other is processed and invoked. The variable MASS_TESTING_MODE can be defined to be either serial or parallel.

--warnings <batch|off>. The warnings parameter determines how testssl will deal with situations where user input normally would be necessary. There are two options. batch doesn't wait for a confirming keypress when a client- or server-side problem is encountered. As of 3.0 it then just terminates the particular scan. This is automatically chosen for mass testing (--file). off just skips the warning and the confirmation but continues the scan, regardless of whether it makes sense or not. Please note that there are conflicts where testssl will still ask for confirmation: the ones which otherwise would have a drastic impact on the results. Almost any other decision will be made in the future as a best guess by testssl. The same can be achieved by setting the environment variable WARNINGS.

--connect-timeout <seconds> This is useful for socket TCP connections to a node. If the node does not complete a TCP handshake (e.g. because it is down or behind a firewall or there's an IDS or a tarpit) testssl may usually hang for around 2 minutes or even much more. This parameter instructs testssl to wait at most seconds for the handshake to complete before giving up. This option only works if your OS has a timeout binary installed. CONNECT_TIMEOUT is the corresponding environment variable.

--openssl-timeout <seconds> This is especially useful for all connects using openssl and practically useful for mass testing. It avoids the openssl connect hanging for ~2 minutes. The expected parameter seconds instructs testssl how long to wait before the openssl connect will be terminated. The option is only available if your OS has a timeout binary installed. As there are different implementations of timeout, it automatically calls the binary with the right parameters. OPENSSL_TIMEOUT is the equivalent environment variable.
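
Both timeout options depend on a timeout binary being present, and silently cannot be enforced otherwise. The added POSIX shell example below (not testssl.sh's own code and not part of this man page) shows what that caveat means in practice: a wrapper that looks for a timeout implementation under the names timeout or gtimeout (an assumption covering GNU coreutils, BSD and Homebrew installs), bounds a command when one is found, and warns and runs the command unbounded when none is.

```shell
#!/bin/sh
# Added example (not testssl.sh code): a portable wrapper illustrating the
# "only works if your OS has a timeout binary" caveat of --connect-timeout and
# --openssl-timeout.

# timeout_cmd: print the name of a usable timeout binary (GNU/BSD "timeout" or
# Homebrew coreutils "gtimeout"); exit 1 if none is found.
timeout_cmd() {
    for t in timeout gtimeout; do
        if command -v "$t" >/dev/null 2>&1; then
            echo "$t"
            return 0
        fi
    done
    return 1
}

# run_with_timeout SECONDS COMMAND...: bound COMMAND to SECONDS of wall-clock time.
# Without a timeout binary the limit cannot be enforced, so warn and run anyway,
# which is the situation the man page describes for CONNECT_TIMEOUT/OPENSSL_TIMEOUT.
run_with_timeout() {
    secs=$1
    shift
    if t=$(timeout_cmd); then
        "$t" "$secs" "$@"          # GNU and BSD timeout exit 124 when the limit is hit
    else
        echo "warning: no timeout binary found, running '$1' without a limit" >&2
        "$@"
    fi
}

# Demo: a command that finishes in time, then one that does not.
run_with_timeout 5 true && echo "true finished within 5s"
run_with_timeout 1 sleep 3 || echo "sleep 3 was cut off (exit $?)"
```

With a timeout binary installed the second call returns after one second with exit status 124; without one it runs the full three seconds and returns 0, with only the warning on stderr to tell you the limit was never applied.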

--basicauth <user:pass> This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.

SPECIAL INVOCATIONS
-t <protocol>, --starttls <protocol> does a default run against a STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3, imap, xmpp, telnet, ldap, irc, lmtp, nntp, postgres, mysql. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with --ssl-native. telnet and irc are WIP.

--xmpphost <jabber_domain> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.

--mx <domain|host> tests all MX records (STARTTLS on port 25) from high to low priority, one after the other.

--ip <ip> tests either the supplied IPv4 or IPv6 address instead of resolving host(s) in <URI>. IPv6 addresses need to be supplied in square brackets. --ip=one means: just test the first A record DNS returns (useful for multiple IPs). If -6 and --ip=one were supplied, an AAAA record will be picked if available. The --ip option might also be useful if you want to resolve the supplied hostname to a different IP, similar to editing /etc/hosts or /c/Windows/System32/drivers/etc/hosts. --ip=proxy tries a DNS resolution via proxy.

--proxy <host>:<port> does ANY check via the specified proxy. --proxy=auto inherits the proxy setting from the environment. The hostname supplied will be resolved to the first A record. In addition, if you want lookups via proxy you can specify DNS_VIA_PROXY=true. OCSP revocation checking (-S --phone-out) is not supported by OpenSSL via proxy. As supplying a proxy is an indicator for outgoing ports 80 and 443 being blocked in your network, an OCSP revocation check won't be performed. However, if IGN_OCSP_PROXY=true has been supplied it will be tried directly. Authentication to the proxy is not supported. Proxying via IPv6 addresses is not possible; no HTTPS or SOCKS proxy is supported.

-6 does (also) IPv6 checks. Please note that testssl doesn't perform checks on an IPv6 address automatically, for two reasons: testssl does no connectivity checks for IPv6, and it cannot determine reliably whether the OpenSSL binary you're using has IPv6 s_client support. -6 assumes both are the case. If both conditions are met and you in general prefer to test IPv6 branches as well, you can add HAS_IPv6 to your shell environment. Besides the OpenSSL binary supplied, IPv6 is known to work with vanilla OpenSSL >= 1.1.0 and older versions >= 1.0.2 in RHEL/CentOS/FC and Gentoo.

--ssl-native Instead of using a mixture of bash sockets and a few openssl s_client connects, testssl uses the latter (almost) only. This is faster at the moment but provides less accurate results, especially for the client simulation and for cipher support. For all checks you will see a warning if testssl cannot tell whether a particular check can be performed. For some checks however you might end up getting false negatives without a warning. This option is only recommended if you prefer speed over accuracy or you know that your target has sufficient overlap with the protocols and ciphers provided by your openssl binary.

--openssl <path_to_openssl> testssl tries very hard to find the binary supplied automagically (where the tree of testssl resides, from the directory where testssl has been started from, etc.). If all that doesn't work it falls back to the openssl supplied by the OS ($PATH). With this option you can point testssl to your binary of choice and override any internal magic to find the openssl binary. (Environment preset via OPENSSL=<path_to_openssl>).

TUNING OPTIONS
--bugs does some workarounds for buggy servers like padding for old F5 devices. The option is passed as -bugs to openssl when needed, see s_client(1); environment preset via BUGS="-bugs" (1x dash). For the socket part testssl always has workarounds in place to cope with broken server implementations.

--assume-http (also accepted as --assuming-http) testssl normally does an application protocol detection upfront. In cases where HTTP cannot be automatically detected you may want to use this option. It forces testssl not to skip HTTP specific tests (HTTP header) and to run a browser based client simulation. Please note that sometimes also the severity depends on the application protocol, e.g. SHA1 signed certificates, the lack of any SAN matches and some vulnerabilities will be punished harder when checking a web server as opposed to a mail server.

-n, --nodns <min|none> tells testssl which DNS lookups should be performed. min uses only forward DNS resolution (A and AAAA record or MX record) and skips CAA lookups and PTR records from the IP address back to a DNS name. none performs no DNS lookups at all. For the latter you either have to supply the IP address as a target, use --ip, or have the IP address in /etc/hosts. The use of the switch is only useful if you either can't or are not willing to perform DNS lookups. The latter can apply e.g. to some pentests. In general this option could e.g. help you to avoid timeouts by DNS lookups. NODNS is the environment variable for this.

--sneaky For HTTP header checks testssl normally uses the server friendly HTTP user agent TLS tester from ${URL}. With this option your traces are less verbose and a Firefox user agent is being used. Be aware that it doesn't hide your activities. That is just not possible (environment preset via SNEAKY=true).

--ids-friendly is a switch which may help to get a scan finished which otherwise would be blocked by a server side IDS. This switch skips tests for the following vulnerabilities: Heartbleed, CCS Injection, Ticketbleed and ROBOT. The environment variable OFFENSIVE set to false will achieve the same result. Please be advised that as an alternative or as a general approach you can try to apply evasion techniques by changing the variables USLEEP_SND and / or USLEEP_REC and maybe MAX_WAITSOCK.

--phone-out Checking for revoked certificates via CRL and OCSP is not done per default. This switch instructs testssl to query URIs which are external in the sense of the current run. By using this switch you acknowledge that the check might have privacy issues, a download of several megabytes (CRL file) may happen and there may be network connectivity problems while contacting the endpoint which testssl doesn't handle. PHONE_OUT is the environment variable for this, which needs to be set to true if you want this.

--add-ca <cafile> enables you to add your own CA(s) for trust chain checks. cafile can be a single path or multiple paths as a comma separated list of root CA files. Internally they will be added during runtime to all CA stores. This is (only) useful for internal hosts whose certificates are issued by internal CAs. Alternatively ADDITIONAL_CA_FILES is the environment variable for this.

SINGLE CHECK OPTIONS
Any single check switch supplied as an argument prevents testssl from doing a default run. It just takes this and, if supplied, other options and runs them - in the order they would also appear in the default run.

-e, --each-cipher checks each of the (currently configured) 370 ciphers via openssl + sockets remotely on the server and reports back the result in wide mode. If you want to display each cipher tested you need to add --show-each. Per default it lists the following parameters: hexcode, OpenSSL cipher suite name, key exchange, encryption bits, IANA/RFC cipher suite name. Please note the --mapping parameter changes what cipher suite names you will see here and at which position. Also please note that the bit length for the encryption is shown and not the security length, albeit it'll be sorted by the latter. For 3DES, due to the Meet-in-the-Middle problem, the bit size of 168 bits is equivalent to the security size of 112 bits.

-E, --cipher-per-proto is similar to -e, --each-cipher. It checks each of the possible ciphers, here: per protocol. If you want to display each cipher tested you need to add --show-each. The output is sorted by security strength; it lists the encryption bits though.

-s, --std, --standard tests certain lists of cipher suites / cipher categories by strength. Those lists are (openssl ciphers $LIST, $LIST from below):

○ NULL encryption ciphers: 'NULL:eNULL'

○ Anonymous NULL ciphers: 'aNULL:ADH'

○ Export ciphers (w/o the preceding ones): 'EXPORT:!ADH:!NULL'

○ LOW (64 Bit + DES ciphers, without EXPORT ciphers): 'LOW:DES:RC2:RC4:!ADH:!EXP:!NULL:!eNULL'

○ 3DES + IDEA Ciphers: '3DES:IDEA:!aNULL:!ADH'

○ Average grade Ciphers: 'HIGH:MEDIUM:AES:CAMELLIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AESGCM:!ARIAGCM:!aNULL'

○ Strong grade Ciphers (AEAD): 'AESGCM:CHACHA20:CamelliaGCM:AESCCM8:AESCCM'

-f, --pfs, --fs, --nsa Checks robust (perfect) forward secrecy key exchange. "Robust" means that ciphers having intrinsic severe weaknesses like Null Authentication or Encryption, 3DES and RC4 won't be considered here. There shouldn't be the wrong impression that a secure key exchange has been taking place and everything is fine when in reality the encryption sucks. Also this section lists the available elliptic curves and Diffie Hellman groups, as well as FFDHE groups (TLS 1.2 and TLS 1.3).

-p, --protocols checks TLS/SSL protocols SSLv2, SSLv3, TLS 1.0 through TLS 1.3 and for HTTP: SPDY (NPN) and ALPN, a.k.a. HTTP/2. For TLS 1.3 several drafts (from 18 on) and final are supported and being tested for.

-P, --preference displays the server's preferences: cipher order, with used openssl client: negotiated protocol and cipher. If there's a cipher order enforced by the server it displays it for each protocol (openssl+sockets). If there's not, it displays instead which ciphers from the server were picked with each protocol.

-S, --server_defaults displays information from the server hello(s):

○ Available TLS extensions,

○ TLS ticket + session ID information/capabilities,

○ session resumption capabilities,

○ Time skew relative to localhost (most server implementations return random values).

○ Several certificate information

  ○ signature algorithm,

  ○ key size,

  ○ key usage and extended key usage,

  ○ fingerprints and serial

  ○ Common Name (CN), Subject Alternative Name (SAN), Issuer,

  ○ Trust via hostname + chain of trust against supplied certificates

  ○ EV certificate detection

  ○ experimental "eTLS" detection

  ○ validity: start + end time, how many days to go (warning for certificate lifetime >=5 years)

  ○ revocation info (CRL, OCSP, OCSP stapling + must staple). When --phone-out is supplied it checks against the certificate issuer whether the host certificate has been revoked (plain OCSP, CRL).

  ○ displaying DNS Certification Authority Authorization resource record

  ○ Certificate Transparency info (if provided by server).

For the trust chain check 5 certificate stores are provided. If the test against one of the trust stores failed, that one is being identified and the reason for the failure is displayed - in addition the ones which succeeded are displayed too. You can configure your own CA via ADDITIONAL_CA_FILES, see section FILES below. If the server provides no matching record in Subject Alternative Name (SAN) but in Common Name (CN), it will be indicated as this is deprecated. Also multiple server certificates are being checked for, as well as the certificate reply to a non-SNI (Server Name Indication) client hello to the IP address. Regarding the TLS clock skew: it displays the time difference to the client. Only a few TLS stacks nowadays still support this and return the local clock gmt_unix_time, e.g. IIS, openssl < 1.0.1f. In addition to the HTTP date you could e.g. derive that there are different hosts where your TLS and your HTTP request ended -- if the time deltas differ significantly.

-x <pattern>, --single-cipher <pattern> tests the matched pattern of ciphers against a server. Patterns are similar to -V pattern, --local pattern, see above about matching.

-h, --header, --headers if the service is HTTP (either by detection or by enforcing via --assume-http), it tests several HTTP headers like

○ HTTP Strict Transport Security (HSTS)

○ HTTP Public Key Pinning (HPKP)

○ Server banner

○ HTTP date+time

○ Server banner like Linux or other Unix vendor headers

○ Application banner (PHP, RoR, OWA, SharePoint, Wordpress, etc)

○ Reverse proxy headers

○ Web server modules

○ IPv4 address in header

○ Cookie (including Secure/HTTPOnly flags)

○ Decodes BIG IP F5 non-encrypted cookies

○ Security headers (X-Frame-Options, X-XSS-Protection, Expect-CT, ..., CSP headers). Nonsense is not yet detected here.

-c, --client-simulation This simulates a handshake with a number of standard clients so that you can figure out which client cannot or can connect to your site. For the latter case the protocol, cipher and curve are displayed, also whether there's Forward Secrecy. testssl uses a hand-selected set of clients which are retrieved via the SSLlabs API. The output is aligned in columns when combined with the --wide option. If you want the full nine yards of clients displayed use the environment variable ALL_CLIENTS.

-g, --grease checks several server implementation bugs like tolerance to size limitations and GREASE, see https://www.ietf.org/archive/id/draft-ietf-tls-grease-01.txt . This check doesn't run per default.

VULNERABILITIES
-U, --vulnerable, --vulnerabilities Just tests all (of the following) vulnerabilities. The environment variable VULN_THRESHLD determines after which value a separate headline for each vulnerability is being displayed. Default is 1, which means if you check for two vulnerabilities, only the general headline for the vulnerabilities section is displayed -- in addition to the vulnerability and the result. Otherwise each vulnerability or vulnerability section gets its own headline in addition to the output of the name of the vulnerability and test result. A vulnerability section is comprised of more than one check, e.g. the renegotiation vulnerability check has two checks, so has Logjam.

-H, --heartbleed Checks for Heartbleed, a memory leakage in openssl. Unless the server side doesn't support the heartbeat extension, it is likely that this check runs into a timeout. The seconds to wait for a reply can be adjusted with HEARTBLEED_MAX_WAITSOCK. 8 is the default.

-I, --ccs, --ccs-injection Checks for CCS Injection which is an openssl vulnerability. Sometimes also here the check needs to wait for a reply. The predefined timeout of 5 seconds can be changed with the environment variable CCS_MAX_WAITSOCK.

-T, --ticketbleed Checks for Ticketbleed memory leakage in BigIP loadbalancers.

-BB, --robot Checks for vulnerability to the ROBOT (Return Of Bleichenbacher's Oracle Threat) attack.

-R, --renegotiation Tests renegotiation vulnerabilities. Currently there's a check for Secure Renegotiation and for Secure Client-Initiated Renegotiation. Please be aware that servers vulnerable to the latter can likely be DoSed very easily (HTTP). A check for Insecure Client-Initiated Renegotiation is not yet implemented.

-C, --compression, --crime Checks for CRIME (Compression Ratio Info-leak Made Easy) vulnerability in TLS. CRIME in SPDY is not yet being checked for.

-B, --breach Checks for BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) vulnerability. As HTTP level compression is a prerequisite for this vulnerability, it won't be tested if HTTP cannot be detected or the detection is not enforced via --assume-http. Please note that only the URL supplied (normally "/") is being tested.

-O, --poodle Tests for SSL POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability. It basically checks for the existence of CBC ciphers in SSLv3.

-Z, --tls-fallback Checks TLS_FALLBACK_SCSV mitigation. TLS_FALLBACK_SCSV is basically a ciphersuite appended to the Client Hello trying to prevent protocol downgrade attacks by a Man in the Middle.

-W, --sweet32 Checks for vulnerability to SWEET32 by testing 64 bit block ciphers (3DES, RC2 and IDEA).

-F, --freak Checks for FREAK vulnerability (Factoring RSA Export Keys) by testing for EXPORT RSA ciphers.

-D, --drown Checks for DROWN vulnerability (Decrypting RSA with Obsolete and Weakened eNcryption) by checking whether the SSL 2 protocol is available at the target. Please note that if you use the same RSA certificate elsewhere you might be vulnerable too. testssl doesn't check for this but provides a helpful link @ censys.io which provides this service.

-J, --logjam Checks for LOGJAM vulnerability by checking for DH EXPORT ciphers. It also checks for "common primes" which are preconfigured DH keys. DH keys <= 1024 Bit will be penalized. Also FFDHE groups (TLS 1.2) will be displayed here.

-A, --beast Checks BEAST vulnerabilities in SSL 3 and TLS 1.0 by testing the usage of CBC ciphers.

-L, --lucky13 Checks for LUCKY13 vulnerability. It checks for the presence of CBC ciphers in TLS versions 1.0 - 1.2.

-4, --rc4, --appelbaum Checks which RC4 stream ciphers are being offered.

OUTPUT OPTIONS
-q, --quiet Normally testssl displays a banner on stdout with several version information, usage rights and a warning. This option suppresses it. Please note that by choosing this option you acknowledge the usage terms and the warning normally appearing in the banner.

--wide Except for the "each cipher output" all tests display the single cipher name (scheme see below). This option enables testssl to display also for the following sections the same output as for testing each cipher: BEAST, PFS, RC4. The client simulation also has a wide mode. The difference here is restricted to a column aligned output and a proper headline. The environment variable WIDE can be used instead.

--mapping <openssl|iana|no-openssl|no-iana>

○ openssl: use the OpenSSL cipher suite name as the primary cipher suite name form (default),

○ iana: use the IANA cipher suite name as the primary cipher suite name form.

○ no-openssl: don't display the OpenSSL cipher suite name, display IANA names only.

○ no-iana: don't display the IANA cipher suite name, display OpenSSL names only.

Please note that in testssl 3.0 you can still use rfc instead of iana and no-rfc instead of no-iana but it'll disappear after 3.0.

--show-each This is an option for all wide modes only: it displays all ciphers tested -- not only succeeded ones. SHOW_EACH_C is your friend if you prefer to set this via the shell environment.

--color <0|1|2|3> determines the use of colors on the screen and in the log file: 2 is the default and makes use of ANSI and termcap escape codes on your terminal. 1 just uses non-colored mark-up like bold, italics, underline, reverse. 0 means no mark-up at all = no escape codes. This is also what you want when you want a log file without any escape codes. 3 will color ciphers and EC according to an internal (not yet perfect) rating. Setting the environment variable COLOR to the value achieves the same result. Please note that OpenBSD and early FreeBSD do not support italics.

--colorblind Swaps green and blue colors in the output, so that this percentage of folks (up to 8% of males, see https://en.wikipedia.org/wiki/Color_blindness) can distinguish those findings better. COLORBLIND is the according variable if you want to set this in the environment.

--debug <0-6> This gives you additional output on the screen (2-6), only useful for debugging. DEBUG is the according environment variable which you can use. There are six levels (0 is the default, thus it has no effect):

1. screen output normal but leaves useful debug output in /tmp/testssl.XXXXXX/ . The info about the exact directory is included in the screen output at the end of the run.

2. lists more of what's going on, status (high level) and connection errors, a few general debug outputs

3. even slightly more info: hexdumps + other info

4. display bytes sent via sockets

5. display bytes received via sockets

6. whole 9 yards
652 FILE OUTPUT OPTIONS
--log, --logging Logs stdout also to ${NODE}-p${port}${YYYYMMDD-HHMM}.log
in the current working directory of the shell. Depending on the color
output option (see above) the output file will contain color and other
markup escape codes, unless you specify --color 0 too. cat and -- if
properly configured -- less will show the output properly formatted on
your terminal. The output shows a banner with almost the same
information as on the screen. In addition it shows the command line of
the testssl instance. Please note that the resulting log file is
formatted according to the width of your screen while running testssl.
You can override the width with the environment variable TERM_WIDTH.
664
--logfile <logfile> or -oL <logfile> Instead of the previous option you
may want to use this one if you want to log into a directory or if you
rather want to specify the log file name yourself. If logfile is a
directory the output will be put into
logfile/${NODE}-p${port}${YYYYMMDD-HHMM}.log. If logfile is a file it
will use that file name; an absolute path is also permitted here.
LOGFILE is the variable you need to set if you prefer to work with
environment variables instead. Please note that the resulting log file
is formatted according to the width of your screen while running
testssl. You can override the width with the environment variable
TERM_WIDTH.
675
--json Logs additionally to the JSON file
${NODE}-p${port}${YYYYMMDD-HHMM}.json in the current working directory
of the shell. The resulting JSON file is, as opposed to --json-pretty,
flat -- which means each section is self-contained and has an
identifier for each single check, the hostname/IP address, the port,
the severity and the finding. For vulnerabilities it may contain a CVE
and CWE entry too. The output doesn't contain a banner or a footer.
683
--jsonfile <jsonfile> or -oj <jsonfile> Instead of the previous option
you may want to use this one if you want to log the JSON output into a
directory or if you rather want to specify the file name yourself. If
jsonfile is a directory the output will be put into
jsonfile/${NODE}-p${port}${YYYYMMDD-HHMM}.json. If jsonfile is a file
it will use that file name; an absolute path is also permitted here.
690
--json-pretty Logs additionally to the JSON file
${NODE}-p${port}${YYYYMMDD-HHMM}.json in the current working directory
of the shell. The resulting JSON file is, as opposed to --json,
non-flat -- which means it is structured. The structure contains a
header similar to the banner on the screen, including the command
line, scan host, openssl binary used, testssl version and epoch of the
start time. Then for every test section of testssl it contains a
separate JSON object/section. Each finding has a key/value pair
identifier with the identifier for each single check, the severity and
the finding. For vulnerabilities it may contain a CVE and CWE entry
too. The footer lists the scan time in seconds.
701
702 --jsonfile-pretty <jsonfile> or -oJ <jsonfile> Similar to the aforemen‐
703 tioned --jsonfile or --logfile it logs the output in pretty JSON format
704 (see --json-pretty) into a file or a directory. For further explanation
705 see --jsonfile or --logfile.
706
--csv Logs additionally to the CSV file
${NODE}-p${port}${YYYYMMDD-HHMM}.csv in the current working directory
of the shell. The output contains a header with the keys, the values
are the same as in the flat JSON format (identifier for each single
check, the hostname/IP address, the port, severity, the finding and for
vulnerabilities a CVE and CWE number).
713
--csvfile <csvfile> or -oC <csvfile> Similar to the aforementioned
--jsonfile or --logfile it logs the output in CSV format (see --csv)
additionally into a file or a directory. For further explanation see
--jsonfile or --logfile.
718
--html Logs additionally to the HTML file
${NODE}-p${port}${YYYYMMDD-HHMM}.html in the current working directory
of the shell. It contains a 1:1 output of the console. In former
versions there was a non-native option to use "aha" (Ansi HTML
Adapter: github.com/theZiz/aha) like testssl [options] <URI> | aha
>output.html. This is not necessary anymore.
725
726 --htmlfile <htmlfile> or -oH <htmlfile> Similar to the aforementioned
727 --jsonfile or --logfile it logs the output in HTML format (see --html)
728 additionally into a file or a directory. For further explanation see
729 --jsonfile or --logfile.
730
-oA <filename> / --outFile <filename> Similar to nmap it does a file
output to all available file formats: LOG, JSON pretty, CSV, HTML. If
the filename supplied is equal to auto the filename is automatically
generated using '${NODE}-p${port}${YYYYMMDD-HHMM}.${EXT}' with the
according extension. If a directory is provided all output files will
be put into <filename>/${NODE}-p${port}${YYYYMMDD-HHMM}.{log,json,csv,html}.
737
738 -oa <filename> / --outfile <filename> Does the same as the previous op‐
739 tion but uses flat JSON instead.
740
741 --hints This option is not in use yet. This option is meant to give
742 hints how to fix a finding or at least a help to improve something.
743 GIVE_HINTS is the environment variable for this.
744
--severity <severity> For CSV and both JSON outputs this will only add
findings to the output file if their severity is equal to or higher
than the severity value specified. Allowed are
<LOW|MEDIUM|HIGH|CRITICAL>. WARN is another level which translates to
a client-side scanning error or problem. Thus you will always see
those in a file if they occur, regardless of this option.
750
--append Normally, if an output file already exists and it has a file
size greater than zero, testssl will prompt you to remove the file
manually and exit with an error. --append however will append to this
file, without a header. The environment variable APPEND does the same.
Be careful using this switch/variable. A complementary option which
overwrites an existing file doesn't exist by design.
757
758 --outprefix <fname_prefix> Prepend output filename prefix fname_prefix
759 before ${NODE}-. You can use as well the environment variable
760 FNAME_PREFIX. Using this any output files will be named <fname_pre‐
761 fix>-${NODE}-p${port}${YYYYMMDD-HHMM}.<format> when no file name of the
762 respective output option was specified. If you do not like the separa‐
763 tor '-' you can as well supply a <fname_prefix> ending in '.', '_' or
764 ','. In this case or if you already supplied '-' no additional '-' will
765 be appended to <fname_prefix>.
766
767 A few file output options can also be preset via environment variables.
768
769 COLOR RATINGS
770 Testssl.sh makes use of (the eight) standard terminal colors. The color
771 scheme is as follows:
772
773 ○ light red: a critical finding
774
775 ○ red: a high finding
776
777 ○ brown: a medium finding
778
779 ○ yellow: a low finding
780
781 ○ green (blue if COLORBLIND is set): something which is either in
782 general a good thing or a negative result of a check which other‐
783 wise results in a high finding
784
785 ○ light green (light blue if COLORBLIND is set) : something which is
786 either in general a very good thing or a negative result of a check
787 which otherwise results in a critical finding
788
789 ○ no color at places where also a finding can be expected: a finding
790 on an info level
791
792 ○ cyan: currently only used for --show-each or an additional hint
793
794 ○ magenta: signals a warning condition, e.g. either a local lack of
795 capabilities on the client side or another problem
796
797 ○ light magenta: a fatal error which either requires strict consent
798 from the user to continue or a condition which leaves no other
799 choice for testssl to quit
800
801
802
What is labeled as "light" above appears as such on the screen but is
technically speaking "bold". In addition, --color=3 will color ciphers
according to an internal and rough rating.
806
807 Markup (without any color) is used in the following manner:
808
809 ○ bold: for the name of the test
810
811 ○ underline + bold: for the headline of each test section
812
813 ○ underline: for a sub-headline
814
815 ○ italics: for strings just reflecting a value read from the server
816
817
818
819 TUNING via ENV variables and more options
Except for the environment variables mentioned above which can replace
command line options, here are some which cannot be set otherwise.
Variables used for tuning are preset with reasonable values. There
should be no reason to change them unless you use testssl under
special conditions.
824
825 ○ TERM_WIDTH is a variable which overrides the auto-determined termi‐
826 nal width size. Setting this variable normally only makes sense if
827 you log the output to a file using the --log, --logfile or -oL op‐
828 tion.
829
○ DEBUG_ALLINONE / SETX: when setting one of those to true testssl
falls back to the standard bash behavior, i.e. when calling bash -x
testssl the bash debugging output is displayed on the screen instead
of being written to the external file /tmp/testssl-<XX>.log
834
835 ○ DEBUGTIME: Profiling option. When using bash's debug mode and when
836 this is set to true, it generates a separate text file with epoch
837 times in /tmp/testssl-<XX>.time. They need to be concatenated by
paste /tmp/testssl-<XX>.{time,log}
845
846 ○ EXPERIMENTAL=true is an option which is sometimes used in the de‐
847 velopment process to make testing easier. In released versions this
848 has no effect.
849
850 ○ ALL_CLIENTS=true runs a client simulation with all (currently 126)
851 clients when testing HTTP.
852
853 ○ UNBRACKTD_IPV6: needs to be set to true for some old versions of
854 OpenSSL (like from Gentoo) which don't support [bracketed] IPv6 ad‐
855 dresses
856
○ NO_ENGINE: if you have problems with garbled output containing the
word 'engine' you might want to set this to true. It forces testssl
not to try to configure openssl's engine, or a non-existing one from
libressl
861
○ HEADER_MAXSLEEP: how long to wait before killing the process which
retrieves a service banner / HTTP header
864
865 ○ MAX_WAITSOCK: It instructs testssl to wait until the specified time
866 before declaring a socket connection dead. Don't change this unless
867 you're absolutely sure what you're doing. Value is in seconds.
868
○ CCS_MAX_WAITSOCK Is similar to the above but applies only to the
CCS handshakes, for both of the two CCS payloads. Don't change this
unless you're absolutely sure what you're doing. Value is in seconds.

○ HEARTBLEED_MAX_WAITSOCK Is similar to MAX_WAITSOCK but applies
only to the ServerHello after sending the Heartbleed payload. Don't
change this unless you're absolutely sure what you're doing. Value
is in seconds.
878
○ MEASURE_TIME_FILE For the rare cases when you don't want the scan
time to be included in the output you can set this to false.
881
882 ○ STARTTLS_SLEEP is per default set to 10 (seconds). That's the value
883 testssl waits for a string in the STARTTLS handshake before giving
884 up.
885
886 ○ MAX_PARALLEL is the maximum number of tests to run in parallel in
887 parallel mass testing mode. The default value of 20 may be made
888 larger on systems with faster processors.
889
890 ○ MAX_WAIT_TEST is the maximum time (in seconds) to wait for a single
891 test in parallel mass testing mode to complete. The default is
892 1200.
893
898 ○ HSTS_MIN is preset to 179 (days). If you want warnings sooner or
899 later for HTTP Strict Transport Security you can change this.
900
901 ○ HPKP_MIN is preset to 30 (days). If you want warnings sooner or
902 later for HTTP Public Key Pinning you can change this
903
904 ○ DAYS2WARN1 is the first threshold when you'll be warning of a cer‐
905 tificate expiration of a host, preset to 60 (days). For Let's En‐
906 crypt this value will be divided internally by 2.
907
908 ○ DAYS2WARN2 is the second threshold when you'll be warning of a cer‐
909 tificate expiration of a host, preset to 30 (days). For Let's En‐
910 crypt this value will be divided internally by 2.
911
○ TESTSSL_INSTALL_DIR is the derived installation directory of
testssl. Relative to that, the bin and the mandatory etc directory
will be looked for.
915
○ CA_BUNDLES_PATH: If you have your own set of CA bundles or you want
to point testssl to a specific location of a CA bundle, you can use
this variable to set the directory which testssl will use. Please
note that it completely overrides the builtin path of testssl, which
means that you will only test against the bundles you point to.
Also you might want to use ~/utils/create_ca_hashes.sh to create
the hashes for HPKP.
923
○ MAX_SOCKET_FAIL: A number which tells testssl how often a TCP
socket connection may fail before the program gives up and
terminates. The default is 2. You can increase it to a higher value
if you frequently see a message like Fatal error: repeated TCP
connect problems, giving up.

○ MAX_OSSL_FAIL: A number which tells testssl how often an OpenSSL
s_client connect may fail before the program gives up and
terminates. The default is 2. You can increase it to a higher value
if you frequently see a message like Fatal error: repeated openssl
s_client connect problem, doesn't make sense to continue.

○ MAX_HEADER_FAIL: A number which tells testssl how often an HTTP GET
request over OpenSSL may return an empty file before the program
gives up and terminates. The default is 3. Also here you can
increase the threshold when you spot messages like Fatal error:
repeated HTTP header connect problems, doesn't make sense to
continue.
942
943
944
EXAMPLES
testssl testssl
947
does a default run on https://testssl (protocols, standard cipher
lists, PFS, server preferences, server defaults, vulnerabilities,
testing all known 370 ciphers, client simulation).
951
952
953 testssl testssl.net:443
954
955
956
957 does the same default run as above with the subtle difference that
958 testssl.net has two IPv4 addresses. Both are tested.
959
960
961 testssl --ip=one --wide https://testssl.net:443
962
963
964
965 does the same checks as above, with the difference that one IP address
966 is being picked randomly. Displayed is everything where possible in
967 wide format.
968
969
970 testssl -6 https://testssl.net
971
972
973
As opposed to the first example it also tests the IPv6 part -- provided
you have an IPv6 network and your openssl supports IPv6 (see above).
976
977
978 testssl -t smtp smtp.gmail.com:25
979
980
981
982 Checks are done via a STARTTLS handshake on the plain text port 25. It
983 checks every IP on smtp.gmail.com.
984
985
986 testssl --starttls=imap imap.gmx.net:143
987
988
989
990 does the same on the plain text IMAP port.
991
992 Please note that for plain TLS-encrypted ports you must not specify the
993 protocol option when no STARTTLS handshake is offered: testssl
994 smtp.gmail.com:465 just checks the encryption on the SMTPS port,
995 testssl imap.gmx.net:993 on the IMAPS port. Also MongoDB which provides
996 TLS support without STARTTLS can be tested directly.
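
The following is an added example and not code from testssl.sh: it
plays the SMTP STARTTLS dialog that precedes the TLS handshake on a
plain-text port against a constructed fake server over a socketpair, so
it runs offline. Three cases from the examples and the note above are
covered: a port offering STARTTLS (25/587 style), a plain-text port
that does not, and an implicit-TLS port such as 465 that sends no
plain-text banner, where a STARTTLS-style probe can only wait. The fake
server, the host names and the verdict strings are assumptions of this
example.

```python
"""Added example, not testssl.sh code: the SMTP STARTTLS dialog that a
scanner performs on a plain-text port before the TLS handshake, played
offline against a constructed fake server. Host names and verdict
strings are made up for this example."""
import socket
import threading
from typing import List, Tuple


def fake_smtp_server(conn: socket.socket, mode: str = "starttls") -> None:
    """Constructed server end of the dialog. mode is one of:
       "starttls"  plain-text SMTP offering STARTTLS (port 25/587 style)
       "plain"     plain-text SMTP without STARTTLS
       "implicit"  TLS from the first byte (port 465 style): no banner
    """
    try:
        with conn.makefile("rb") as f:
            if mode == "implicit":
                f.readline()  # a real TLS server would wait for a ClientHello
                return
            conn.sendall(b"220 mail.example.test ESMTP (constructed)\r\n")
            while True:
                cmd = f.readline().strip().upper()
                if not cmd:
                    return  # client went away
                if cmd.startswith(b"EHLO"):
                    caps = [b"250-mail.example.test", b"250-SIZE 10240000"]
                    if mode == "starttls":
                        caps.append(b"250-STARTTLS")
                    caps.append(b"250 8BITMIME")
                    conn.sendall(b"\r\n".join(caps) + b"\r\n")
                elif cmd == b"STARTTLS" and mode == "starttls":
                    conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
                    return  # the TLS handshake would follow; not emulated
                elif cmd == b"STARTTLS":
                    conn.sendall(b"454 4.7.0 TLS not available\r\n")
                elif cmd == b"QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    return
                else:
                    conn.sendall(b"502 5.5.2 Command not implemented\r\n")
    finally:
        conn.close()


def read_reply(f) -> Tuple[int, List[str]]:
    """Read one SMTP reply: '250-' lines continue it, '250 ' ends it."""
    lines: List[str] = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(text) < 3 or not text[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {text!r}")
        lines.append(text[4:])
        if len(text) == 3 or text[3] == " ":
            return int(text[:3]), lines


def negotiate_starttls(sock: socket.socket,
                       ehlo_name: str = "scanner.example.test") -> str:
    """Client side up to the point where the TLS handshake would begin."""
    with sock.makefile("rb") as f:
        try:
            code, _banner = read_reply(f)
        except socket.timeout:
            # Nothing arrives in plain text: this is what 465/993 look like,
            # so a STARTTLS probe of such a port can only hang.
            return "no-plaintext-banner"
        if code != 220:
            return "unexpected-banner"
        sock.sendall(f"EHLO {ehlo_name}\r\n".encode("ascii"))
        code, caps = read_reply(f)
        if code != 250:
            return "ehlo-rejected"
        if "STARTTLS" not in {c.split()[0].upper() for c in caps if c}:
            return "starttls-not-offered"
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(f)
        return "ready-for-tls" if code == 220 else "starttls-refused"


def run_dialog(mode: str = "starttls", timeout: float = 0.5) -> str:
    """Run client and fake server over a socketpair; no network needed."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_smtp_server, args=(server, mode))
    t.start()
    client.settimeout(timeout)
    try:
        return negotiate_starttls(client)
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    for m in ("starttls", "plain", "implicit"):
        print(f"{m:9s}: {run_dialog(m)}")
```

The timeout in the "implicit" case is the whole point of the note
above: a scanner told to do STARTTLS on an implicit-TLS port waits for
a banner that never comes, which is why STARTTLS_SLEEP exists and why
the protocol option must be left off for ports like 465 and 993.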
997
RFCs and other standards
○ RFC 2246: The TLS Protocol Version 1.0
1000
1001 ○ RFC 2818: HTTP Over TLS
1002
1003 ○ RFC 2595: Using TLS with IMAP, POP3 and ACAP
1004
1005 ○ RFC 3207: SMTP Service Extension for Secure SMTP over Transport
1006 Layer Security
1007
1008 ○ RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1
1009
1010 ○ RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1
1011
1012 ○ RFC 4366: Transport Layer Security (TLS) Extensions
1013
1014 ○ RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for
1015 Transport Layer Security (TLS)
1016
1017 ○ RFC 5077: Transport Layer Security (TLS) Session Resumption
1018
1019 ○ RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
1020
1021 ○ RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
1022 Certificate Revocation List (CRL) Profile
1023
1024 ○ RFC 5321: Simple Mail Transfer Protocol
1025
1026 ○ RFC 5746: Transport Layer Security (TLS) Renegotiation Indication
1027 Extension
1028
1029 ○ RFC 6066: Transport Layer Security (TLS) Extensions: Extension Def‐
1030 initions
1031
1032 ○ RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
1033
1034 ○ RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core
1035
1036 ○ RFC 6125: Domain-Based Application Service Identity [..]
1037
1038 ○ RFC 6797: HTTP Strict Transport Security (HSTS)
1039
1040 ○ RFC 6961: The Transport Layer Security (TLS) Multiple Certificate
1041 Status Request Extension
1042
1043 ○ RFC 7469: Public Key Pinning Extension for HTTP (HPKP)
1044
1045 ○ RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Pre‐
1046 venting Protocol Downgrade Attacks
1047
1048 ○ RFC 7627: Transport Layer Security (TLS) Session Hash and Extended
1049 Master Secret Extension
1050
1051 ○ RFC 7633: X.509v3 Transport Layer Security (TLS) Feature Extension
1052
1053 ○ RFC 7465: Prohibiting RC4 Cipher Suites
1054
1055 ○ RFC 7685: A Transport Layer Security (TLS) ClientHello Padding Ex‐
1056 tension
1057
1058 ○ RFC 7905: ChaCha20-Poly1305 Cipher Suites for Transport Layer Secu‐
1059 rity (TLS)
1060
1061 ○ RFC 7919: Negotiated Finite Field Diffie-Hellman Ephemeral Parame‐
1062 ters for Transport Layer Security
1063
1064 ○ RFC 8143: Using Transport Layer Security (TLS) with Network News
1065 Transfer Protocol (NNTP)
1066
1067 ○ RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3
1068
1069 ○ W3C CSP: Content Security Policy Level 1-3
1070
1071 ○ TLSWG Draft: The Transport Layer Security (TLS) Protocol Version
1072 1.3
1073
1074
1075
EXIT STATUS
○ 0 testssl finished successfully without errors and without
ambiguous results
1079
1080 ○ 1 testssl has encountered exactly one ambiguous situation or an er‐
1081 ror during run
1082
1083 ○ 1+n same as previous. The errors or ambiguous results are added,
1084 also per IP.
1085
○ 50-200 reserved for returning a vulnerability scoring for system
monitoring or CI tools
1088
1089 ○ 242 (ERR_CHILD) Child received a signal from master
1090
1091 ○ 244 (ERR_RESOURCE) Resources testssl needs couldn't be read
1092
○ 245 (ERR_CLUELESS) Weird state, either through user options or
testssl itself
1095
1096 ○ 246 (ERR_CONNECT) Connectivity problem
1097
1098 ○ 247 (ERR_DNSLOOKUP) Problem with resolving IP addresses or names
1099
1100 ○ 248 (ERR_OTHERCLIENT) Other client problem
1101
1102 ○ 249 (ERR_DNSBIN) Problem with DNS lookup binaries
1103
1104 ○ 250 (ERR_OSSLBIN) Problem with OpenSSL binary
1105
1106 ○ 251 (ERR_NOSUPPORT) Feature requested is not supported
1107
1108 ○ 252 (ERR_FNAMEPARSE) Input file couldn't be parsed
1109
1110 ○ 253 (ERR_FCREATE) Output file couldn't be created
1111
1112 ○ 254 (ERR_CMDLINE) Cmd line couldn't be parsed
1113
1114 ○ 255 (ERR_BASH) Bash version incorrect
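
An added example that is not testssl.sh code, serving both the file
output options above (--json, --jsonfile, --severity) and the exit
status list just above: a CI gate that first checks the exit status, so
a fatal error (242-255) is never mistaken for a clean scan, and then
applies a --severity style threshold to the flat JSON findings. The key
names (id, ip, port, severity, finding, cve, cwe) are those current
testssl.sh releases write and should be checked against your own
output; the sample findings, the host and the wrapper's 50+score exit
code convention are assumptions of this example.

```python
"""Added example, not testssl.sh code: gate a CI job on one testssl.sh run
by combining the exit status listed above with the flat JSON written by
--json, --jsonfile or -oa. The key names id, ip, port, severity, finding,
cve and cwe are those written by current testssl.sh releases (confirm
against your own output); the sample findings are constructed. The
wrapper's exit code of 50 + score borrows the 50-200 range reserved above
for scoring; that mapping is a local convention of this example."""
import json
from typing import Dict, List, Tuple

# Rank used for a --severity style cut-off; OK and INFO sit below LOW.
SEVERITY_RANK: Dict[str, int] = {
    "DEBUG": 0, "INFO": 1, "OK": 2, "LOW": 3, "MEDIUM": 4, "HIGH": 5,
    "CRITICAL": 6,
}
# Weights for the wrapper's own score (assumption of this example).
WEIGHT: Dict[str, int] = {"LOW": 1, "MEDIUM": 5, "HIGH": 20, "CRITICAL": 50}

# Fatal codes from the EXIT STATUS list: testssl did not complete the scan.
FATAL_CODES: Dict[int, str] = {
    242: "ERR_CHILD", 244: "ERR_RESOURCE", 245: "ERR_CLUELESS",
    246: "ERR_CONNECT", 247: "ERR_DNSLOOKUP", 248: "ERR_OTHERCLIENT",
    249: "ERR_DNSBIN", 250: "ERR_OSSLBIN", 251: "ERR_NOSUPPORT",
    252: "ERR_FNAMEPARSE", 253: "ERR_FCREATE", 254: "ERR_CMDLINE",
    255: "ERR_BASH",
}

# Constructed stand-in for ${NODE}-p443-<date>.json as written by --json.
HOST = "www.example.test/203.0.113.10"
SAMPLE_FLAT_JSON = json.dumps([
    {"id": "service", "ip": HOST, "port": "443", "severity": "INFO",
     "finding": "HTTP"},
    {"id": "TLS1", "ip": HOST, "port": "443", "severity": "LOW",
     "finding": "offered (deprecated)"},
    {"id": "cert_expirationStatus", "ip": HOST, "port": "443",
     "severity": "HIGH", "finding": "expires < 30 days"},
    {"id": "heartbleed", "ip": HOST, "port": "443", "severity": "OK",
     "finding": "not vulnerable, no heartbeat extension",
     "cve": "CVE-2014-0160", "cwe": "CWE-119"},
    {"id": "ROBOT", "ip": HOST, "port": "443", "severity": "WARN",
     "finding": "Socket timed out, could not test"},
])


def classify_exit_status(rc: int) -> str:
    """Tell 'tool failed' apart from 'tool ran and reported something'."""
    if rc == 0:
        return "clean"
    if 1 <= rc < 50:
        return f"{rc} error(s) or ambiguous result(s)"
    if 50 <= rc <= 200:
        return f"vulnerability score {rc}"
    if rc in FATAL_CODES:
        return f"fatal {FATAL_CODES[rc]}"
    return f"unknown exit status {rc}"


def load_flat(text: str) -> List[dict]:
    """Parse --json output; --json-pretty output is a dict and is rejected."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("not flat JSON: use --json/--jsonfile, not --json-pretty")
    return data


def at_least(findings: List[dict], min_severity: str) -> List[dict]:
    """Same rule as --severity: keep findings at or above the threshold and
    always keep WARN, since it marks a client-side scanning problem."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if f["severity"] == "WARN"
            or SEVERITY_RANK.get(f["severity"], -1) >= threshold]


def gate(rc: int, json_text: str, fail_at: str = "HIGH") -> Tuple[int, List[str]]:
    """Return (wrapper exit code, reasons). 0 = nothing at/above fail_at."""
    status = classify_exit_status(rc)
    if status.startswith("fatal"):
        # An absent or empty JSON file after a fatal error is not a clean scan.
        return 1, [f"testssl did not complete: {status}"]
    findings = load_flat(json_text)
    warns = [f for f in findings if f["severity"] == "WARN"]
    blocking = [f for f in at_least(findings, fail_at) if f["severity"] != "WARN"]
    reasons = [f"{f['id']}@{f['ip']}:{f['port']} {f['severity']}: {f['finding']}"
               + (f" ({f['cve']})" if f.get("cve") else "")
               for f in blocking]
    reasons += [f"incomplete check {f['id']}: {f['finding']}" for f in warns]
    if not blocking:
        return 0, reasons
    score = min(150, sum(WEIGHT.get(f["severity"], 0) for f in blocking))
    return 50 + score, reasons


if __name__ == "__main__":
    # e.g.: testssl --json --severity LOW https://www.example.test; rc=$?
    code, why = gate(0, SAMPLE_FLAT_JSON)
    print(code, *why, sep="\n  ")
```

WARN entries never fail the gate but are always reported, mirroring
--severity: a check that could not run is a gap in coverage, not a
finding, and hiding it would make an incomplete scan look clean.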
1115
1116
1117
FILES
etc/*pem are the certificate stores from Apple, Linux, Mozilla Firefox,
1120 Windows and Java.
1121
1122 etc/client-simulation.txt contains client simulation data.
1123
1124 etc/cipher-mapping.txt provides a mandatory file with mapping from
1125 OpenSSL cipher suites names to the ones from IANA / used in the RFCs.
1126
1127 etc/tls_data.txt provides a mandatory file for ciphers (bash sockets)
1128 and key material.
1129
AUTHORS
Developed by Dirk Wetter, David Cooper and many others, see CREDITS.md.
1133
COPYRIGHT
Copyright © 2012 Dirk Wetter. License GPLv2: Free Software Foundation,
1136 Inc. This is free software: you are free to change and redistribute it
1137 under the terms of the license, see LICENSE.
1138
1139 Attribution is important for the future of this project - also in the
1140 internet. Thus if you're offering a scanner based on testssl.sh as a
1141 public and/or paid service in the internet you are strongly encouraged
1142 to mention to your audience that you're using this program and where to
1143 get this program from. That helps us to get bugfixes, other feedback
1144 and more contributions.
1145
1146 Usage WITHOUT ANY WARRANTY. USE at your OWN RISK!
1147
LIMITATIONS
All native Windows platforms emulating Linux are known to be slow.
1150
BUGS
Probably. Current known ones and interface for filing new ones:
1153 https://testssl.sh/bugs/ .
1154
SEE ALSO
ciphers(1), openssl(1), s_client(1), x509(1), verify(1), ocsp(1),
1157 crl(1), bash(1) and the websites https://testssl.sh/ and
1158 https://github.com/drwetter/testssl.sh/ .
1159
1160
1161
1162 August 2022 TESTSSL(1)