From 5433272e2a1f1a6a81019acc028248a269b8d104 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 29 Aug 2014 15:03:55 +0200 Subject: [PATCH] --- README.html | 160 ---------------------------------------------------- 1 file changed, 160 deletions(-) delete mode 100755 README.html diff --git a/README.html b/README.html deleted file mode 100755 index 9ce61d8..0000000 --- a/README.html +++ /dev/null @@ -1,160 +0,0 @@ -
-testssl.sh is a free Unix command line tool which checks a server's service -on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. -It's designed to provide clear output for a "is this good or bad" decision. - -

-Standard call: testssl.sh <hostname> -It is working on every Linux distribution which has OpenSSL installed. As for security reasons some distributors -outphase the buggy stuff – and this is exactly you want to check for – it's recommended to compile OpenSSL by -yourself or check out the OpenSSL binaries below (Linux). You will get a warning though if your OpenSSL client -cannot perform a specific check, see below. - -
-
-testssl.sh is portable, it is supposed to work on -any other Unix system (preferably with GNU tools) and on cygwin, supposed it can find the OpenSSL binary. - -

-New features - - -

-

- -Calling - -

-Starting testssl.sh with no params will give you a clue how to use it: - -check each ciphers per protocol -
userid@somehost:~ % testssl.sh
-
-testssl.sh <options> URI
-
-where <options> is one of
-
-        <-h|--help>                 what you're looking at
-        <-b|--banner>               displays banner + version
-        <-v|--version>              same as above
-	<-V|--local>                pretty print all local ciphers
-	<-V|--local> <hexcode>      what cipher is <pattern hexcode>?
-
-        <-e|--each-cipher>          check each local ciphers remotely 
-        <-E|-ee|--cipher-per-proto> check those per protocol
-        <-f|--ciphers>              check cipher suites
-        <-p|--protocols>            check TLS/SSL protocols only
-        <-P|--preference>           displays the servers picks: protocol+cipher
-        <-y|--spdy>                 checks for SPDY/NPN
-        <-B|--heartbleed>           tests only for heartbleed vulnerability
-        <-I|--ccs|--ccs_injection>  tests only for CCS injection vulnerability
-        <-R|--renegotiation>        tests only for renegotiation vulnerability
-        <-C|--crime>                tests only for CRIME vulnerability
-	<-T|--breach>               tests only for BREACH vulnerability
-        <-s|--pfs|--fs|--nsa>       checks (perfect) forward secrecy settings
-        <-4|--rc4|--appelbaum>      which RC4 ciphers are being offered?
-        <-H|--header|--headers>     check for HSTS and server banner string
-
-URI is  host|host:port|URL|URL:port
-        (port 443 is assumed unless otherwise specified)
-
-        <-t|--starttls> host:port <ftp|smtp|pop3|imap|xmpp|telnet> *)  <SNI hostname>
-
-*) for STARTTLS telnet support you need a patched openssl version (to be provided soon)
-
-userid@somehost:~ %
- -Normal use case is probably just "testssl.sh <hostname>", see first picture above. "testssl.sh -E <hostname>" was used in the -second picture above. A STARTTLS check (see last picture) would be achieved with e.g. -
-testssl.sh --starttls <smtphostname>.<tld>:587 smtp
-testssl.sh -t <jabberhostname>.<tld>:5222 xmpp
-testssl.sh --starttls <pophostname>.<tld>:110  pop3
-
-As the help says: Currently only one option at a time works. -
-A maybe neat feature: If you want to find out what local ciphers you have and -print them pretty, use "testssl.sh -V". Ever wondered what hexcode a cipher is? -"testssl.sh -V 9f" lets you search for the hexcode 9f. If you have the file -"mapping-rfc.txt" in the same directory "testssl.sh -V" displays the matching RFC style cipher -suite name. Also during every cipher suite test the corresponding RFC style name is -displayed. It's a broad output. If you don't want this, you need to move mapping-rfc.txt -away -- for now. -

Got it so far? Good.
- -STARTTLS check with Ubuntu's 12.04 OpenSSL, no recompiled OpenSSL -
-
-Hint regarding OpenSSL binary - -

-As mentioned above, a prerequisite for thoroughly checking SSL/TLS enabled servers is: all you want to check for has to be -available on your client. Transport encryption is not only depending on the server but also on your crypto provider on the client side – -especially if you want to use it for testing. -So there are drawbacks out of the Linux distributions boxes -- so to speak: - -Thus the signed tarball provides specially compiled statically linked (except glibc and the loader) -OpenSSL binaries as a courtesy. If you don't want this, you'll get a warning in magenta, see picture on the right hand side. -You'll need to unpack the binaries, dump the one you need either in the same location as testssl.sh, named just "openssl" or "openssl.`uname -m`". -You can also tell testssl.sh via environment variable where your openssl binary is: -
export OPENSSL=<path_to_myopenssl>
before you use testssl. Or issue
OPENSSL=<path_to_myopenssl> testssl.sh <hostname>
- -Don't try outdated OpenSSL versions before 1.0! Those versions are deprecated, you likely will not get very far. testssl.sh is not locking -those out but things might not work as expected. Support will be retired soon. - - -

-Misc - -

-Feedback, bugs and contributions are appreciated, see contact in testssl.sh (dirk aet testssl dot sh). -

- -I post all significant updates on Twitter (@drwetter). -  -
-
-
Imprint  
-
-
- - -
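Review bot: the commit message is empty (the Subject line reads only "[PATCH]" with no body), so this hunk, which deletes README.html in full, records no reason for the removal or where its contents now live. The deleted file was the documentation for the option list (`-e`, `-E`, `-p`, `-B`, `-I`, `-R`, `-C`, `-T`, `-s`, `-4`, `-H`), the STARTTLS calls (`testssl.sh --starttls <smtphostname>.<tld>:587 smtp`), the `mapping-rfc.txt` lookup and the `export OPENSSL=<path_to_myopenssl>` hint for pointing the script at a statically linked OpenSSL build. Please add a message that says whether an equivalent README replaces it (and names that file) or that the documentation is intentionally dropped, so users relying on the OpenSSL-binary guidance and the "only one option at a time works" caveat are not left without a reference.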