testssl.sh

mirror of https://github.com/drwetter/testssl.sh.git synced 2024-12-29 04:49:44 +01:00

Testing TLS/SSL encryption anywhere on any port. https://testssl.sh/

bigip caa cipher crime ct drown freak heartbleed hpkp hsts logjam ocsp openssl poodle rc4 robot socket ssl ticketbleed tls

Go to file

Dirk 8d65c67d50 - cleanup bin mess ;-), part 1		2015-09-03 12:39:03 +02:00
bin	- cleanup bin mess ;-), part 1	2015-09-03 12:39:03 +02:00
openssl-bins/openssl-1.0.2-chacha.pm	- cleanup bin mess ;-), part 1	2015-09-03 12:39:03 +02:00
utils	- cleanup bin mess ;-), part 1	2015-09-03 12:39:03 +02:00
CREDITS.md	update	2015-09-03 12:19:53 +02:00
LICENSE	Initial commit	2014-07-01 13:55:26 +02:00
mapping-rfc.txt	- stripping of leading 0 in testssl.sh needed to be reflected by this file	2014-11-18 11:04:57 +01:00
old.CHANGELOG.txt	Update old.CHANGELOG.txt	2015-07-30 09:29:42 +02:00
openssl-rfc.mappping.html	yet another GOST fine tuning thing	2015-07-20 20:49:31 +02:00
Readme.md	Update Readme.md	2015-08-28 15:09:53 +02:00
testssl.sh	typo, fix from Stefan Stidl (thx!)	2015-09-03 12:17:32 +02:00

Readme.md

Intro

testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. It's designed to provide clear output for your "is this good or bad" decision.

It is working on every Linux distribution out of the box with some limitations of disabled features from the openssl client -- some workarounds are done with bash-socket-based checks. It also works on BSD and other Unices out of the box, supposed they have /bin/bash and standard tools like sed and awk installed. MacOS X and Windows (using MSYS2) work too. OpenSSL version >= 1 is highly recommended. OpenSSL version >= 1.0.2 is needed for better LOGJAM checks and to display bit strengths for key exchanges.

On github you will find in the master branch the development version of the software -- with new features and maybe some bugs. For the stable version and a more thorough description of the software please see testssl.sh.

New features in the soon upcoming stable release 2.6 are:

display matching key (HPKP)
LOGJAM 1: check DHE_EXPORT cipher
LOGJAM 2: displays DH(/ECDH) bits in wide mode on negotiated ciphers
"wide mode" option for checks like RC4, BEAST. PFS. Displays hexcode, kx, strength, DH bits, RFC name
binary directory provides out of the box better binaries (Linux 32+64 Bit, Darwin 64 bit, FreeBSD 64 bit)
OS X binaries (@jvehent, new builds: @jpluimers)
ARM binaries (@f-s))
FreeBSD binary
TLS_FALLBACK_SCSV check -- Thx @JonnyHightower
(HTTP) proxy support! -- Thx @jnewbigin
Extended validation certificate detection
Run in default mode through all ciphers at the end of a default run
will test multiple IP adresses in one shot, --ip=<adress|"one"> restricts it accordingly
new mass testing file option --file option where testssl.sh commands are being read from, see https://twitter.com/drwetter/status/627619848344989696
TLS time and HTTP time stamps
TLS time displayed also for STARTTLS protocols
support of sockets for STARTTLS protocols (with exception of SSLv2 you need to supply EXPERIMENTAL=yes)
TLS 1.0-1.1 as socket checks per default in production
further detection of security relevant headers (reverse proxy, IPv4 addresses), proprietary banners (OWA, Liferay etc.)
can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML streams).
some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/)
lots of fixes, code improvements, even more robust

Currently we're running 2.6rc3. Latest bugs are being squashed, expect a soon release.

Contributions, feedback, also bug reports are welcome! For contributions please note: One patch per feature -- bug fix/improvement. Please test your changes thouroughly as reliability is important for this project.

Please file bug reports @ https://github.com/drwetter/testssl.sh/issues .

Update notification here or @ twitter.