How to use the command testssl (with examples)

The command testssl is used to check the SSL/TLS protocols and ciphers supported by a server. It provides detailed information about the security configuration of a server and helps identify any vulnerabilities that may exist. By running testssl on a server, you can ensure that it is properly configured and secure for handling sensitive data.

Use case 1: Test a server (run every check) on port 443

Code:

testssl example.com

Motivation: This use case is helpful when you want a comprehensive security assessment of a server. Running testssl against a host name or IP address, optionally followed by a port number (443 is the default), performs a thorough test of the server's SSL/TLS protocols, ciphers, vulnerabilities, and more.

Explanation: The command testssl example.com executes the testssl script, specifying the domain name or IP address of the server to be tested. If the server is listening on a different port, you can specify it using the : separator after the domain name (e.g., example.com:465).

Use case 2: Test a different port

Code:

testssl example.com:465

Motivation: In certain cases, servers are not listening on the default HTTPS port (443). This use case shows how to specify a different port when running testssl. By appending the port to the host name, you can test the SSL/TLS configuration of services that run on non-standard ports.

Explanation: The testssl example.com:465 command checks the server specified by example.com but connects to port 465 instead of the default port 443. Replace 465 with the desired port number.

Use case 3: Only check available protocols

Code:

testssl --protocols example.com

Motivation: In some scenarios, you are only interested in which SSL/TLS protocol versions a server supports. This use case limits the run to the protocol checks and keeps the other results out of the report.

Explanation: The testssl --protocols example.com command runs testssl on the specified server and displays information only about the supported SSL/TLS protocols. This excludes other checks, such as ciphers, vulnerabilities, and HTTP security headers.

Use case 4: Only check vulnerabilities

Code:

testssl --vulnerable example.com

Motivation: If you want to quickly identify potential vulnerabilities in the SSL/TLS configuration of a server, this use case is suitable. By running the testssl command with the --vulnerable option, you can obtain an overview of any security weaknesses that may exist.

Explanation: The testssl --vulnerable example.com command performs a vulnerability assessment on the specified server and reports any vulnerabilities found. This test includes checks for issues such as weak ciphers, insecure protocols, certificate validation, and more.

Use case 5: Only check HTTP security headers

Code:

testssl --headers example.com

Motivation: Checking HTTP security headers is crucial for maintaining a secure web server configuration. This use case allows you to focus exclusively on verifying the presence and correctness of these headers.

Explanation: The testssl --headers example.com command inspects the specified server's HTTP security headers. It primarily checks for the presence and correctness of headers such as HSTS, Content-Security-Policy (CSP), and X-Frame-Options.
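
Use cases 3, 4 and 5 each produce a report that is meant to be read by eye. The script below is an added example, not part of the original article and not testssl's own code: it takes the JSON that testssl can write alongside its report (the assumption here is the real `--jsonfile <file>` option, which emits a flat JSON array of findings with `id`, `ip`, `port`, `severity` and `finding` fields) and turns the protocol, vulnerability and header findings into a pass/fail result that can gate a deployment. The embedded `SAMPLE_JSON` is a constructed stand-in for such a file, with an invented host and made-up results; the helper names (`triage`, `exit_code`, and so on) are this example's own.

```python
"""Triage the JSON that testssl writes, so protocol, vulnerability and header
findings can gate a deployment instead of being read by eye.

Assumption (stated here, not taken from the article): testssl's --jsonfile <file>
option writes a flat JSON array of findings, each with "id", "ip", "port",
"severity" and "finding" fields. SAMPLE_JSON below is a constructed stand-in for
such a file; it is not the output of a real scan.
"""
import json
import sys

# Constructed sample in the shape of `testssl --jsonfile out.json example.com`.
# Host, address and results are invented for illustration.
SAMPLE_JSON = """[
  {"id": "service", "ip": "example.com/203.0.113.10", "port": "443", "severity": "INFO", "finding": "HTTP"},
  {"id": "SSLv2", "ip": "example.com/203.0.113.10", "port": "443", "severity": "OK", "finding": "not offered"},
  {"id": "SSLv3", "ip": "example.com/203.0.113.10", "port": "443", "severity": "OK", "finding": "not offered"},
  {"id": "TLS1", "ip": "example.com/203.0.113.10", "port": "443", "severity": "LOW", "finding": "offered (deprecated)"},
  {"id": "TLS1_1", "ip": "example.com/203.0.113.10", "port": "443", "severity": "LOW", "finding": "offered (deprecated)"},
  {"id": "TLS1_2", "ip": "example.com/203.0.113.10", "port": "443", "severity": "OK", "finding": "offered"},
  {"id": "TLS1_3", "ip": "example.com/203.0.113.10", "port": "443", "severity": "OK", "finding": "offered (final)"},
  {"id": "heartbleed", "ip": "example.com/203.0.113.10", "port": "443", "severity": "OK", "finding": "not vulnerable, no heartbeat extension"},
  {"id": "SWEET32", "ip": "example.com/203.0.113.10", "port": "443", "severity": "LOW", "finding": "uses 64 bit block ciphers"},
  {"id": "BREACH", "ip": "example.com/203.0.113.10", "port": "443", "severity": "MEDIUM", "finding": "potentially VULNERABLE, gzip HTTP compression detected"},
  {"id": "HSTS", "ip": "example.com/203.0.113.10", "port": "443", "severity": "HIGH", "finding": "not offered"},
  {"id": "X-Frame-Options", "ip": "example.com/203.0.113.10", "port": "443", "severity": "INFO", "finding": "DENY"}
]"""

# Ranking of the severity labels testssl uses for rated findings. Labels that
# describe the tool run rather than the target (DEBUG, WARN) are left unrated.
SEVERITY_RANK = {"INFO": 0, "OK": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Finding ids used for the protocol checks (the part --protocols prints).
PROTOCOL_IDS = ("SSLv2", "SSLv3", "TLS1", "TLS1_1", "TLS1_2", "TLS1_3")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLS1", "TLS1_1"}


def offered_protocols(findings):
    """Protocol ids the server accepted, in the order testssl reports them."""
    return [f["id"] for f in findings
            if f["id"] in PROTOCOL_IDS and f["finding"].startswith("offered")]


def legacy_protocols_offered(findings):
    """Subset of offered protocols that a modern server should have disabled."""
    return [p for p in offered_protocols(findings) if p in LEGACY_PROTOCOLS]


def findings_at_or_above(findings, threshold="MEDIUM"):
    """Rated findings whose severity is at least `threshold`."""
    minimum = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], -1) >= minimum]


def triage(json_text, threshold="MEDIUM"):
    """Parse a testssl JSON file and summarise what needs attention."""
    findings = json.loads(json_text)
    return {
        "offered": offered_protocols(findings),
        "legacy": legacy_protocols_offered(findings),
        "flagged": [(f["id"], f["severity"], f["finding"])
                    for f in findings_at_or_above(findings, threshold)],
    }


def exit_code(report):
    """0 when nothing is flagged and no legacy protocol is on; 1 otherwise."""
    return 1 if report["flagged"] or report["legacy"] else 0


def main(argv):
    # Pass the path written by `testssl --jsonfile out.json example.com`;
    # with no argument the constructed sample above is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_JSON
    threshold = argv[2] if len(argv) > 2 else "MEDIUM"
    report = triage(text, threshold)
    print("protocols offered:", ", ".join(report["offered"]) or "none")
    print("legacy protocols still on:", ", ".join(report["legacy"]) or "none")
    for fid, sev, finding in report["flagged"]:
        print(f"[{sev}] {fid}: {finding}")
    return exit_code(report)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python triage.py out.json HIGH` to fail only on HIGH and CRITICAL findings, or with no arguments to see it flag the constructed sample (TLS 1.0 and 1.1 still enabled, BREACH at MEDIUM, missing HSTS at HIGH). Legacy protocols are reported separately from the severity threshold on purpose: testssl rates a deprecated protocol as LOW, so a MEDIUM gate alone would let it through.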

Conclusion:

The testssl command is a versatile tool for assessing the SSL/TLS security configuration of a server. With various options, you can conduct comprehensive tests or focus on specific aspects such as protocols, vulnerabilities, or HTTP security headers. Regular testing using testssl helps ensure that your servers are properly configured and secure.
