Releases: testssl/testssl.sh
Version 2.9.5-5
This update contains a bugfix (and a clarification in help/documentation) only. It does not contain any new features.
The bug fix is for Mac OS X only. There was an error where MacOS X's date command hiccuped when a timezone conversion was requested but not supplied.
For a description of testssl.sh in general please see 2.9.5-1.
Please note this release still carries -4 as a minor version. Due to a "user error" v2.9.5-4 (deleted) was pointing to 2.9dev instead of 2.9.5.
Version 2.9.5-3
This update contains several bugfixes as opposed to 2.9.5-2. It does not contain any new features.
For more details about all fixes please see https://github.com/drwetter/testssl.sh/commits/2.9.5/testssl.sh (March 24, 2018 to February 19, 2018).
For a description of testssl.sh in general please see 2.9.5-1.
Version 2.9.5-2
This update contains several bugfixes as opposed to 2.9.5-1. It does not contain new features.
For more details about all fixes please see https://github.com/drwetter/testssl.sh/commits/2.9.5/testssl.sh (Feb 19, 2018 to Sep 20, 2017). For a description of testssl.sh in general please see 2.9.5-1.
Version 2.9.5-1
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.
Key features
- Clear output: you can tell easily whether anything is good or bad
- Ease of installation: It works for Linux, Darwin, FreeBSD, NetBSD and MSYS2/Cygwin out of the box: no need to install or configure anything, no gems, CPAN, pip or the like.
- Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443
- Toolbox: Several command line options help you to run YOUR test and configure YOUR output
- Reliability: features are tested thoroughly
- Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you'll get a warning
- Privacy: It's only you who sees the result, not a third party
- Freedom: It's 100% open source. You can look at the code, see what's going on and you can change it.
- Heck, even the development is open (github)
Compatibility
testssl.sh works on every Linux/BSD distribution out of the box. In 2.9.5 most of the limitations caused by disabled features in the openssl client are gone due to bash-socket-based checks. testssl.sh also works on other unixoid systems out of the box, provided they have /bin/bash and standard tools like sed and awk installed. System V needs to have GNU versions of grep installed. MacOS X and Windows (using MSYS2 or cygwin) work too. OpenSSL version >= 1.0.2 is recommended; you will get further with earlier openssl versions in this interim release though, as most of the checks in 2.9 are done via sockets.
Status
2.9.5 is an interim release snapshot from the current 2.9dev version. It has reached a point which is considered to be mature enough for day-to-day usage before taking the next step in the development of this project.
2.9.5 has fewer bugs and has evolved considerably since 2.8.
Features implemented in 2.9.5
- TLS 1.2 protocol check via socket in production
- Way better coverage of ciphers as most checks are done via sockets, using bash sockets wherever possible
- Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness)
- Testing 359 default ciphers (testssl.sh -e/-E) with a mixture of sockets and openssl. Same speed as with openssl only, but additional ciphers such as post-quantum ciphers, new CHACHA20/POLY1305, CamelliaGCM etc.
- Finding more TLS extensions via sockets
- TLS Supported Groups Registry (RFC 7919), key shares extension
- Non-flat JSON output support
- File output (CSV, JSON flat, JSON non-flat) supports a minimum severity level (only above supplied level there will be output)
- Native HTML support instead of going through 'aha'
- LUCKY13 and SWEET32 checks
- Ticketbleed check
- LOGJAM: now checking also for known DH parameters
- Support of supplying a timeout value for openssl connect -- useful for batch/mass scanning
- Check for CAA RR
- Check for OCSP must staple
- Check for Certificate Transparency
- Check for session resumption (Ticket, ID)
- Better formatting of output (indentation)
- Choice of showing the RFC naming scheme only
- Parallel mass testing
- File input for mass testing can also be in nmap grep(p)able (-oG) format
- Postgres and MySQL STARTTLS support
- Man page
Version 2.8
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.
Key features
- Clear output: you can tell easily whether anything is good or bad
- Ease of installation: It works for Linux, Darwin, FreeBSD, NetBSD and MSYS2/Cygwin out of the box: no need to install or configure something, no gems, CPAN, pip or the like.
- Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443
- Toolbox: Several command line options help you to run YOUR test and configure YOUR output
- Reliability: features are tested thoroughly
- Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you'll get a warning
- Privacy: It's only you who sees the result, not a third party
- Freedom: It's 100% open source. You can look at the code, see what's going on and you can change it.
- Heck, even the development is open (github)
Status
This is the stable version 2.8 of the software; it supersedes 2.6. 2.9dev is the new development branch. For a more thorough description of the command line options please see testssl.sh or https://github.com/drwetter/testssl.sh/wiki/Usage-Documentation.
