1TESTSSL(1) General Commands Manual TESTSSL(1)
2
6 testssl
7
9 testssl -- check encryption of SSL/TLS servers
10
12 testssl [OPTIONS] <URI>, testssl [OPTIONS] --file <FILE>
13 or
15 testssl [BANNER OPTIONS]
17
19 testssl is a free command line tool which checks a server's service on
20 any port for the support of TLS/SSL ciphers, protocols as well as cryp‐
21 tographic flaws and much more.
22 The output rates findings by color (screen) or severity (file output)
24 so that you are able to tell whether something is good or bad. The
25 (screen) output has several sections in which classes of checks are be‐
26 ing performed. To ease readability on the screen it aligns and indents
27 the output properly.
28 Only you see the result. You also can use it internally on your LAN.
30 Except DNS lookups or unless you instruct testssl to check for revoca‐
31 tion of certificates it doesn't use any other hosts or even third par‐
32 ties for any test.
33
35 Testssl.sh is out of the box portable: it runs under any Unix-like
36 stack: Linux, *BSD, MacOS X, WSL=Windows Subsystem for Linux, Cygwin
37 and MSYS2. bash is a prerequisite, also version 3 is still supported.
38 Standard utilities like awk, sed, tr and head are also needed. This can
39 be of a BSD, System 5 or GNU flavor whereas grep from System V is not
40 yet supported.
41 Any OpenSSL or LibreSSL version is needed as a helper. Unlike previous
43 versions of testssl almost every check is done via (TCP) sockets. In
44 addition statically linked OpenSSL binaries for major operating systems
45 are supplied in ./bin/.
46
48 testssl URI as the default invocation does the so-called default run
49 which does a number of checks and puts out the results colorized (ANSI
50 and termcap) on the screen. It does every check listed below except -E
51 which are (order of appearance):
52 0) displays a banner (see below), does a DNS lookup also for further IP
54 addresses and does for the returned IP address a reverse lookup. Last
55 but not least a service check is being done.
56 1) SSL/TLS protocol check
58 2) standard cipher categories
60 3) server's cipher preferences (server order?)
62 4) forward secrecy: ciphers and elliptical curves
64 5) server defaults (certificate info, TLS extensions, session informa‐
66 tion)
67 6) HTTP header (if HTTP detected or being forced via --assume-http)
69 7) vulnerabilities
71 8) testing each of 370 preconfigured ciphers
73 9) client simulation
75 10) rating
77
79 Options are either short or long options. Any long or short option re‐
80 quiring a value can be called with or without an equal sign. E.g.
81 testssl -t=smtp --wide --openssl=/usr/bin/openssl <URI> (short options
82 with equal sign) is equivalent to testssl --starttls smtp --wide
83 --openssl /usr/bin/openssl <URI> (long option without equal sign). Some
84 command line options can also be preset via ENV variables. WIDE=true
85 OPENSSL=/usr/bin/openssl testssl --starttls=smtp <URI> would be the
86 equivalent to the aforementioned examples. Preference has the command
87 line over any environment variables.
88 <URI> or --file <FILE> always needs to be the last parameter.
90 BANNER OPTIONS (standalone)
92 --help (or no arg) displays command line help
93 -b, --banner displays testssl banner, including license, usage condi‐
95 tions, version of testssl, detected openssl version, its path to it, #
96 of ciphers of openssl, its build date and the architecture.
97 -v, --version same as before
99 -V [pattern], --local [pattern] pretty print all local ciphers sup‐
101 ported by openssl version. If a pattern is supplied it performs a match
102 (ignore case) on any of the strings supplied in the wide output, see
103 below. The pattern will be searched in the any of the columns: hexcode,
104 cipher suite name (OpenSSL or IANA), key exchange, encryption, bits. It
105 does a word pattern match for non-numbers, for number just a normal
106 match applies. Numbers here are defined as [0-9,A-F]. This means (at‐
107 tention: catch) that the pattern CBC is matched as non-word, but AES as
108 word. This option also accepts --openssl=<path_to_openssl>.
109 INPUT PARAMETERS
111 URI can be a hostname, an IPv4 or IPv6 address (restriction see below)
112 or an URL. IPv6 addresses need to be in square brackets. For any given
113 parameter port 443 is assumed unless specified by appending a colon and
114 a port number. The only preceding protocol specifier allowed is https.
115 You need to be aware that checks for an IP address might not hit the
116 vhost you want. DNS resolution (A/AAAA record) is being performed un‐
117 less you have an /etc/hosts entry for the hostname.
118 --file <fname> or the equivalent -iL <fname> are mass testing options.
120 Per default it implicitly turns on --warnings batch. In its first in‐
121 carnation the mass testing option reads command lines from fname. fname
122 consists of command lines of testssl, one line per instance. Comments
123 after # are ignored, EOF signals the end of fname any subsequent lines
124 will be ignored too. You can also supply additional options which will
125 be inherited to each child, e.g. When invoking testssl --wide --log
126 --file <fname> . Each single line in fname is parsed upon execution. If
127 there's a conflicting option and serial mass testing option is being
128 performed the check will be aborted at the time it occurs and depending
129 on the output option potentially leaving you with an output file with‐
130 out footer. In parallel mode the mileage varies, likely a line won't be
131 scanned.
132 Alternatively fname can be in nmap's grep(p)able output format (-oG).
134 Only open ports will be considered. Multiple ports per line are al‐
135 lowed. The ports can be different and will be tested by testssl accord‐
136 ing to common practice in the internet, i.e. if nmap shows in its out‐
137 put an open port 25, automatically -t smtp will be added before the URI
138 whereas port 465 will be treated as a plain TLS/SSL port, not requiring
139 an STARTTLS SMTP handshake upfront. This is done by an internal table
140 which correlates nmap's open port detected to the STARTTLS/plain text
141 decision from testssl.
142 Nmap's output always returns IP addresses and only if there's a PTR DNS
144 record available a hostname. As it is not checked by nmap whether the
145 hostname matches the IP (A or AAAA record), testssl does this automati‐
146 cally for you. If the A record of the hostname matches the IP address,
147 the hostname is used and not the IP address. Please keep in mind that
148 checks against an IP address might not hit the vhost you maybe were
149 aiming at and thus it may lead to different results.
150 A typical internal conversion to testssl file format from nmap's
152 grep(p)able format could look like:
153 10.10.12.16:443 10.10.12.16:1443 -t smtp host.example.com:25 host.exam‐
155 ple.com:443 host.example.com:631 -t ftp 10.10.12.11:21 10.10.12.11:8443
156 Please note that fname has to be in Unix format. DOS carriage returns
157 won't be accepted. Instead of the command line switch the environment
158 variable FNAME will be honored too.
159 --mode <serial|parallel>. Mass testing to be done serial (default) or
161 parallel (--parallel is shortcut for the latter, --serial is the oppo‐
162 site option). Per default mass testing is being run in serial mode,
163 i.e. one line after the other is processed and invoked. The variable
164 MASS_TESTING_MODE can be defined to be either equal serial or parallel.
165 --warnings <batch|off>. The warnings parameter determines how testssl
167 will deal with situations where user input normally will be necessary.
