How to use the command 'testssl' (with examples)

How to use the command 'testssl' (with examples)

Testssl is a powerful command-line tool designed to test and analyze the configuration of SSL/TLS on a server. It provides detailed insights into the security protocols and ciphers supported by a server, identifies potential vulnerabilities, and verifies HTTP security headers. By using this tool, server administrators can ensure that their systems are compliant with security standards and protected against various attack vectors.

Use case 1: Test a server (run every check) on port 443

Code:

testssl example.com

Motivation: Running every check available using testssl on a standard port (443, for HTTPS traffic) provides a comprehensive security assessment. This full scan is crucial for understanding the security posture of any public-facing server and ensuring there are no weak points in the SSL/TLS configuration.

Explanation:

  • testssl: This is the command to execute the testssl script.
  • example.com: This specifies the domain name of the server you wish to check. By omitting a port number after the domain, it defaults to port 443, which is the standard HTTPS port.

Example Output:

Start 2023-10-10 18:45:56 
Testing example.com (61.9.234.16) using SNI name: example.com on port 443
...       
 Testing protocols via sockets except NPN+ALPN                                                                                                               
 SSLv2      not offered (OK)                                                                                                                               
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)                                                                                                                            
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK)
...

Use case 2: Test a different port

Code:

testssl example.com:465

Motivation: Testing a server on a non-standard port is essential. Ports like 465 are often used for protocols like SMTP over SSL. It’s important to ensure that these alternative ports are also securely configured.

Explanation:

  • testssl: The command to initiate the testssl script.
  • example.com:465: Indicates the server domain and the specific port number (465) to test, which is known for SMTP over SSL.

Example Output:

Start 2023-10-10 18:50:21 
Testing example.com (61.9.234.16) using SNI name: example.com on port 465
...       
 Testing protocols via sockets except NPN+ALPN                                                                                                               
 SSLv2      not offered (OK)                                                                                                                               
 SSLv3      not offered (OK)
 TLS 1      not offered (deprecated)
 TLS 1.1    offered (deprecated)
...

Use case 3: Only check available protocols

Code:

testssl --protocols example.com

Motivation: Checking only the available protocols helps in verifying that the server is not supporting outdated or vulnerable protocols that can be exploited by attackers.

Explanation:

  • testssl: Begins the testssl script execution.
  • --protocols: Limits the check to only list available SSL/TLS protocols supported by the server.
  • example.com: The domain whose protocol support we are testing.

Example Output:

Test protocols for example.com (61.9.234.16):
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK)

Use case 4: Only check vulnerabilities

Code:

testssl --vulnerable example.com

Motivation: To ensure a server is fortified against known vulnerabilities, administrators might choose to scan specifically for weaknesses. This keeps the server resilient against known attacks such as Heartbleed, POODLE, and DROWN.

Explanation:

  • testssl: The command initiating the script.
  • --vulnerable: Option that instructs testssl to specifically check for known vulnerabilities.
  • example.com: Domain of the server being assessed for vulnerabilities.

Example Output:

 Vulnerabilities
 Heartbleed (CVE-2014-0160)                not vulnerable (OK)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
...

Use case 5: Only check HTTP security headers

Code:

testssl --headers example.com

Motivation: HTTP security headers are vital for protecting web applications against various attacks, including XSS, clickjacking, and data injection. Ensuring these headers are properly configured is a best practice in web security.

Explanation:

  • testssl: To start running the testssl script.
  • --headers: Option restricting the checks to HTTP security headers only.
  • example.com: Represents the domain name of the server whose HTTP security headers you are verifying.

Example Output:

HTTP security headers:
Strict-Transport-Security   max-age=63072000; includeSubdomains; preload 
Content-Security-Policy     default-src 'none'; script-src 'self'
X-Content-Type-Options      nosniff 
X-Frame-Options             SAMEORIGIN
X-XSS-Protection            1; mode=block

Use case 6: Test other STARTTLS enabled protocols

Code:

testssl --starttls smtp example.com:587

Motivation: For servers that use STARTTLS to upgrade a plaintext connection to a secure one, it is critical to ensure these protocols are securely configured. This test helps verify such configurations, particularly important for email services.

Explanation:

  • testssl: Begins the execution of the testssl script.
  • --starttls smtp: Specifies that the STARTTLS capability for the SMTP protocol should be checked.
  • example.com:587: The domain and port checked, with 587 typically used for SMTP with STARTTLS.

Example Output:

 StartTLS for smtp commenced
...
 Testing protocols via STARTTLS on smtp                                                                                                               
 SSLv2      not offered (OK)                                                                                                                               
 SSLv3      not offered (OK)
 TLS 1      not offered (deprecated)
 TLS 1.1    offered (deprecated)
 TCP support                          found (OK)
...

Conclusion:

Testssl provides a comprehensive suite of tests designed to evaluate the security configuration of SSL/TLS across various domains and ports. By understanding and utilizing these specific use cases, server administrators can diagnose and fortify their server setups, ensuring protection from vulnerabilities and compliance with best security practices. Whether testing a standard configuration or focusing on specific components such as protocols or vulnerabilities, testssl proves to be an indispensable tool in the realm of cybersecurity.

Related Posts

Exploring the Applications of Microcom (with examples)

Exploring the Applications of Microcom (with examples)

Microcom is a lightweight terminal program that enables users to connect to remote devices through serial, CAN, or telnet connections directly from the console.

Read More
How to use the command `wf-recorder` (with examples)

How to use the command `wf-recorder` (with examples)

wf-recorder is a tool specifically designed for the Wayland display server protocol, allowing users to record their screen activities seamlessly.

Read More
How to use the command 'orca-c' (with examples)

How to use the command 'orca-c' (with examples)

Orca-c is a C-port of the ORCA live programming environment, a unique esoteric programming language known for creating procedural sequencers.

Read More