mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-29 12:59:44 +01:00
This commit is contained in:
parent
98b7e390f1
commit
7776ae2181
160
README.html
160
README.html
@ -1,160 +0,0 @@
|
||||
<br>
|
||||
<strong>testssl.sh</strong> is a <a href="LICENSE.txt" title="GPL v2">free</a> Unix command line tool which checks a server's service
|
||||
on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.
|
||||
It's designed to provide clear output for a "is this good or bad" decision.
|
||||
|
||||
<br><br>
|
||||
<a href="testssl-standard.png"><img src="testssl-standard.50p.png" title="Standard call: testssl.sh <hostname>"
|
||||
onmouseover="this.src='testssl-standard.png'" onmouseout="this.src='testssl-standard.50p.png';"
|
||||
style="box-shadow: 0 5px 5px 5px #AAAAAA; border: 0px solid; margin-left:25px; margin-right:15px; margin-bottom:10px; float:right" alt="Standard call: testssl.sh <hostname>"></a>
|
||||
It is working on every Linux distribution which has OpenSSL installed. As for security reasons some distributors
|
||||
outphase the buggy stuff – and this is exactly you want to check for – it's recommended to compile OpenSSL by
|
||||
yourself or check out the OpenSSL binaries below (Linux). You will get a warning though if your OpenSSL client
|
||||
cannot perform a specific check, see below.
|
||||
|
||||
<br>
|
||||
<br>
|
||||
testssl.sh is portable, it is supposed to work on
|
||||
any other Unix system (preferably with GNU tools) and on cygwin, supposed it can find the OpenSSL binary.
|
||||
|
||||
<br><br>
|
||||
<strong>New features</strong>
|
||||
<ul>
|
||||
<li>2.0: Features: <ul>
|
||||
<li>SNI</li>
|
||||
<li>STARTTLS</li>
|
||||
<li>server preferences for protocols and ciphers</li>
|
||||
<li>checks for: RC4, PFS, SPDY</li>
|
||||
<li>web and app server banner, HSTS</li>
|
||||
<li>server key size</li>
|
||||
<li>TLS session tickets</li>
|
||||
<li>TLS server extensions</li>
|
||||
<li>heartbleed check from <a href="https://testssl.sh/bash-heartbleed.sh">bash-heartbleed.sh</a> with shell only SSL handshake!</li>
|
||||
<li>CCS check from <a href="https://testssl.sh/ccs-injection.sh">ccs-injection.sh</a> with shell only SSL handshake!</li>
|
||||
<li>somewhat smart check for BREACH vulnerability</li>
|
||||
<li>prelease of cipher suites name space mapping OpenSSL <--> RFC</li>
|
||||
<li>aaand: neat output</li>
|
||||
</ul
|
||||
</li>
|
||||
<li>1.40: cleanups, path of URL supplied on the command line (is ignored for now) </li>
|
||||
<li>1.30: can test now for cipher suites / protocols only, tests for tls v1.1/v1.2 , -a/--all renamed </li>
|
||||
<li>1.21: CRIME support, see http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512.</li>
|
||||
<li>1.18: Rearragement of arguments: URI comes now always last. NOPARANOID flag tells whether medium grade ciphers are ok. </li>
|
||||
<li>1.17: tests now for renegotiation vulnerabity, see (<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555" target="_blank" title="opens in new tab/window">CVE-2009-3555)</a></li>
|
||||
<li>1.16: Invoking options changed with this release. Port and hostname / URL will be accepted only as one argument. major code cleanups. Also
|
||||
checks now whether SSL is listening on the server side at all. <i>-a</i>/<i>--all</i> tests cipher by cipher now.</li>
|
||||
<li>[..]</li>
|
||||
<li>More see <a href="CHANGELOG.txt">CHANGELOG</a>.</li>
|
||||
</ul>
|
||||
|
||||
<p style="clear:left"></p>
|
||||
<br><br>
|
||||
|
||||
<strong>Calling</strong>
|
||||
|
||||
<br><br>
|
||||
Starting testssl.sh with no params will give you a clue how to use it:
|
||||
|
||||
<a href="testssl-E.png"><img src="testssl-E.33p.png" title="check each ciphers per protocol" onmouseover="this.src='testssl-E.png'" onmouseout="this.src='testssl-E.33p.png';"
|
||||
style="box-shadow: 0 5px 5px 5px #AAAAAA; border: 0px solid; margin-left:10px; margin-bottom:10px; margin-right:25px; float:right" alt="check each ciphers per protocol"></a>
|
||||
<pre>userid@<strong>somehost</strong>:~ % testssl.sh
|
||||
|
||||
testssl.sh <options> URI
|
||||
|
||||
where <options> is <strong>one</strong> of
|
||||
|
||||
<-h|--help> what you're looking at
|
||||
<-b|--banner> displays banner + version
|
||||
<-v|--version> same as above
|
||||
<-V|--local> pretty print all local ciphers
|
||||
<-V|--local> <hexcode> what cipher is <pattern hexcode>?