168 There are two options. batch doesn't wait for a confirming keypress
169 when a client- or server-side problem is encountered. As of 3.0 it just
170 then terminates the particular scan. This is automatically chosen for
171 mass testing (--file). off just skips the warning, the confirmation but
172 continues the scan, independent whether it makes sense or not. Please
173 note that there are conflicts where testssl will still ask for confir‐
174 mation which are the ones which otherwise would have a drastic impact
175 on the results. Almost any other decision will be made in the future as
176 a best guess by testssl. The same can be achieved by setting the envi‐
177 ronment variable WARNINGS.
178 --connect-timeout <seconds> This is useful for socket TCP connections
180 to a node. If the node does not complete a TCP handshake (e.g. because
181 it is down or behind a firewall or there's an IDS or a tarpit) testssl
182 may usually hang for around 2 minutes or even much more. This parameter
183 instructs testssl to wait at most seconds for the handshake to complete
184 before giving up. This option only works if your OS has a timeout bi‐
185 nary installed. CONNECT_TIMEOUT is the corresponding environment vari‐
186 able.
187 --openssl-timeout <seconds> This is especially useful for all connects
189 using openssl and practically useful for mass testing. It avoids the
190 openssl connect to hang for ~2 minutes. The expected parameter seconds
191 instructs testssl to wait before the openssl connect will be termi‐
192 nated. The option is only available if your OS has a timeout binary in‐
193 stalled. As there are different implementations of timeout: It automat‐
194 ically calls the binary with the right parameters. OPENSSL_TIMEOUT is
195 the equivalent environment variable.
196 --basicauth <user:pass> This can be set to provide HTTP basic auth cre‐
198 dentials which are used during checks for security headers. BASICAUTH
199 is the ENV variable you can use instead.
200 --reqheader <header> This can be used to add additional HTTP request
202 headers in the correct format Headername: headercontent. This parameter
203 can be called multiple times if required. For example: --reqheader
204 'Proxy-Authorization: Basic dGVzdHNzbDpydWxlcw==' --reqheader 'Clien‐
205 tID: 0xDEADBEAF'. REQHEADER is the corresponding environment variable.
206 SPECIAL INVOCATIONS
208 -t <protocol>, --starttls <protocol> does a default run against a
209 STARTTLS enabled protocol. protocol must be one of ftp, smtp, pop3,
210 imap, xmpp, sieve, xmpp-server, telnet, ldap, irc, lmtp, nntp, post‐
211 gres, mysql. For the latter four you need e.g. the supplied OpenSSL or
212 OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS
213 connection, IRC currently only works with --ssl-native. irc is WIP.
214 --xmpphost <jabber_domain> is an additional option for STARTTLS enabled
216 XMPP: It expects the jabber domain as a parameter. This is only needed
217 if the domain is different from the URI supplied.
218 --mx <domain|host> tests all MX records (STARTTLS on port 25) from high
220 to low priority, one after the other.
221 --ip <ip> tests either the supplied IPv4 or IPv6 address instead of re‐
223 solving host(s) in <URI>. IPv6 addresses need to be supplied in square
224 brackets. --ip=one means: just test the first A record DNS returns
225 (useful for multiple IPs). If -6 and --ip=one was supplied an AAAA
226 record will be picked if available. The --ip option might be also use‐
227 ful if you want to resolve the supplied hostname to a different IP,
228 similar as if you would edit /etc/hosts or /c/Windows/System32/driv‐
229 ers/etc/hosts. --ip=proxy tries a DNS resolution via proxy. --ip=proxy
230 plus --nodns=min is useful for situations with no local DNS as there'll
231 be no DNS timeouts when trying to resolve CAA, TXT and MX records.
232 --proxy <host>:<port> does ANY check via the specified proxy.
234 --proxy=auto inherits the proxy setting from the environment. The host‐
235 name supplied will be resolved to the first A record. In addition if
236 you want lookups via proxy you can specify DNS_VIA_PROXY=true. OCSP re‐
237 vocation checking (-S --phone-out) is not supported by OpenSSL via
238 proxy. As supplying a proxy is an indicator for port 80 and 443 outgo‐
239 ing being blocked in your network an OCSP revocation check won't be
240 performed. However if IGN_OCSP_PROXY=true has been supplied it will be
241 tried directly. Authentication to the proxy is not supported. Proxying
242 via IPv6 addresses is not possible, no HTTPS or SOCKS proxy is sup‐
243 ported.
244 -6 does (also) IPv6 checks. Please note that testssl doesn't perform
246 checks on an IPv6 address automatically, because of two reasons:
247 testssl does no connectivity checks for IPv6 and it cannot determine
248 reliably whether the OpenSSL binary you're using has IPv6 s_client sup‐
249 port. -6 assumes both is the case. If both conditions are met and you
250 in general prefer to test for IPv6 branches as well you can add
251 HAS_IPv6 to your shell environment. Besides the OpenSSL binary supplied
252 IPv6 is known to work with vanilla OpenSSL >= 1.1.0 and older versions
253 >=1.0.2 in RHEL/CentOS/FC and Gentoo.
254 --ssl-native Instead of using a mixture of bash sockets and a few
256 openssl s_client connects, testssl uses the latter (almost) only. This
257 is faster but provides less accurate results, especially for the client
258 simulation and for cipher support. For all checks you will see a warn‐
259 ing if testssl cannot tell if a particular check cannot be performed.
260 For some checks however you might end up getting false negatives with‐
261 out a warning. Thus it is not recommended to use. It should only be
262 used if you prefer speed over accuracy or you know that your target has
263 sufficient overlap with the protocols and cipher provided by your
264 openssl binary.
265 --openssl <path_to_openssl> testssl tries very hard to find automagi‐
267 cally the binary supplied (where the tree of testssl resides, from the
268 directory where testssl has been started from, etc.). If all that
269 doesn't work it falls back to openssl supplied from the OS ($PATH).
270 With this option you can point testssl to your binary of choice and
271 override any internal magic to find the openssl binary. (Environment
272 preset via OPENSSL=<path_to_openssl>).
273 TUNING OPTIONS
275 --bugs does some workarounds for buggy servers like padding for old F5
276 devices. The option is passed as -bug to openssl when needed, see
277 s_client(1), environment preset via BUGS="-bugs" (1x dash). For the
278 socket part testssl has always workarounds in place to cope with broken
279 server implementations.
280 --assuming-http testssl normally does upfront an application protocol
282 detection. In cases where HTTP cannot be automatically detected you may
283 want to use this option. It enforces testssl not to skip HTTP specific
284 tests (HTTP header) and to run a browser based client simulation.
285 Please note that sometimes also the severity depends on the application
286 protocol, e.g. SHA1 signed certificates, the lack of any SAN matches
287 and some vulnerabilities will be punished harder when checking a web
288 server as opposed to a mail server.