Compatibility
testssl.sh works on every Linux/BSD distribution out of the box with some limitations caused by disabled features in the openssl client -- some workarounds are done with bash-socket-based checks. It also works on other unixoid systems out of the box, provided they have /bin/bash and standard tools like sed and awk installed. MacOS X and Windows (using MSYS2 or cygwin) work too. OpenSSL version >= 1 is a must. OpenSSL version >= 1.0.2 is needed for better LOGJAM checks and to display bit strengths for key exchanges.
Features in 2.8 stable
- Trust chain check against certificate stores from Apple (OS), Linux (OS), Microsoft (OS), Mozilla (Firefox Browser), works for openssl >=1.0.1
- IPv6 (status: 80% working, details see #11)
- works now on servers requiring a x509 certificate for authentication
- extensive CN+SAN <--> hostname check
- SSL Session ID check
- Avahi/mDNS based name resolution
- HTTP2/ALPN protocol check
- Logging to a file / dir
- Logging to (flat) JSON + CSV
- HPKP checks now also for Root, intermediate SPKIs
- Check for multiple server certificates
- Browser cipher simulation: what client will connect with which cipher + protocol
- GOST cipher+certificate improvements
- Assistance for color-blind users
- Even more compatibility improvements for FreeBSD, NetBSD, Gentoo, RH-ish, F5 and Cisco systems
- Considerable speed improvements for the each-cipher runs (-e/-E)
- More robust SSLv2 + TLS socket interface
- separate check for curves
- OpenSSL 1.1.0 compliant
- check for DROWN
- Whole number of bugs squashed
Contributions
Contributions, feedback and bug reports are welcome! For contributions please note: one patch per feature, bug fix or improvement. Please test your changes thoroughly as reliability is important for this project.
There's a coding guideline.
Please file bug reports @ https://github.com/drwetter/testssl.sh/issues.
Documentation
For a start see the wiki.
Help is needed here.
Bug reports
Please file bugs in the issue tracker. Do not forget to provide detailed information, see https://github.com/drwetter/testssl.sh/wiki/Bug-reporting. (Nobody can read your thoughts -- yet. And only agencies your screen) ;-)
External/related projects
Please address questions not specifically about the code of testssl.sh to the respective projects:
- Cool web frontend
- mass scanner w parallel scans and elastic searching the results
- Ready-to-go docker images are available at:
- Brew package
Version 2.6
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. It's designed to provide clear output in any case.
It works on every Linux distribution out of the box with some limitations caused by disabled features in the openssl client -- some workarounds are done with bash-socket-based checks. It also works on BSD and other Unices out of the box, provided they have /bin/bash and standard tools like sed and awk installed. MacOS X and Windows (using MSYS2 or cygwin) work too. OpenSSL version >= 1 is a must. OpenSSL version >= 1.0.2 is needed for better LOGJAM checks and to display bit strengths for key exchanges.
On github you will find in the master branch the development version of the software -- with new features and maybe some bugs. For the stable version and a more thorough description of the software please see testssl.sh.
New features in the stable release 2.6 are:
- display matching host key (HPKP)
- LOGJAM 1: check DHE_EXPORT cipher
- LOGJAM 2: displays DH(/ECDH) bits in wide mode on negotiated ciphers
- "wide mode" option for checks like RC4, BEAST, PFS. Displays hexcode, kx, strength, DH bits, RFC name
- binary directory provides out of the box better binaries (Linux 32+64 Bit, Darwin 64 bit, FreeBSD 64 bit)
- OS X binaries (@jvehent, new builds: @jpluimers)
- ARM binary (@f-s)
- (HTTP) proxy support, via openssl and sockets! -- Thx @jnewbigin
- TLS_FALLBACK_SCSV check -- Thx @JonnyHightower
- Extended validation certificate detection
- Run in default mode through all ciphers at the end of a default run
- will test multiple IP addresses in one shot, --ip=<address|"one"> restricts it accordingly
- new mass testing file option --file where testssl.sh commands are being read from, see https://twitter.com/drwetter/status/627619848344989696
- TLS time and HTTP time stamps
- TLS time displayed also for STARTTLS protocols
- support of sockets for STARTTLS protocols
- TLS 1.0-1.1 as socket checks per default in production
- further detection of security relevant headers (reverse proxy, IPv4 addresses), proprietary banners (OWA, Liferay etc.)
- can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML streams).
- quite some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/)
- lots of fixes, code improvements, even more robust
Contributions, feedback and bug reports are welcome! For contributions please note: one patch per feature, bug fix or improvement. Please test your changes thoroughly as reliability is important for this project.
Please file bug reports @ https://github.com/drwetter/testssl.sh/issues.
Update notification here or @ twitter.