testssl.sh Commands
Free command-line tool for checking TLS/SSL ciphers, protocols, and cryptographic flaws on any server port
Basic Usage
Test a single host
testssl.sh example.comRun all default checks against port 443. Tests protocols, ciphers, vulnerabilities, and certificate details.
Test a specific port
testssl.sh example.com:8443Test a non-standard HTTPS port. Append the port number after a colon.
Test an IP address
testssl.sh 192.168.1.1:443Test by IP address. The port defaults to 443 when omitted, as it does for hostnames. With a bare IP there is no hostname to send as SNI, so a server that hosts several TLS sites on one address may answer with its default certificate; in that case pass the hostname together with --ip instead (see Specify SNI hostname below).
Quiet mode (less output)
testssl.sh --quiet example.comDon't print the banner. Passing --quiet also counts as acknowledging the usage terms the banner normally shows, which is why it is the usual choice for scripts (combine it with --warnings batch).
Save results as JSON
testssl.sh --jsonfile results.json example.comWrite findings to a JSON file. Ideal for parsing results programmatically or feeding into CI/CD pipelines.
Save results as CSV
testssl.sh --csvfile results.csv example.comWrite findings to a CSV file. Useful for importing into spreadsheets or databases.
Save results as HTML
testssl.sh --htmlfile results.html example.comGenerate an HTML report with color-coded findings. Useful for sharing with stakeholders.
Combine multiple output formats
testssl.sh --jsonfile results.json --csvfile results.csv --htmlfile results.html example.comGenerate JSON, CSV, and HTML output simultaneously from a single scan run.
Protocol Testing
Test all protocols
testssl.sh -p example.comCheck which SSL/TLS protocols are offered (SSLv2, SSLv3, TLS 1.0 through 1.3), each reported as offered or not offered, and also report NPN/SPDY and ALPN/HTTP2 support. Long form: --protocols.
Check a single protocol version
testssl.sh --color 0 -p example.com | grep -E '^ *(SSLv2|SSLv3|TLS 1 |TLS 1\.1)'testssl.sh has no per-protocol switches such as --ssl3 or --tls1; -p always probes every version. To look at one version, filter the terminal output as above (--color 0 keeps escape codes out of the pipe) or read the id field of --jsonfile output, where the protocol findings are named SSLv2, SSLv3, TLS1, TLS1_1, TLS1_2 and TLS1_3. What the result should look like per version:
SSLv2: insecure by design and the precondition for DROWN; must be disabled.
SSLv3: vulnerable to POODLE; must be disabled.
TLS 1.0 and TLS 1.1: deprecated by RFC 8996; PCI DSS and most other compliance standards require them disabled, and current browsers no longer negotiate them.
TLS 1.2: the most widely deployed secure version; acceptable with a modern cipher selection.
TLS 1.3: the current version, with a shorter handshake and only AEAD ciphers with forward secrecy.
Cipher Testing
Test all ciphers per protocol
testssl.sh -E example.comCheck each cipher individually, once per protocol version (--cipher-per-proto). The most comprehensive and the slowest cipher test; add --show-each to also list the ciphers the server rejected.
Test cipher suites per protocol (condensed)
testssl.sh -e example.comCheck each cipher individually without the per-protocol breakdown (--each-cipher). Faster than -E, since every cipher is tried once rather than once per protocol; also accepts --show-each.
Check for NULL ciphers
testssl.sh -x NULL example.comTest only the cipher suites whose name matches the pattern given to -x (--single-cipher), here the NULL suites that provide no encryption. These should never be offered. Note that --std takes no argument; per-category tests are done with -x.
Check for anonymous ciphers
testssl.sh -x ADH example.comTest the anonymous Diffie-Hellman suites, which provide no server authentication and are therefore trivially man-in-the-middle-able. Repeat with -x AECDH for the anonymous elliptic-curve variants.
Check for export ciphers
testssl.sh -x EXP example.comTest the export-grade suites with deliberately reduced key lengths. The FREAK and Logjam downgrade attacks depend on a server still offering them.
Check all standard cipher categories
testssl.sh --std example.comRun the cipher-category checks (also -s or --standard): NULL, anonymous, export, LOW (64-bit block ciphers, DES, RC2/RC4, MD5), 3DES/IDEA, obsolete CBC suites, and strong AEAD suites with and without forward secrecy. This check is part of the default run.