289 -n, --nodns <min|none> tells testssl which DNS lookups should be per‐
291 formed. min uses only forward DNS resolution (A and AAAA record or MX
292 record) and skips CAA lookups and PTR records from the IP address back
293 to a DNS name. none performs no DNS lookups at all. For the latter you
294 either have to supply the IP address as a target, to use --ip or have
295 the IP address in /etc/hosts. The use of the switch is only useful if
296 you either can't or are not willing to perform DNS lookups. The latter
297 can apply e.g. to some pentests. In general this option could e.g. help
298 you to avoid timeouts by DNS lookups. NODNS is the environment variable
299 for this. --nodns=min plus --ip=proxy is useful for situations with no
300 local DNS as there'll be no DNS timeouts when trying to resolve CAA,
301 TXT and MX records.
302 --sneaky For HTTP header checks testssl uses normally the server
304 friendly HTTP user agent TLS tester from ${URL}. With this option your
305 traces are less verbose and a Firefox user agent is being used. Be
306 aware that it doesn't hide your activities. That is just not possible
307 (environment preset via SNEAKY=true).
308 --user-agent <user agent> tells testssl to use the supplied HTTP user
310 agent instead of the standard user agent TLS tester from ${URL}.
311 --ids-friendly is a switch which may help to get a scan finished which
313 otherwise would be blocked by a server side IDS. This switch skips
314 tests for the following vulnerabilities: Heartbleed, CCS Injection,
315 Ticketbleed and ROBOT. The environment variable OFFENSIVE set to false
316 will achieve the same result. Please be advised that as an alternative
317 or as a general approach you can try to apply evasion techniques by
318 changing the variables USLEEP_SND and / or USLEEP_REC and maybe
319 MAX_WAITSOCK.
320 --phone-out Checking for revoked certificates via CRL and OCSP is not
322 done per default. This switch instructs testssl to query external -- in
323 a sense of the current run -- URIs. By using this switch you acknowl‐
324 edge that the check might have privacy issues, a download of several
325 megabytes (CRL file) may happen and there may be network connectivity
326 problems while contacting the endpoint which testssl doesn't handle.
327 PHONE_OUT is the environment variable for this which needs to be set to
328 true if you want this.
329 --add-ca <CAfile> enables you to add your own CA(s) in PEM format for
331 trust chain checks. CAfile can be a directory containing files with a
332 .pem extension, a single file or multiple files as a comma separated
333 list of root CAs. Internally they will be added during runtime to all
334 CA stores. This is (only) useful for internal hosts whose certificates
335 are issued by internal CAs. Alternatively ADDTL_CA_FILES is the envi‐
336 ronment variable for this.
337 SINGLE CHECK OPTIONS
339 Any single check switch supplied as an argument prevents testssl from
340 doing a default run. It just takes this and if supplied other options
341 and runs them - in the order they would also appear in the default run.
342 -e, --each-cipher checks each of the (currently configured) 370 ciphers
344 via openssl + sockets remotely on the server and reports back the re‐
345 sult in wide mode. If you want to display each cipher tested you need
346 to add --show-each. Per default it lists the following parameters: hex‐
347 code, OpenSSL cipher suite name, key exchange, encryption bits,
348 IANA/RFC cipher suite name. Please note the --mapping parameter changes
349 what cipher suite names you will see here and at which position. Also
350 please note that the bit length for the encryption is shown and not the
351 security length, albeit it'll be sorted by the latter. For 3DES due to
352 the Meet-in-the-Middle problem the bit size of 168 bits is equivalent
353 to the security size of 112 bits.
354 -E, --cipher-per-proto is similar to -e, --each-cipher. It checks each
356 of the possible ciphers, here: per protocol. If you want to display
357 each cipher tested you need to add --show-each. The output is sorted by
358 security strength, it lists the encryption bits though.
359 -s, --std, --categories tests certain lists of cipher suites / cipher
361 categories by strength. (--standard is deprecated.) Those lists are
362 (openssl ciphers $LIST, $LIST from below:)
363 ○ NULL encryption ciphers: 'NULL:eNULL'
365 ○ Anonymous NULL ciphers: 'aNULL:ADH'
367 ○ Export ciphers (w/o the preceding ones): 'EXPORT:!ADH:!NULL'
369 ○ LOW (64 Bit + DES ciphers, without EXPORT ciphers):
371 'LOW:DES:RC2:RC4:MD5:!ADH:!EXP:!NULL:!eNULL:!AECDH'
372 ○ 3DES + IDEA ciphers: '3DES:IDEA:!aNULL:!ADH:!MD5'
374 ○ Obsoleted CBC ciphers: 'HIGH:MEDIUM:AES:CAMEL‐
376 LIA:ARIA:!IDEA:!CHACHA20:!3DES:!RC2:!RC4:!AESCCM8:!AESCCM:!AES‐
377 GCM:!ARIAGCM:!aNULL:!MD5'
378 ○ Strong ciphers with no FS (AEAD): 'AESGCM:CHACHA20:Camel‐
380 liaGCM:AESCCM:ARIAGCM:!kEECDH:!kEDH:!kDHE:!kDHEPSK:!kECDHEPSK:!aN‐
381 ULL'
382 ○ Forward Secrecy strong ciphers (AEAD): 'AESGCM:CHACHA20:Camel‐
384 liaGCM:AESCCM:ARIAGCM:!kPSK:!kRSAPSK:!kRSA:!kDH:!kECDH:!aNULL'
385 -f, --fs, --nsa, --forward-secrecy Checks robust forward secrecy key
389 exchange. "Robust" means that ciphers having intrinsic severe weak‐
390 nesses like Null Authentication or Encryption, 3DES and RC4 won't be
391 considered here. There shouldn't be the wrong impression that a secure
392 key exchange has been taking place and everything is fine when in real‐
393 ity the encryption sucks. Also this section lists the available ellip‐
394 tical curves and Diffie Hellman groups, as well as FFDHE groups (TLS
395 1.2 and TLS 1.3).
396 -p, --protocols checks TLS/SSL protocols SSLv2, SSLv3, TLS 1.0 through
398 TLS 1.3 and for HTTP: SPDY (NPN) and ALPN, a.k.a. HTTP/2. For TLS 1.3
399 several drafts (from 18 on) and final are supported and being tested
400 for.
401 -P, --server-preference, --preference displays the servers preferences:
403 cipher order, with used openssl client: negotiated protocol and cipher.
404 If there's a cipher order enforced by the server it displays it for
405 each protocol (openssl+sockets). If there's not, it displays instead
406 which ciphers from the server were picked with each protocol.
407 -S, --server_defaults displays information from the server hello(s):
409 ○ Available TLS extensions,
411 ○ TLS ticket + session ID information/capabilities,
413 ○ session resumption capabilities,
415 ○ Time skew relative to localhost (most server implementations return
417 random values).
