Category: Vulnerability Analysis
Tags: tls, ssl, ciphers, protocols, vulnerabilities, starttls, cryptography

testssl.sh

Command line tool that checks a server's support for TLS/SSL ciphers and protocols and tests it for recent cryptographic flaws.

Description

testssl.sh is a free command line tool which checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more. Key features include clear output to easily identify good or bad results, ease of installation across multiple platforms without additional dependencies, flexibility to test any SSL/TLS enabled or STARTTLS service, and a reliable toolbox of command line options.

It tests web servers on port 443 as well as other services that upgrade via STARTTLS, such as FTP, SMTP, IMAP and XMPP. It covers protocols, ciphers, forward secrecy and vulnerabilities such as Heartbleed and CCS injection, and can write its findings as JSON, CSV or a log file. Results are visible only to the user running the tool, and the code is fully open source for inspection and modification.

Ideal for security assessments of SSL/TLS configurations across diverse services, ensuring compliance with modern cryptographic standards and identifying implementation flaws.

How It Works

testssl.sh uses the local OpenSSL to connect to the target and probe the TLS/SSL protocols, cipher suites and vulnerabilities it supports. It performs individual cipher checks, protocol negotiation including ALPN/HTTP2/SPDY, forward secrecy evaluation, and specific vulnerability tests such as Heartbleed, CCS injection, Ticketbleed, ROBOT and renegotiation issues. It supports STARTTLS upgrades for services on ports other than 443 and can test a domain's MX records. Because the checks depend on what the local OpenSSL build can do, it warns when a client-side feature is missing; behaviour is configurable via environment variables, and proxies are supported.

Installation

sudo apt install testssl.sh

Flags

--help
    Displays help information
-b, --banner
    Displays banner + version of testssl
-v, --version
    Displays version information
-V, --local [pattern]
    Pretty prints all local ciphers (of openssl only). If a search pattern is supplied: case-insensitive word pattern of the cipher hexcode or any other string in its name, kx or bits
-t, --starttls <protocol>
    Does a run against a STARTTLS enabled service, where <protocol> is one of ftp, smtp, lmtp, pop3, imap, xmpp, xmpp-server, telnet, ldap, nntp, sieve, postgres, mysql
--xmpphost <to_domain>
    For STARTTLS xmpp or xmpp-server checks, supplies the domain name (like SNI)
--mx <domain/host>
    Tests MX records from high to low priority (STARTTLS, port 25)
--file/-iL <fname>
    Mass testing option: reads one testssl.sh command line per line from <fname>. Can be combined with --serial or --parallel
-e, --each-cipher
    Checks each local cipher remotely
-E, --cipher-per-proto
    Checks those per protocol
-s, --std, --categories
    Tests standard cipher categories by strength
-f, --fs, --forward-secrecy
    Checks forward secrecy settings
-p, --protocols
    Checks TLS/SSL protocols (including ALPN/HTTP2 and SPDY)
-g, --grease
    Tests several server implementation bugs like GREASE and size limitations
-S, --server-defaults
    Displays the server's default picks and certificate info
-P, --server-preference
    Displays the server's picks: protocol+cipher
-U, --vulnerable
    Tests all vulnerabilities (if applicable)
-H, --heartbleed
    Tests for Heartbleed vulnerability
-I, --ccs, --ccs-injection
    Tests for CCS injection vulnerability
-T, --ticketbleed
    Tests for Ticketbleed vulnerability in BigIP load balancers
--BB, --robot
    Tests for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability
--SI, --starttls-injection
    Tests for STARTTLS injection issues
-R, --renegotiation
    Tests for renegotiation vulnerabilities
-C, --compression, --crime
    Tests for CRIME vulnerability (TLS compression issue)
-9, --full
    Includes tests for implementation bugs and cipher per protocol
--json
    Additional output of findings to flat JSON file
--csv
    Additional output of findings to CSV file
--log, --logging
    Logs stdout to a timestamped log file in the current working directory

Examples

Full test of URI (host|host:port|URL|URL:port), port 443 default, URL must be HTTPS:
    testssl [options] <URI>
Displays complete help information:
    testssl --help
Displays banner and version:
    testssl -b
Pretty prints all local OpenSSL ciphers:
    testssl -V
Tests SMTP STARTTLS service:
    testssl -t smtp <host>
Tests MX records for STARTTLS support:
    testssl --mx example.com
Mass testing from file with one command per line:
    testssl --file targets.txt
Tests each cipher and protocols for target:
    testssl -e -p example.com
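As an added example that is not part of the testssl.sh project or of this page: a POSIX sh wrapper that runs a scan with flat JSON output and turns HIGH/CRITICAL findings into a failing exit status, so the scan can gate a deployment. The host example.com, the output path under /tmp, the script name tls_gate.sh and the embedded sample JSON are constructed for illustration; the record layout follows testssl.sh's flat JSON (one key per line, with id, ip, port, severity and finding), and --jsonfile is the testssl.sh option that writes that JSON to a chosen path.

```shell
#!/bin/sh
# tls_gate.sh: added example, not part of testssl.sh or of this page.
# Runs testssl.sh with flat JSON output and fails when any finding is rated
# HIGH or CRITICAL. Host, output path and the sample data below are
# constructed for illustration.

# Count the findings in a testssl.sh flat JSON file whose severity is $2.
# The flat JSON writes one key/value pair per line, so a line-based grep is
# sufficient; `grep -c` prints 0 but exits 1 on no match, hence `|| true`.
count_findings() {
    file=$1
    sev=$2
    grep -c "\"severity\"[[:space:]]*:[[:space:]]*\"$sev\"" "$file" || true
}

# Return 0 when no finding is HIGH or CRITICAL, 1 otherwise. testssl.sh
# rates findings DEBUG, INFO, OK, LOW, MEDIUM, HIGH, CRITICAL or WARN.
gate() {
    high=$(count_findings "$1" HIGH)
    crit=$(count_findings "$1" CRITICAL)
    [ "$high" -eq 0 ] && [ "$crit" -eq 0 ]
}

# Print "<id>:<severity>" for every HIGH/CRITICAL finding. Each record
# lists "id" before "severity", so remember the last id seen.
list_hits() {
    awk -F'"' '
        /"id"/       { id = $4 }
        /"severity"/ { if ($4 == "HIGH" || $4 == "CRITICAL") print id ":" $4 }
    ' "$1"
}

# Constructed sample in the shape of testssl.sh flat JSON (not a real scan).
write_sample() {
    cat > "$1" <<'EOF'
[
          {
              "id"           : "service",
              "ip"           : "example.com/192.0.2.10",
              "port"         : "443",
              "severity"     : "INFO",
              "finding"      : "HTTP"
          }
,         {
              "id"           : "SSLv3",
              "ip"           : "example.com/192.0.2.10",
              "port"         : "443",
              "severity"     : "HIGH",
              "finding"      : "offered"
          }
,         {
              "id"           : "heartbleed",
              "ip"           : "example.com/192.0.2.10",
              "port"         : "443",
              "severity"     : "OK",
              "finding"      : "not vulnerable, no heartbeat extension"
          }
]
EOF
}

# Usage: sh tls_gate.sh <host>   (defaults to the placeholder example.com)
main() {
    host=${1:-example.com}
    out="/tmp/testssl-$host.json"   # assumed output location
    rm -f "$out"                    # testssl.sh will not overwrite an existing JSON file
    # -p: protocols, -U: all vulnerability checks, --jsonfile: flat JSON to a chosen path
    testssl -p -U --jsonfile "$out" "$host"
    if gate "$out"; then
        echo "OK: no HIGH or CRITICAL findings for $host"
    else
        echo "FAIL: HIGH/CRITICAL findings for $host:"
        list_hits "$out"
        exit 1
    fi
}

# Only run the scan when invoked as the script itself.
case "$0" in *tls_gate.sh) main "$@" ;; esac
```

The gate reads severities rather than parsing the coloured terminal output, which is what makes it stable across testssl.sh versions; if only the JSON matters, testssl.sh's own --severity option can drop the lower-rated findings from the file before this script sees it.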
Updated 2025-Dec-09 (source: kali.org)