Vulnerability Testing
Test all vulnerabilities
testssl.sh -U example.comRun every vulnerability check (--vulnerable): Heartbleed, CCS injection, Ticketbleed, ROBOT, secure renegotiation, CRIME, BREACH, POODLE, TLS_FALLBACK_SCSV, SWEET32, FREAK, DROWN, Logjam, BEAST, LUCKY13, Winshock and RC4. Checks that do not apply to the service (BREACH on a non-HTTP port, for example) are skipped.
Test for Heartbleed (CVE-2014-0160)
testssl.sh --heartbleed example.comCheck for the Heartbleed vulnerability in OpenSSL. Allows attackers to read server memory contents.
Test for CCS Injection (CVE-2014-0224)
testssl.sh --ccs-injection example.comCheck for the ChangeCipherSpec injection vulnerability. Allows man-in-the-middle attacks on OpenSSL connections.
Test for Ticketbleed (CVE-2016-9244)
testssl.sh --ticketbleed example.comCheck for Ticketbleed, a bug in the TLS session ticket handling of F5 BIG-IP products that returns up to 31 bytes of uninitialized server memory in the session ID field of a resumed handshake.
Test for ROBOT vulnerability
testssl.sh --robot example.comCheck for Return Of Bleichenbacher Oracle Threat. Allows decryption of RSA key exchange ciphertext.
Test for CRIME vulnerability
testssl.sh --crime example.comCheck for CRIME, i.e. whether TLS-level compression is enabled (also -C or --compression). BREACH, the HTTP-compression variant that recovers secrets from compressed response bodies, is a separate check, --breach (-B); it needs an HTTP service and is included in -U.
Test for POODLE vulnerability
testssl.sh --poodle example.comCheck for POODLE (Padding Oracle On Downgraded Legacy Encryption) against SSLv3, i.e. whether SSLv3 with a CBC cipher is offered (also -O). The TLS variant of POODLE, which depends on broken padding checks in particular implementations, is not covered by this switch.
Test for DROWN vulnerability
testssl.sh --drown example.comCheck for Decrypting RSA with Obsolete and Weakened eNcryption. Tests if SSLv2 exposure can compromise TLS sessions.
Test for FREAK vulnerability
testssl.sh --freak example.comCheck for Factoring RSA Export Keys vulnerability. Allows downgrade to weak export-grade RSA keys.
Test for Logjam vulnerability
testssl.sh --logjam example.comCheck for Logjam vulnerability that exploits weak Diffie-Hellman key exchange with export-grade parameters.
Test for BEAST vulnerability
testssl.sh --beast example.comCheck for Browser Exploit Against SSL/TLS. Exploits CBC cipher vulnerability in TLS 1.0 and earlier.
Test for Lucky13 vulnerability
testssl.sh --lucky13 example.comCheck for Lucky Thirteen timing attack on CBC mode ciphers in TLS and DTLS.
Test for RC4 cipher usage
testssl.sh --rc4 example.comCheck if the server offers RC4 cipher suites. RC4 has known biases and is prohibited by RFC 7465.
Certificate Analysis
Display certificate information
testssl.sh -S example.comShow detailed certificate information including subject, issuer, validity dates, SANs, key size, signature algorithm, and trust chain.
Check certificate chain completeness
testssl.sh -S example.comThe -S output reports how many certificates the server sends and whether a chain of trust can be built from them against the bundled CA stores, so a missing intermediate shows up as a chain-of-trust failure. (--show-each is a cipher-listing option for -e and -E; it has no effect on certificate output.)
Certificate transparency and OCSP stapling
testssl.sh -S example.comThe -S output includes Certificate Transparency (SCT) details and OCSP stapling status. Shows whether the server provides a stapled OCSP response for revocation checking.
Certificate and vulnerabilities combined
testssl.sh -S -U example.comCombine certificate analysis with vulnerability testing in a single run. Efficient for a targeted security review.
Server Preferences
Check server preferences
testssl.sh -P example.comDisplay server cipher order preference, negotiated protocol, and cipher for each protocol version.
Check forward secrecy support
testssl.sh -f example.comTest which forward secrecy cipher suites are supported. Forward secrecy ensures session keys are not compromised if the server private key is later exposed.
