man testssl (1): Command line tool to check TLS/SSL ciphers, protocols and cryptographic flaws

DESCRIPTION

testssl is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.

Key features:

* Clear output: you can tell easily whether anything is good or bad

* Ease of installation: It works for Linux, Darwin, FreeBSD and MSYS2/Cygwin out of the box: no need to install or configure something, no gems, CPAN, pip or the like.

* Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443

* Toolbox: Several command line options help you to run YOUR test and configure YOUR output

* Reliability: features are tested thoroughly

* Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you'll get a warning

* Privacy: It's only you who sees the result, not a third party

* Freedom: It's 100% open source. You can look at the code, see what's going on and you can change it. Heck, even the development is open (github)

-h, --help: what you're looking at
-b, --banner: displays banner + version of testssl
-v, --version: same as previous
-V, --local: pretty print all local ciphers
-V, --local <pattern>: which local ciphers with <pattern> are available? (if pattern not a number: word match)

testssl <options> URI ("testssl URI" does everything except -E)

-e, --each-cipher: checks each local cipher remotely
-E, --cipher-per-proto: checks those per protocol
-f, --ciphers: checks common cipher suites
-p, --protocols: checks TLS/SSL protocols
-S, --server_defaults: displays the servers default picks and certificate info
-P, --preference: displays the servers picks: protocol+cipher
-y, --spdy, --npn: checks for SPDY/NPN
-x, --single-cipher <pattern> tests matched <pattern> of ciphers: (if <pattern> not a number: word match)
-U, --vulnerable: tests all vulnerabilities
-B, --heartbleed: tests for heartbleed vulnerability
-I, --ccs, --ccs-injection: tests for CCS injection vulnerability
-R, --renegotiation: tests for renegotiation vulnerabilities
-C, --compression, --crime: tests for CRIME vulnerability
-T, --breach: tests for BREACH vulnerability
-O, --poodle: tests for POODLE (SSL) vulnerability
-Z, --tls-fallback: checks TLS_FALLBACK_SCSV mitigation
-F, --freak: tests for FREAK vulnerability
-A, --beast: tests for BEAST vulnerability
-J, --logjam: tests for LOGJAM vulnerability
-s, --pfs, --fs,--nsa: checks (perfect) forward secrecy settings
-4, --rc4, --appelbaum: which RC4 ciphers are being offered?
-H, --header, --headers: tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address
: special invocations:
-t, --starttls <protocol>: does a default run against a STARTTLS enabled <protocol>
--xmpphost <to_domain>: for STARTTLS enabled XMPP it supplies the XML stream to-'' domain -- sometimes needed
--mx <domain/host>: tests MX records from high to low priority (STARTTLS, port 25)
--ip <ipv4>: a) tests the supplied <ipv4> instead of resolving host(s) in URI b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
--file <file name>: mass testing option: Just put multiple testssl command lines in <file name>, one line per instance. Comments via # allowed, EOF signals end of <file name>.

partly mandatory parameters:

URI: host|host:port|URL|URL:port (port 443 is assumed unless otherwise specified)
pattern: an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits
protocol: is one of ftp,smtp,pop3,imap,xmpp,telnet,ldap (for the latter two you need e.g. the supplied openssl)

tuning options:

--assuming-http: if protocol check fails it assumes HTTP protocol and enforces HTTP checks
--ssl-native: fallback to checks with OpenSSL where sockets are normally used
--openssl <PATH>: use this openssl binary (default: look in $PATH, $RUN_DIR of testssl
--proxy <host>:<port>: connect via the specified HTTP proxy
--sneaky: be less verbose wrt referer headers
--quiet: don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
--wide: wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
--show-each: for wide outputs: display all ciphers tested -- not only succeeded ones
--warnings <batch|off|false>: "batch" doesn't wait for keypress, "off" or "false" skips connection warning
--color <0|1|2>: 0: no escape or other codes, 1: b/w escape codes, 2: color (default)
--debug <0-6>: 1: screen output normal but debug output in temp files. 2-6: see line ~105

All options requiring a value can also be called with '=' (e.g. testssl -t=,smtp/ --wide --openssl=/usr/bin/openssl <URI>. <URI> is always the last parameter.

Need HTML output? Just pipe through "aha" (Ansi HTML Adapter: github.com/theZiz/aha) like

: "testssl <options> <URI> | aha >output.html"

AUTHOR

This manual page was written by ChangZhuo Chen <[email protected]> for the Debian GNU/Linux system (but may be used by others).

DESCRIPTION

AUTHOR

LAST SEARCHED