418 ○ Several certificate information
420 ○ signature algorithm,
422 ○ key size,
424 ○ key usage and extended key usage,
426 ○ fingerprints and serial
428 ○ Common Name (CN), Subject Alternative Name (SAN), Issuer,
430 ○ Trust via hostname + chain of trust against supplied certificates
432 ○ EV certificate detection
434 ○ experimental "eTLS" detection
436 ○ validity: start + end time, how many days to go (warning for cer‐
438 tificate lifetime >=5 years)
439 ○ revocation info (CRL, OCSP, OCSP stapling + must staple). When
441 --phone-out supplied it checks against the certificate issuer
442 whether the host certificate has been revoked (plain OCSP, CRL).
443 ○ displaying DNS Certification Authority Authorization resource
445 record
446 ○ Certificate Transparency info (if provided by server).
448 For the trust chain check 5 certificate stores are provided. If the
455 test against one of the trust stores failed, the one is being identi‐
456 fied and the reason for the failure is displayed - in addition the ones
457 which succeeded are displayed too. You can configure your own CA via
458 ADDTL_CA_FILES, see section FILES below. If the server provides no
459 matching record in Subject Alternative Name (SAN) but in Common Name
460 (CN), it will be indicated as this is deprecated. Also for multiple
461 server certificates are being checked for as well as for the certifi‐
462 cate reply to a non-SNI (Server Name Indication) client hello to the IP
463 address. Regarding the TLS clock skew: it displays the time difference
464 to the client. Only a few TLS stacks nowadays still support this and
465 return the local clock gmt_unix_time, e.g. IIS, openssl < 1.0.1f. In
466 addition to the HTTP date you could e.g. derive that there are differ‐
467 ent hosts where your TLS and your HTTP request ended -- if the time
468 deltas differ significantly.
469 -x <pattern>, --single-cipher <pattern> tests matched pattern of ci‐
471 phers against a server. Patterns are similar to -V pattern , --local
472 pattern, see above about matching.
473 -h, --header, --headers if the service is HTTP (either by detection or
475 by enforcing via --assume-http. It tests several HTTP headers like
476 ○ HTTP Strict Transport Security (HSTS)
478 ○ HTTP Public Key Pinning (HPKP)
480 ○ Server banner
482 ○ HTTP date+time
484 ○ Server banner like Linux or other Unix vendor headers
486 ○ Application banner (PHP, RoR, OWA, SharePoint, Wordpress, etc)
488 ○ Reverse proxy headers
490 ○ Web server modules
492 ○ IPv4 address in header
494 ○ Cookie (including Secure/HTTPOnly flags)
496 ○ Decodes BIG IP F5 non-encrypted cookies
498 ○ Security headers (X-Frame-Options, X-XSS-Protection, Expect-CT,...
500 , CSP headers). Nonsense is not yet detected here.
501 -c, --client-simulation This simulates a handshake with a number of
505 standard clients so that you can figure out which client cannot or can
506 connect to your site. For the latter case the protocol, cipher and
507 curve is displayed, also if there's Forward Secrecy. testssl uses a
508 handselected set of clients which are retrieved by the SSLlabs API. The
509 output is aligned in columns when combined with the --wide option. If
510 you want the full nine yards of clients displayed use the environment
511 variable ALL_CLIENTS.
512 -g, --grease checks several server implementation bugs like tolerance
514 to size limitations and GREASE, see RFC 8701. This check doesn't run
515 per default.
516 VULNERABILITIES
518 -U, --vulnerable, --vulnerabilities Just tests all (of the following)
519 vulnerabilities. The environment variable VULN_THRESHLD determines af‐
520 ter which value a separate headline for each vulnerability is being
521 displayed. Default is 1 which means if you check for two vulnerabili‐
522 ties, only the general headline for vulnerabilities section is dis‐
523 played -- in addition to the vulnerability and the result. Otherwise
524 each vulnerability or vulnerability section gets its own headline in
525 addition to the output of the name of the vulnerability and test re‐
526 sult. A vulnerability section is comprised of more than one check, e.g.
527 the renegotiation vulnerability check has two checks, so has Logjam.
528 -H, --heartbleed Checks for Heartbleed, a memory leakage in openssl.
530 Unless the server side doesn't support the heartbeat extension it is
531 likely that this check runs into a timeout. The seconds to wait for a
532 reply can be adjusted with HEARTBLEED_MAX_WAITSOCK. 8 is the default.
533 -I, --ccs, --ccs-injection Checks for CCS Injection which is an openssl
535 vulnerability. Sometimes also here the check needs to wait for a reply.
536 The predefined timeout of 5 seconds can be changed with the environment
537 variable CCS_MAX_WAITSOCK.
538 -T, --ticketbleed Checks for Ticketbleed memory leakage in BigIP load‐
540 balancers.
541 --BB, --robot Checks for vulnerability to ROBOT / (Return Of Bleichen‐
543 bacher's Oracle Threat) attack.
544 --SI, --starttls-injection Checks for STARTTLS injection vulnerabili‐
546 ties (SMTP, IMAP, POP3 only). socat and OpenSSL >=1.1.0 is needed.
547 -R, --renegotiation Tests renegotiation vulnerabilities. Currently
549 there's a check for Secure Renegotiation and for Secure Client-Initi‐
550 ated Renegotiation. Please be aware that vulnerable servers to the lat‐
551 ter can likely be DoSed very easily (HTTP). A check for Insecure
552 Client-Initiated Renegotiation is not yet implemented.
553 -C, --compression, --crime Checks for CRIME (Compression Ratio
555 Info-leak Made Easy) vulnerability in TLS. CRIME in SPDY is not yet be‐
556 ing checked for.
557 -B, --breach Checks for BREACH (Browser Reconnaissance and Exfiltration
559 via Adaptive Compression of Hypertext) vulnerability. As for this vul‐
560 nerability HTTP level compression is a prerequisite it'll be not tested
561 if HTTP cannot be detected or the detection is not enforced via --as‐
562 sume-http. Please note that only the URL supplied (normally "/" ) is
563 being tested.
564 -O, --poodle Tests for SSL POODLE (Padding Oracle On Downgraded Legacy
566 Encryption) vulnerability. It basically checks for the existence of CBC
567 ciphers in SSLv3.
568 -Z, --tls-fallback Checks TLS_FALLBACK_SCSV mitigation. TLS_FALL‐
570 BACK_SCSV is basically a ciphersuite appended to the Client Hello try‐
571 ing to prevent protocol downgrade attacks by a Man in the Middle.
572 -W, --sweet32 Checks for vulnerability to SWEET32 by testing 64 bit
574 block ciphers (3DES, RC2 and IDEA).
575 -F, --freak Checks for FREAK vulnerability (Factoring RSA Export Keys)
577 by testing for EXPORT RSA ciphers
578 -D, --drown Checks for DROWN vulnerability (Decrypting RSA with Obso‐
580 lete and Weakened eNcryption) by checking whether the SSL 2 protocol is
581 available at the target. Please note that if you use the same RSA cer‐
582 tificate elsewhere you might be vulnerable too. testssl doesn't check
583 for this but provides a helpful link @ censys.io which provides this
584 service.