|
||||
|
||||
<-e|--each-cipher> check each local ciphers remotely
|
||||
<-E|-ee|--cipher-per-proto> check those per protocol
|
||||
<-f|--ciphers> check cipher suites
|
||||
<-p|--protocols> check TLS/SSL protocols only
|
||||
<-P|--preference> displays the servers picks: protocol+cipher
|
||||
<-y|--spdy> checks for SPDY/NPN
|
||||
<-B|--heartbleed> tests only for heartbleed vulnerability
|
||||
<-I|--ccs|--ccs_injection> tests only for CCS injection vulnerability
|
||||
<-R|--renegotiation> tests only for renegotiation vulnerability
|
||||
<-C|--crime> tests only for CRIME vulnerability
|
||||
<-T|--breach> tests only for BREACH vulnerability
|
||||
<-s|--pfs|--fs|--nsa> checks (perfect) forward secrecy settings
|
||||
<-4|--rc4|--appelbaum> which RC4 ciphers are being offered?
|
||||
<-H|--header|--headers> check for HSTS and server banner string
|
||||
|
||||
URI is host|host:port|URL|URL:port
|
||||
(port 443 is assumed unless otherwise specified)
|
||||
|
||||
<-t|--starttls> host:port <ftp|smtp|pop3|imap|xmpp|telnet> *) <SNI hostname>
|
||||
|
||||
*) for STARTTLS telnet support you need a patched openssl version (to be provided soon)
|
||||
|
||||
userid@<strong>somehost</strong>:~ %</pre>
|
||||
|
||||
Normal use case is probably just "testssl.sh <hostname>", see first picture above. "testssl.sh -E <hostname>" was used in the
|
||||
second picture above. A STARTTLS check (see last picture) would be achieved with e.g.
|
||||
<pre>
|
||||
testssl.sh --starttls <smtphostname>.<tld>:587 smtp
|
||||
testssl.sh -t <jabberhostname>.<tld>:5222 xmpp
|
||||
testssl.sh --starttls <pophostname>.<tld>:110 pop3
|
||||
</pre>
|
||||
As the help says: Currently only one option at a time works.
|
||||
<br>
|
||||
A maybe neat feature: If you want to find out what local ciphers you have and
|
||||
print them pretty, use "testssl.sh -V". Ever wondered what hexcode a cipher is?
|
||||
"testssl.sh -V 9f" lets you search for the hexcode 9f. If you have the file
|
||||
"mapping-rfc.txt" in the same directory "testssl.sh -V" <a
|
||||
href="https://twitter.com/drwetter/status/456126567547039744/photo/1"
|
||||
title="picture" target="_blank">displays</a> the matching RFC style cipher
|
||||
suite name. Also during every cipher suite test the corresponding RFC style name is
|
||||
displayed. It's a broad output. If you don't want this, you need to move mapping-rfc.txt
|
||||
away -- for now.
