testssl.sh/Readme.md

47 lines
3.2 KiB
Markdown
Raw Normal View History

2014-07-02 09:40:02 +02:00
## Intro
2015-01-27 23:45:51 +01:00
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/drwetter/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
2015-04-16 21:05:23 +02:00
`testssl.sh` is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. It's designed to provide clear output for your "is this good or bad" decision.
2014-07-02 09:40:02 +02:00
It is working on every Linux distribution out of the box with some limitations of disabled features from the openssl client -- some workarounds are done with bash-socket-based checks. It also works on BSD and other Unices out of the box, supposed they have `/bin/bash` and standard tools like sed and awk installed. MacOS X and Windows (using MSYS2) work too. OpenSSL version >= 1 is highly recommended. OpenSSL version >= 1.0.2 is needed for better LOGJAM checks and to display bit strengths for key exchanges.
2014-07-02 09:40:02 +02:00
2015-01-26 12:37:00 +01:00
On github you will find in the master branch the development version of the software -- with new features and maybe some bugs. For the stable version and a more thorough description of the software please see [testssl.sh](https://testssl.sh/ "Go to the site with the stable version and more documentation").
2015-01-16 17:16:22 +01:00
New features in the soon upcoming stable release 2.6 are:
2015-05-17 22:56:38 +02:00
2015-05-25 21:41:45 +02:00
* display matching key (HPKP)
2015-07-06 20:49:58 +02:00
* LOGJAM 1: check DHE_EXPORT cipher
* LOGJAM 2: displays DH(/ECDH) bits in wide mode on negotiated ciphers
2015-07-08 11:35:29 +02:00
* "wide mode" option for checks like RC4, BEAST. PFS. Displays hexcode, kx, strength, DH bits, RFC name
* binary directory provides out of the box better binaries (Linux 32+64 Bit, Darwin 64 bit, FreeBSD 64 bit)
* OS X binaries (@jvehent, new builds: @jpluimers)
* ARM binaries (@f-s))
2015-07-17 12:10:42 +02:00
* TLS_FALLBACK_SCSV check -- Thx @JonnyHightower
* (HTTP) proxy support! -- Thx @jnewbigin
* Extended validation certificate detection
2015-07-06 20:49:58 +02:00
* Run in default mode through all ciphers at the end of a default run
2015-07-17 12:10:42 +02:00
* will test multiple IP adresses in one shot, --ip=<adress|"one"> restricts it accordingly
* provide a --file option where testssl.sh commands are being read from -- for mass testing
2015-07-17 12:10:42 +02:00
* can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML streams).
2015-08-02 01:36:50 +02:00
* mass testing file option ``--file``, see https://twitter.com/drwetter/status/627619848344989696
* TLS time and HTTP time stamps
* TLS time displayed also for STARTTLS protocols
* support of sockets for STARTTLS protocols (with exception of SSLv2 you need to supply EXPERIMENTAL=yes)
* TLS 1.0-1.1 as socket checks per default in production
* further detection of security relevant headers (reverse proxy, IPv4 addresses), proprietary banners (OWA, Liferay etc.)
* LibreSSL fixes, still not recommended to use though (see https://testssl.sh/)
* lots of fixes, code improvements
2015-05-25 21:41:45 +02:00
2015-08-04 13:44:54 +02:00
Currently we're running 2.6rc1. means it's feature freeze and latest bugs are being squashed.
2015-05-17 22:56:38 +02:00
2015-04-16 21:05:23 +02:00
2015-08-02 01:36:50 +02:00
Contributions, feedback, also bug reports are welcome! For contributions please note: One patch per feature -- bug fix/improvement. Please test your changes thouroughly as reliability is important for this project.
2015-05-29 13:37:37 +02:00
Please file bug reports @ https://github.com/drwetter/testssl.sh/issues .
2014-07-02 09:40:02 +02:00
2015-04-10 10:13:30 +02:00
Update notification here or @ [twitter](https://twitter.com/drwetter).
2014-07-02 09:40:02 +02:00