585 -J, --logjam Checks for LOGJAM vulnerability by checking for DH EXPORT
587 ciphers. It also checks for "common primes" which are preconfigured DH
588 keys. DH keys =< 1024 Bit will be penalized. Also FFDHE groups (TLS
589 1.2) will be displayed here.
590 -A, --beast Checks BEAST vulnerabilities in SSL 3 and TLS 1.0 by test‐
592 ing the usage of CBC ciphers.
593 -L, --lucky13 Checks for LUCKY13 vulnerability. It checks for the pres‐
595 ence of CBC ciphers in TLS versions 1.0 - 1.2.
596 -WS, --winshock Checks for Winshock vulnerability. It tests for the ab‐
598 sence of a lot of ciphers, some TLS extensions and ec curves which were
599 introduced later in Windows. In the end the server banner is being
600 looked at.
601 -4, --rc4, --appelbaum Checks which RC4 stream ciphers are being of‐
603 fered.
604 OUTPUT OPTIONS
606 -q, --quiet Normally testssl displays a banner on stdout with several
607 version information, usage rights and a warning. This option suppresses
608 it. Please note that by choosing this option you acknowledge usage
609 terms and the warning normally appearing in the banner.
610 --wide Except the "each cipher output" all tests displays the single
612 cipher name (scheme see below). This option enables testssl to display
613 also for the following sections the same output as for testing each ci‐
614 phers: BEAST, FS, RC4. The client simulation has also a wide mode. The
615 difference here is restricted to a column aligned output and a proper
616 headline. The environment variable WIDE can be used instead.
617 --mapping <openssl|iana|no-openssl|no-iana>
619 ○ openssl: use the OpenSSL cipher suite name as the primary name ci‐
621 pher suite name form (default),
622 ○ iana: use the IANA cipher suite name as the primary name cipher
624 suite name form.
625 ○ no-openssl: don't display the OpenSSL cipher suite name, display
627 IANA names only.
628 ○ no-iana: don't display the IANA cipher suite name, display OpenSSL
630 names only.
631 Please note that in testssl 3.0 you can still use rfc instead of iana
635 and no-rfc instead of no-iana but it'll disappear after 3.0.
636 --show-each This is an option for all wide modes only: it displays all
638 ciphers tested -- not only succeeded ones. SHOW_EACH_C is your friend
639 if you prefer to set this via the shell environment.
640 --color <0|1|2|3> determines the use of colors on the screen and in the
642 log file: 2 is the default and makes use of ANSI and termcap escape
643 codes on your terminal. 1 just uses non-colored mark-up like bold,
644 italics, underline, reverse. 0 means no mark-up at all = no escape
645 codes. This is also what you want when you want a log file without any
646 escape codes. 3 will color ciphers and EC according to an internal (not
647 yet perfect) rating. Setting the environment variable COLOR to the
648 value achieves the same result. Please not that OpenBSD and early Free‐
649 BSD do not support italics.
650 --colorblind Swaps green and blue colors in the output, so that this
652 percentage of folks (up to 8% of males, see
653 https://en.wikipedia.org/wiki/Color_blindness) can distinguish those
654 findings better. COLORBLIND is the according variable if you want to
655 set this in the environment.
656 --debug <0-6> This gives you additional output on the screen (2-6),
658 only useful for debugging. DEBUG is the according environment variable
659 which you can use. There are six levels (0 is the default, thus it has
660 no effect):
661 1. screen output normal but leaves useful debug output in
663 /tmp/testssl.XXXXXX/ . The info about the exact directory is in‐
664 cluded in the screen output in the end of the run.
665 2. lists more what's going on, status (high level) and connection er‐
667 rors, a few general debug output
668 3. even slightly more info: hexdumps + other info
670 4. display bytes sent via sockets
672 5. display bytes received via sockets
674 6. whole 9 yards
676 --disable-rating disables rating. Rating automatically gets disabled,
680 to not give a wrong or misleading grade, when not all required func‐
681 tions are executed (e.g when checking for a single vulnerabilities).
682 FILE OUTPUT OPTIONS
684 --log, --logging Logs stdout also to ${NODE}-p${port}${YYYYM‐
685 MDD-HHMM}.log in current working directory of the shell. Depending on
686 the color output option (see above) the output file will contain color
687 and other markup escape codes, unless you specify --color 0 too. cat
688 and -- if properly configured less -- will show the output properly
689 formatted on your terminal. The output shows a banner with the almost
690 the same information as on the screen. In addition it shows the command
691 line of the testssl instance. Please note that the resulting log file
692 is formatted according to the width of your screen while running
693 testssl. You can override the width with the environment variable
694 TERM_WIDTH.
695 --logfile <logfile> or -oL <logfile> Instead of the previous option you
697 may want to use this one if you want to log into a directory or if you
698 rather want to specify the log file name yourself. If logfile is a di‐
699 rectory the output will put into logfile/${NODE}-p${port}${YYYYM‐
700 MDD-HHMM}.log. If logfile is a file it will use that file name, an ab‐
701 solute path is also permitted here. LOGFILE is the variable you need to
702 set if you prefer to work environment variables instead. Please note
703 that the resulting log file is formatted according to the width of your
704 screen while running testssl. You can override the width with the envi‐
705 ronment variable TERM_WIDTH.
706 --json Logs additionally to JSON file ${NODE}-p${port}${YYYYM‐
708 MDD-HHMM}.json in the current working directory of the shell. The re‐
709 sulting JSON file is opposed to --json-pretty flat -- which means each
710 section is self contained and has an identifier for each single check,
711 the hostname/IP address, the port, severity and the finding. For vul‐
712 nerabilities it may contain a CVE and CWE entry too. The output doesn't
713 contain a banner or a footer.
714 --jsonfile <jsonfile> or -oj <jsonfile> Instead of the previous option
716 you may want to use this one if you want to log the JSON out put into a
717 directory or if you rather want to specify the log file name yourself.
718 If jsonfile is a directory the output will put into log‐
719 file/${NODE}-p${port}${YYYYMMDD-HHMM}.json. Ifjsonfile is a file it
720 will use that file name, an absolute path is also permitted here.
721 --json-pretty Logs additionally to JSON file ${NODE}-p${port}${YYYYM‐
723 MDD-HHMM}.json in the current working directory of the shell. The re‐
724 sulting JSON file is opposed to --json non-flat -- which means it is
725 structured. The structure contains a header similar to the banner on
726 the screen, including the command line, scan host, openssl binary used,
727 testssl version and epoch of the start time. Then for every test sec‐
728 tion of testssl it contains a separate JSON object/section. Each find‐
729 ing has a key/value pair identifier with the identifier for each single
730 check, the severity and the finding. For vulnerabilities it may contain
731 a CVE and CWE entry too. The footer lists the scan time in seconds.