|
||||
<br><br> Got it so far? Good. <br>
|
||||
|
||||
<a href="testssl-starttls-localssl.png"><img src="testssl-starttls-localssl.25p.png" title="STARTTLS check with Ubuntu's 12.04 OpenSSL"
|
||||
onmouseover="this.src='testssl-starttls-localssl.png'" onmouseout="this.src='testssl-starttls-localssl.25p.png'"
|
||||
style="box-shadow: 0 5px 5px 5px #AAAAAA; border: 0px solid; margin-left:10px; margin-bottom:10px; margin-right:35px; margin-top:15px; float:left" alt="STARTTLS check with Ubuntu's 12.04 OpenSSL, no recompiled OpenSSL"></a>
|
||||
<br>
|
||||
<br>
|
||||
<strong>Hint regarding OpenSSL binary</strong>
|
||||
|
||||
<br><br>
|
||||
As mentioned above, a prerequisite for thoroughly checking SSL/TLS enabled servers is: all you want to check for has to be
|
||||
available on your client. Transport encryption is not only depending on the server but also on your crypto provider on the client side –
|
||||
especially if you want to use it for testing.
|
||||
So there are drawbacks out of the Linux distributions boxes -- so to speak:
|
||||
<ul>
|
||||
<li> one cannot check 56 Bit ciphers as they are disabled during compile time. </li>
|
||||
<li> some ciphers are disabled for security reasons, </li>
|
||||
<li> support maybe not included (to disable CRIME)</li>
|
||||
<li> and last but not least: SSLv2 seems to be outphased too, <a href="https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/955675" title="Ubuntu's Lauchpad: not even the manpage is updated since 2 years" target="_blank">Ubuntu</a> started this.</li>
|
||||
</ul>
|
||||
Thus the <a href="openssl-1.0.2-beta1.linux64_32bit.tar.gz.asc" title="GPG signed">signed</a> tarball provides specially compiled statically linked (except glibc and the loader)
|
||||
<a href="openssl-1.0.2-beta1.linux64_32bit.tar.gz">OpenSSL binaries</a> as a courtesy. If you don't want this, you'll get a warning in magenta, see picture on the right hand side.
|
||||
You'll need to unpack the binaries, dump the one you need either in the same location as testssl.sh, named just "openssl" or "openssl.`uname -m`".
|
||||
You can also tell testssl.sh via environment variable where your openssl binary is:
|
||||
<pre>export OPENSSL=<path_to_myopenssl></pre> before you use testssl. Or issue <pre>OPENSSL=<path_to_myopenssl> testssl.sh <hostname></pre>
|
||||
|
||||
Don't try outdated OpenSSL versions before 1.0! Those versions are deprecated, you likely will not get very far. testssl.sh is not locking
|
||||
those out but things might not work as expected. Support will be retired soon.
|
||||
|
||||
|
||||
<br><br>
|
||||
<strong>Misc</strong>
|
||||
|
||||
<br><br>
|
||||
Feedback, bugs and contributions are appreciated, see contact in <a href="testssl.sh" type="text/plain">testssl.sh</a> (<i>dirk aet testssl dot sh</i>).
|
||||
<br><br>
|
||||
|
||||
I post all significant updates on Twitter (<a href="http://twitter.com/drwetter" title="@drwetter" target="_blank">@drwetter</a>).
|
||||
|
||||
<br>
|
||||
<br>
|
||||
<div style="color: #999999; font-size: 11px; text-align: right;"><a href="http://drwetter.eu/neu/impressum.shtml">Imprint</a> </div>
|
||||
<hr>
|
||||
<br>
|
||||
<!-- $Id: README.html,v 1.35 2014/06/15 20:07:18 dirkw Exp $ -->
|
||||
</html>
|
||||
</body>
|
Loading…
Reference in New Issue
Block a user