Configs · May 9, 2026 · 3 min read

testssl.sh — TLS/SSL Server Testing from the Command Line

A portable Bash script that checks TLS/SSL services for protocol support, cipher strength, vulnerabilities, and certificate issues without external dependencies.

Introduction

testssl.sh is a free command-line tool that tests a TLS/SSL server for supported protocols, ciphers, known vulnerabilities, and certificate chain issues. It runs as a single Bash script with no dependencies beyond OpenSSL or LibreSSL, making it ideal for security audits and CI pipelines.

What testssl.sh Does

  • Enumerates supported TLS/SSL protocols from SSLv2 through TLS 1.3
  • Tests all cipher suites and rates them by strength and forward secrecy
  • Checks for known vulnerabilities: Heartbleed, POODLE, ROBOT, DROWN, BEAST, CRIME, and more
  • Validates the certificate chain including expiry, SANs, OCSP stapling, and CT logs
  • Reports HTTP security headers like HSTS, HPKP, and CSP

Architecture Overview

testssl.sh is a monolithic Bash script that opens raw TCP connections using OpenSSL s_client and custom socket-level probes. It sends handshake packets with specific protocol versions and cipher lists, parses server responses byte by byte, and evaluates results against an internal knowledge base of vulnerabilities and best practices. No daemon, no compile step, no runtime other than Bash and a basic OpenSSL binary.

Self-Hosting & Configuration

  • Clone the repo or run the Docker image; no installation step required
  • Use --file to batch-test multiple hosts from a list
  • Export results with --jsonfile, --csvfile, or --htmlfile for integration
  • Run --fast to skip less critical checks and reduce scan time
  • Use --starttls for testing mail servers, FTP, LDAP, and other non-HTTPS protocols

Key Features

  • Zero dependencies: works on any system with Bash and OpenSSL
  • Comprehensive vulnerability checks updated with each release
  • Parallel scanning mode for testing multiple hosts concurrently
  • Machine-readable JSON and CSV output for automation
  • Docker image available for ephemeral, reproducible scans

Comparison with Similar Tools

  • SSL Labs (Qualys) — web-based scanner; testssl.sh runs locally and works on internal servers
  • Nmap ssl-enum-ciphers — Nmap script with basic cipher checks; testssl.sh is far more thorough
  • sslyze — Python-based TLS scanner; testssl.sh has no Python dependency
  • TLS-Scanner (TU Darmstadt) — Java-based research tool; testssl.sh is lighter and more portable
  • CipherScan (Mozilla) — focused on cipher enumeration; testssl.sh also tests vulnerabilities and headers

FAQ

Q: Can I test internal servers not reachable from the internet? A: Yes. testssl.sh runs locally, so it can reach any server your machine can connect to, including internal and air-gapped networks.

Q: How long does a full scan take? A: A comprehensive scan typically takes 2-5 minutes per host. Use --fast to reduce it to about one minute.

Q: Does it test STARTTLS services like SMTP? A: Yes. Use --starttls smtp (or imap, ftp, ldap, etc.) to test services that upgrade plaintext connections to TLS.

Q: Is the output machine-parseable? A: Yes. Use --jsonfile or --csvfile for structured output suitable for dashboards and alerting.
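Added example, not code from this page or from the testssl.sh project: a small Python gate for a CI job that reads the flat array written by --jsonfile, lists findings at or above a severity threshold, keeps WARN entries (checks the scanner could not complete) apart from real weaknesses, and returns a non-zero status when something needs attention. The record layout (id, ip, port, severity, finding) and the check ids in the constructed sample are assumptions modelled on the tool's conventions, not copied from a real scan.

```python
import json
from typing import Dict, List

# Severity labels as assumed from testssl.sh --jsonfile records. WARN is not ranked:
# it marks a check that could not run and is reported separately, not scored.
SEVERITY_RANK = {"DEBUG": 0, "INFO": 1, "OK": 2, "LOW": 3,
                 "MEDIUM": 4, "HIGH": 5, "CRITICAL": 6}

def load(json_text: str) -> List[Dict]:
    """Parse the flat array written by --jsonfile (not the --jsonfile-pretty tree)."""
    return json.loads(json_text)

def triage(findings: List[Dict], threshold: str = "MEDIUM") -> List[Dict]:
    """Findings at or above `threshold`, worst first (stable within one severity)."""
    floor = SEVERITY_RANK[threshold]
    hits = [f for f in findings if SEVERITY_RANK.get(f.get("severity"), -1) >= floor]
    return sorted(hits, key=lambda f: -SEVERITY_RANK[f["severity"]])

def warnings(findings: List[Dict]) -> List[str]:
    """Checks the scanner flagged as WARN, e.g. a test it could not complete."""
    return [f"{f['id']}: {f.get('finding', '')}"
            for f in findings if f.get("severity") == "WARN"]

def report(findings: List[Dict], threshold: str = "MEDIUM") -> List[str]:
    """One line per actionable finding: host:port severity id: finding."""
    return [f"{f.get('ip', '?')}:{f.get('port', '?')} {f['severity']} "
            f"{f['id']}: {f.get('finding', '')}" for f in triage(findings, threshold)]

def gate(json_text: str, threshold: str = "MEDIUM") -> int:
    """CI exit status: 0 when nothing reaches `threshold`, otherwise 1."""
    return 1 if triage(load(json_text), threshold) else 0

# Constructed sample in the shape of:  testssl.sh --jsonfile out.json scan.example
HOST = "scan.example/203.0.113.10"
SAMPLE = json.dumps([
    {"id": "service", "ip": HOST, "port": "443", "severity": "INFO", "finding": "HTTP"},
    {"id": "SSLv2", "ip": HOST, "port": "443", "severity": "OK", "finding": "not offered"},
    {"id": "TLS1", "ip": HOST, "port": "443", "severity": "LOW", "finding": "offered (deprecated)"},
    {"id": "heartbleed", "ip": HOST, "port": "443", "severity": "OK",
     "finding": "not vulnerable, no heartbeat extension"},
    {"id": "ROBOT", "ip": HOST, "port": "443", "severity": "HIGH", "finding": "VULNERABLE"},
    {"id": "cert_expirationStatus", "ip": HOST, "port": "443", "severity": "CRITICAL",
     "finding": "expired"},
    {"id": "OCSP_stapling", "ip": HOST, "port": "443", "severity": "WARN",
     "finding": "could not be tested"},
])

if __name__ == "__main__":
    data = load(SAMPLE)
    print("\n".join(report(data)))          # CRITICAL and HIGH lines, worst first
    print("scanner warnings:", warnings(data))
    raise SystemExit(gate(SAMPLE))          # exits 1 for this sample
```

Point the gate at the real file with `gate(open("out.json").read(), "HIGH")` and pick the threshold that matches your policy; the WARN list tells you when a clean result is really an untested check.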