732 --jsonfile-pretty <jsonfile> or -oJ <jsonfile> Similar to the aforemen‐
734 tioned --jsonfile or --logfile it logs the output in pretty JSON format
735 (see --json-pretty) into a file or a directory. For further explanation
736 see --jsonfile or --logfile.
737 --csv Logs additionally to a CSV file ${NODE}-p${port}${YYYYM‐
739 MDD-HHMM}.csv in the current working directory of the shell. The output
740 contains a header with the keys, the values are the same as in the flat
741 JSON format (identifier for each single check, the hostname/IP address,
742 the port, severity, the finding and for vulnerabilities a CVE and CWE
743 number).
744 --csvfile <csvfile> or -oC <csvfile> Similar to the aforementioned
746 --jsonfile or --logfile it logs the output in CSV format (see --cvs)
747 additionally into a file or a directory. For further explanation see
748 --jsonfile or --logfile.
749 --html Logs additionally to an HTML file ${NODE}-p${port}${YYYYM‐
751 MDD-HHMM}.html in the current working directory of the shell. It con‐
752 tains a 1:1 output of the console. In former versions there was a
753 non-native option to use "aha" (Ansi HTML Adapter:
754 github.com/theZiz/aha) like testssl [options] <URI> | aha >output.html.
755 This is not necessary anymore.
756 --htmlfile <htmlfile> or -oH <htmlfile> Similar to the aforementioned
758 --jsonfile or --logfile it logs the output in HTML format (see --html)
759 additionally into a file or a directory. For further explanation see
760 --jsonfile or --logfile.
761 -oA <filename> / --outFile <filename> Similar to nmap it does a file
763 output to all available file formats: LOG, JSON pretty, CSV, HTML. If
764 the filename supplied is equal auto the filename is automatically gen‐
765 erated using '${NODE}-p${port}${YYYYMMDD-HHMM}.${EXT}' with the accord‐
766 ing extension. If a directory is provided all output files will put
767 into <filename>/${NODE}-p${port}${YYYYMMDD-HHMM}.{log,json,csv,html}.
768 -oa <filename> / --outfile <filename> Does the same as the previous op‐
770 tion but uses flat JSON instead.
771 --hints This option is not in use yet. This option is meant to give
773 hints how to fix a finding or at least a help to improve something.
774 GIVE_HINTS is the environment variable for this.
775 --severity <severity> For CSV and both JSON outputs this will only add
777 findings to the output file if a severity is equal or higher than the
778 severity value specified. Allowed are <LOW|MEDIUM|HIGH|CRITICAL>. WARN
779 is another level which translates to a client-side scanning error or
780 problem. Thus you will always see them in a file if they occur.
781 --append Normally, if an output file already exists and it has a file
783 size greater zero, testssl will prompt you to manually remove the file
784 and exit with an error. --append however will append to this file,
785 without a header. The environment variable APPEND does the same. Be
786 careful using this switch/variable. A complementary option which over‐
787 writes an existing file doesn't exist per design.
788 --overwrite Normally, if an output file already exists and it has a
790 file size greater zero, testssl will not allow you to overwrite this
791 file. This option will do that without any warning. The environment
792 variable OVERWRITE does the same. Be careful, you have been warned!
793 --outprefix <fname_prefix> Prepend output filename prefix fname_prefix
795 before ${NODE}-. You can use as well the environment variable
796 FNAME_PREFIX. Using this any output files will be named <fname_pre‐
797 fix>-${NODE}-p${port}${YYYYMMDD-HHMM}.<format> when no file name of the
798 respective output option was specified. If you do not like the separa‐
799 tor '-' you can as well supply a <fname_prefix> ending in '.', '_' or
800 ','. In this case or if you already supplied '-' no additional '-' will
801 be appended to <fname_prefix>.
802 A few file output options can also be preset via environment variables.
804 COLOR RATINGS
806 Testssl.sh makes use of (the eight) standard terminal colors. The color
807 scheme is as follows:
808 ○ light red: a critical finding
810 ○ red: a high finding
812 ○ brown: a medium finding
814 ○ yellow: a low finding
816 ○ green (blue if COLORBLIND is set): something which is either in
818 general a good thing or a negative result of a check which other‐
819 wise results in a high finding
820 ○ light green (light blue if COLORBLIND is set) : something which is
822 either in general a very good thing or a negative result of a check
823 which otherwise results in a critical finding
824 ○ no color at places where also a finding can be expected: a finding
826 on an info level
827 ○ cyan: currently only used for --show-each or an additional hint
829 ○ magenta: signals a warning condition, e.g. either a local lack of
831 capabilities on the client side or another problem
832 ○ light magenta: a fatal error which either requires strict consent
834 from the user to continue or a condition which leaves no other
835 choice for testssl to quit
836 What is labeled as "light" above appears as such on the screen but is
840 technically speaking "bold". Besides --color=3 will color ciphers ac‐
841 cording to an internal and rough rating.
842 Markup (without any color) is used in the following manner:
844 ○ bold: for the name of the test
846 ○ underline + bold: for the headline of each test section
848 ○ underline: for a sub-headline
850 ○ italics: for strings just reflecting a value read from the server
852 TUNING via ENV variables and more options
856 Except the environment variables mentioned above which can replace com‐
857 mand line options here a some which cannot be set otherwise. Variables
858 used for tuning are preset with reasonable values. There should be no
859 reason to change them unless you use testssl under special conditions.
860 ○ TERM_WIDTH is a variable which overrides the auto-determined termi‐
862 nal width size. Setting this variable normally only makes sense if
863 you log the output to a file using the --log, --logfile or -oL op‐
864 tion.
865 ○ DEBUG_ALLINONE / SETX: when setting one of those to true testssl
867 falls back to the standard bash behavior, i.e. calling bash -x
868 testssl it displays the bash debugging output not in an external
869 file /tmp/testssl-<XX>.log
870 ○ DEBUGTIME: Profiling option. When using bash's debug mode and when
872 this is set to true, it generates a separate text file with epoch
873 times in /tmp/testssl-<XX>.time. They need to be concatenated by
874 paste /tmp/testssl-<XX>.{time,log} [comment]: # * FAST_SOCKET [com‐
875 ment]: # * SHOW_SIGALGO [comment]: # * FAST
876 ○ EXPERIMENTAL=true is an option which is sometimes used in the de‐
878 velopment process to make testing easier. In released versions this
879 has no effect.
880 ○ ALL_CLIENTS=true runs a client simulation with all (currently 126)
882 clients when testing HTTP.
883 ○ UNBRACKTD_IPV6: needs to be set to true for some old versions of
885 OpenSSL (like from Gentoo) which don't support [bracketed] IPv6 ad‐
886 dresses
887 ○ NO_ENGINE: if you have problems with garbled output containing the
889 word 'engine' you might want to set this to true. It forces testssl
890 not try to configure openssl's engine or a non existing one from
891 libressl
892 ○ HEADER_MAXSLEEP: To wait how long before killing the process to re‐
894 trieve a service banner / HTTP header
895 ○ MAX_WAITSOCK: It instructs testssl to wait until the specified time
897 before declaring a socket connection dead. Don't change this unless
898 you're absolutely sure what you're doing. Value is in seconds.
899 ○ CCS_MAX_WAITSOCK Is the similar to above but applies only to the
901 CCS handshakes, for both of the two the two CCS payload. Don't
902 change this unless you're absolutely sure what you're doing. Value
903 is in seconds.
904 ○ HEARTBLEED_MAX_WAITSOCK Is the similar to MAX_WAITSOCK but applies
906 only to the ServerHello after sending the Heartbleed payload. Don't
907 change this unless you're absolutely sure what you're doing. Value
908 is in seconds.
909 ○ MEASURE_TIME_FILE For seldom cases when you don't want the scan
911 time to be included in the output you can set this to false.
912 ○ STARTTLS_SLEEP is per default set to 10 (seconds). That's the value
914 testssl waits for a string in the STARTTLS handshake before giving
915 up.
916 ○ MAX_PARALLEL is the maximum number of tests to run in parallel in
918 parallel mass testing mode. The default value of 20 may be made
919 larger on systems with faster processors.
920 ○ MAX_WAIT_TEST is the maximum time (in seconds) to wait for a single
922 test in parallel mass testing mode to complete. The default is
923 1200. [comment]: # USLEEP_SND [comment]: # USLEEP_REC
924 ○ HSTS_MIN is preset to 179 (days). If you want warnings sooner or
926 later for HTTP Strict Transport Security you can change this.
927 ○ HPKP_MIN is preset to 30 (days). If you want warnings sooner or
929 later for HTTP Public Key Pinning you can change this
930 ○ DAYS2WARN1 is the first threshold when you'll be warning of a cer‐
932 tificate expiration of a host, preset to 60 (days). For Let's En‐
933 crypt this value will be divided internally by 2.
934 ○ DAYS2WARN2 is the second threshold when you'll be warning of a cer‐
936 tificate expiration of a host, preset to 30 (days). For Let's En‐
937 crypt this value will be divided internally by 2.
938 ○ TESTSSL_INSTALL_DIR is the derived installation directory of
940 testssl. Relatively to that the bin and mandatory etc directory
941 will be looked for.
942 ○ CA_BUNDLES_PATH: If you have an own set of CA bundles or you want
944 to point testssl to a specific location of a CA bundle, you can use
945 this variable to set the directory which testssl will use. Please
946 note that it overrides completely the builtin path of testssl which
947 means that you will only test against the bundles you point to.
948 Also you might want to use ~/utils/create_ca_hashes.sh to create
949 the hashes for HPKP.
950 ○ MAX_SOCKET_FAIL: A number which tells testssl how often a TCP
952 socket connection may fail before the program gives up and termi‐
953 nates. The default is 2. You can increase it to a higher value if
954 you frequently see a message like Fatal error: repeated openssl
955 s_client connect problem, doesn't make sense to continue.
956 ○ MAX_OSSL_FAIL: A number which tells testssl how often an OpenSSL
958 s_client connect may fail before the program gives up and termi‐
959 nates. The default is 2. You can increase it to a higher value if
960 you frequently see a message like Fatal error: repeated TCP connect
961 problems, giving up.
962 ○ MAX_HEADER_FAIL: A number which tells testssl how often a HTTP GET
964 request over OpenSSL may return an empty file before the program
965 gives up and terminates. The default is 3. Also here you can in‐
966 crease the threshold when you spot messages like Fatal error: re‐
967 peated HTTP header connect problems, doesn't make sense to con‐
968 tinue.
969 RATING
973 This program has a near-complete implementation of SSL Labs's 'SSL
974 Server Rating Guide https://github.com/ssllabs/re‐
975 search/wiki/SSL-Server-Rating-Guide'.
976 This is not a 100% reimplementation of the SSL Lab's SSL Server Test
978 https://www.ssllabs.com/ssltest/analyze.html, but an implementation of
979 the above rating specification, slight discrepancies may occur. Please
980 note that for now we stick to the SSL Labs rating as good as possible.
981 We are not responsible for their rating. Before filing issues please
982 inspect their Rating Guide.
983 Disclaimer: Having a good grade is NOT necessarily equal to having good
985 security! Don't start a competition for the best grade, at least not
986 without monitoring the client handshakes and not without adding a por‐
987 tion of good sense to it. Please note STARTTLS always results in a
988 grade cap to T. Anything else would lead to a false sense of security -
989 at least until we test for DANE or MTA-STS.
990 As of writing, these checks are missing: * GOLDENDOODLE - should be
992 graded F if vulnerable * Insecure renegotiation - should be graded F if
993 vulnerable * Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) -
994 should be graded F if vulnerable * Sleeping POODLE - should be graded F
995 if vulnerable * Zero Length Padding Oracle (CVE-2019-1559) - should be
996 graded F if vulnerable * Zombie POODLE - should be graded F if vulnera‐
997 ble * All remaining old Symantec PKI certificates are distrusted -
998 should be graded T * Symantec certificates issued before June 2016 are
999 distrusted - should be graded T * Anonymous key exchange - should give
1000 0 points in set_key_str_score() * Exportable key exchange - should give
1001 40 points in set_key_str_score() * Weak key (Debian OpenSSL Flaw) -
1002 should give 0 points in set_key_str_score()
1003 To implement a new grading cap, simply call the set_grade_cap() func‐
1005 tion, with the grade and a reason: bash set_grade_cap "D" "Vulnerable
1006 to documentation" To implement a new grade warning, simply call the
1007 set_grade_warning() function, with a message: bash set_grade_warning
1008 "Documentation is always right" #### Implementing a new check which
1009 contains grade caps When implementing a new check (be it vulnerability
1010 or not) that sets grade caps, the set_rating_state() has to be updated
1011 (i.e. the $do_mycheck variable-name has to be added to the loop, and
1012 $nr_enabled if-statement has to be incremented)
1013 The set_rating_state() automatically disables rating, if all the re‐
1015 quired checks are not enabled. This is to prevent giving out a mislead‐
1016 ing or wrong grade.
1017 When a new revision of the rating specification comes around, the fol‐
1019 lowing has to be done: * New grade caps has to be either: 1. Added to
1020 the script wherever relevant, or 2. Added to the above list of missing
1021 checks (if above is not possible) * New grade warnings has to be added
1022 wherever relevant * The revision output in run_rating() function has to
1023 updated
1024
1026 testssl testssl
1027 does a default run on https://testssl (protocols, standard cipher
1029 lists, server's cipher preferences, forward secrecy, server defaults,
1030 vulnerabilities, client simulation, and rating.
1031 testssl testssl.net:443
1034 does the same default run as above with the subtle difference that
1038 testssl.net has two IPv4 addresses. Both are tested.
1039 testssl --ip=one --wide https://testssl.net:443
1042 does the same checks as above, with the difference that one IP address
1046 is being picked randomly. Displayed is everything where possible in
1047 wide format.
1048 testssl -6 https://testssl.net
1051 As opposed to the first example it also tests the IPv6 part -- supposed
1055 you have an IPv6 network and your openssl supports IPv6 (see above).
1056 testssl -t smtp smtp.gmail.com:25
1059 Checks are done via a STARTTLS handshake on the plain text port 25. It
1063 checks every IP on smtp.gmail.com.
1064 testssl --starttls=imap imap.gmx.net:143
1067 does the same on the plain text IMAP port.
1071 Please note that for plain TLS-encrypted ports you must not specify the
1073 protocol option when no STARTTLS handshake is offered: testssl
1074 smtp.gmail.com:465 just checks the encryption on the SMTPS port,
1075 testssl imap.gmx.net:993 on the IMAPS port. Also MongoDB which provides
1076 TLS support without STARTTLS can be tested directly.
1077
1079 ○ RFC 2246: The TLS Protocol Version 1.0
1080 ○ RFC 2595: Using TLS with IMAP, POP3 and ACAP
1082 ○ RFC 2818: HTTP Over TLS
1084 ○ RFC 2830: Lightweight Directory Access Protocol (v3): Extension for
1086 Transport Layer Security
1087 ○ RFC 3207: SMTP Service Extension for Secure SMTP over Transport
1089 Layer Security
1090 ○ RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1
1092 ○ RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1
1094 ○ RFC 4366: Transport Layer Security (TLS) Extensions
1096 ○ RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for
1098 Transport Layer Security (TLS)
1099 ○ RFC 5077: Transport Layer Security (TLS) Session Resumption
1101 ○ RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
1103 ○ RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
1105 Certificate Revocation List (CRL) Profile
1106 ○ RFC 5321: Simple Mail Transfer Protocol
1108 ○ RFC 5746: Transport Layer Security (TLS) Renegotiation Indication
1110 Extension
1111 ○ RFC 5804: A Protocol for Remotely Managing Sieve Scripts
1113 ○ RFC 6066: Transport Layer Security (TLS) Extensions: Extension Def‐
1115 initions
1116 ○ RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0
1118 ○ RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core
1120 ○ RFC 6125: Domain-Based Application Service Identity [..]
1122 ○ RFC 6797: HTTP Strict Transport Security (HSTS)
1124 ○ RFC 6961: The Transport Layer Security (TLS) Multiple Certificate
1126 Status Request Extension
1127 ○ RFC 7469: Public Key Pinning Extension for HTTP (HPKP)
1129 ○ RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Pre‐
1131 venting Protocol Downgrade Attacks
1132 ○ RFC 7627: Transport Layer Security (TLS) Session Hash and Extended
1134 Master Secret Extension
1135 ○ RFC 7633: X.509v3 Transport Layer Security (TLS) Feature Extension
1137 ○ RFC 7465: Prohibiting RC4 Cipher Suites
1139 ○ RFC 7685: A Transport Layer Security (TLS) ClientHello Padding Ex‐
1141 tension
1142 ○ RFC 7905: ChaCha20-Poly1305 Cipher Suites for Transport Layer Secu‐
1144 rity (TLS)
1145 ○ RFC 7919: Negotiated Finite Field Diffie-Hellman Ephemeral Parame‐
1147 ters for Transport Layer Security
1148 ○ RFC 8143: Using Transport Layer Security (TLS) with Network News
1150 Transfer Protocol (NNTP)
1151 ○ RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3
1153 ○ RFC 8701: Applying Generate Random Extensions And Sustain Extensi‐
1155 bility (GREASE) to TLS Extensibility
1156 ○ W3C CSP: Content Security Policy Level 1-3
1158 ○ TLSWG Draft: The Transport Layer Security (TLS) Protocol Version
1160 1.3
1161
1165 ○ 0 testssl finished successfully without errors and without ambigu‐
1166 ous results
1167 ○ 1 testssl has encountered exactly one ambiguous situation or an er‐
1169 ror during run
1170 ○ 1+n same as previous. The errors or ambiguous results are added,
1172 also per IP.
1173 ○ 50-200 reserved for returning a vulnerability scoring for system
1175 monitoring or a CI tools
1176 ○ 242 (ERR_CHILD) Child received a signal from master
1178 ○ 244 (ERR_RESOURCE) Resources testssl needs couldn't be read
1180 ○ 245 (ERR_CLUELESS) Weird state, either though user options or
1182 testssl
1183 ○ 246 (ERR_CONNECT) Connectivity problem
1185 ○ 247 (ERR_DNSLOOKUP) Problem with resolving IP addresses or names
1187 ○ 248 (ERR_OTHERCLIENT) Other client problem
1189 ○ 249 (ERR_DNSBIN) Problem with DNS lookup binaries
1191 ○ 250 (ERR_OSSLBIN) Problem with OpenSSL binary
1193 ○ 251 (ERR_NOSUPPORT) Feature requested is not supported
1195 ○ 252 (ERR_FNAMEPARSE) Input file couldn't be parsed
1197 ○ 253 (ERR_FCREATE) Output file couldn't be created
1199 ○ 254 (ERR_CMDLINE) Cmd line couldn't be parsed
1201 ○ 255 (ERR_BASH) Bash version incorrect
1203
1207 etc/*pem are the certificate stores from Apple, Linux, Mozilla Firefox,
1208 Windows and Java.
1209 etc/client-simulation.txt contains client simulation data.
1211 etc/cipher-mapping.txt provides a mandatory file with mapping from
1213 OpenSSL cipher suites names to the ones from IANA / used in the RFCs.
1214 etc/tls_data.txt provides a mandatory file for ciphers (bash sockets)
1216 and key material.
1217
1219 Developed by Dirk Wetter, David Cooper and many others, see CREDITS.md
1220 .
1221
1223 Copyright © 2012 Dirk Wetter. License GPLv2: Free Software Foundation,
1224 Inc. This is free software: you are free to change and redistribute it
1225 under the terms of the license, see LICENSE.
1226 Attribution is important for the future of this project - also in the
1228 internet. Thus if you're offering a scanner based on testssl.sh as a
1229 public and/or paid service in the internet you are strongly encouraged
1230 to mention to your audience that you're using this program and where to
1231 get this program from. That helps us to get bugfixes, other feedback
1232 and more contributions.
1233 Usage WITHOUT ANY WARRANTY. USE at your OWN RISK!
1235
1237 All native Windows platforms emulating Linux are known to be slow.
1238
1240 Probably. Current known ones and interface for filing new ones:
1241 https://testssl.sh/bugs/ .
1242
1244 ciphers(1), openssl(1), s_client(1), x509(1), verify(1), ocsp(1),
1245 crl(1), bash(1) and the websites https://testssl.sh/ and
1246 https://github.com/drwetter/testssl.sh/ .
1247 December 2021 TESTSSL(1)