Server preferences and certificate together
testssl.sh -P -S example.comCombine the server preference and certificate checks: cipher order and the protocol+cipher negotiated per version, together with the certificate details. (ALPN/HTTP2 and NPN support are reported by the -p protocol check, not here.)
HTTP Header Analysis
Check HTTP security headers
testssl.sh -h example.comAnalyze HTTP response headers (long form --headers): HSTS, HPKP, server and application banners, cookies, reverse-proxy headers and security headers such as X-Frame-Options, X-Content-Type-Options, Content-Security-Policy and X-XSS-Protection. The check only runs when testssl.sh detects HTTP on the port; add --assume-http for HTTPS on non-standard ports.
Headers and certificate together
testssl.sh -h -S example.comCombine HTTP header analysis with certificate information for a security overview of both transport and application layers.
Advanced Options
Test SMTP with STARTTLS
testssl.sh --starttls smtp smtp.example.com:25Test a mail server that upgrades a plaintext connection to TLS via STARTTLS. Specify the protocol before the hostname.
Test IMAP with STARTTLS
testssl.sh --starttls imap imap.example.com:143Test an IMAP mail server using STARTTLS on port 143.
Test POP3 with STARTTLS
testssl.sh --starttls pop3 pop3.example.com:110Test a POP3 server using STARTTLS on port 110.
Test FTP with STARTTLS
testssl.sh --starttls ftp ftp.example.com:21Test an FTP server using AUTH TLS/SSL on port 21.
Test XMPP with STARTTLS
testssl.sh --starttls xmpp xmpp.example.com:5222Test an XMPP (Jabber) server using STARTTLS on the default client port.
Test PostgreSQL with STARTTLS
testssl.sh --starttls postgres db.example.com:5432Test a PostgreSQL database server using STARTTLS for encrypted connections.
Specify SNI hostname
testssl.sh --ip 192.168.1.1 example.comConnect to the given address instead of resolving example.com, while still sending example.com as the SNI name and in the Host header. testssl.sh has no --sni switch: the hostname argument is what supplies SNI, and --ip decides where the connection goes. Required for servers hosting multiple TLS sites on one address.
Use a proxy
testssl.sh --proxy proxy.example.com:8080 example.comRoute the connection through an HTTP proxy, tunneling TLS with the CONNECT method. testssl.sh marks this option experimental and not every check works through a proxy, so expect some tests to be skipped.
Specify a custom OpenSSL binary
testssl.sh --openssl /usr/local/bin/openssl example.comUse a specific OpenSSL binary instead of the bundled one. Useful for testing with different OpenSSL versions.
Mass testing from a file
testssl.sh --file hosts.txtTest multiple hosts listed in a file, one per line. Each line can include port and additional options. Lines beginning with # are treated as comments.
Parallel mass testing
testssl.sh --parallel --file hosts.txtRun mass testing with multiple hosts in parallel. Significantly faster for large lists of targets.
Set connection timeout
testssl.sh --connect-timeout 5 example.comSet the maximum number of seconds to wait for the initial TCP connection to a target, so that an unreachable host in a mass test does not hang the run. Increase it for slow or distant servers.
Set OpenSSL timeout
testssl.sh --openssl-timeout 10 example.comTerminate an individual openssl connection attempt after the given number of seconds, which keeps slow or misbehaving servers from stalling the scan. Requires the coreutils timeout binary on the scanning host.
Assume HTTP for header checks
testssl.sh --assume-http example.comForce testssl.sh to assume the service speaks HTTP, enabling header checks. Useful when testing non-standard ports that serve HTTPS.
Output and Reporting
Filter by severity level
testssl.sh --severity HIGH example.comWrite only findings at the given severity or above to the JSON, CSV and HTML output; valid levels are LOW, MEDIUM, HIGH and CRITICAL. The filter applies to the file outputs, so it needs --jsonfile, --csvfile or --htmlfile to act on; the terminal output is not affected.
Control color output
testssl.sh --color 0 example.comSet the color level: 0 no escape codes at all, 1 black-and-white escape codes only (bold, underline), 2 color (the default), 3 extra color (every cipher colored). Use 0 when piping output into grep or a log collector.
Save terminal output to log file
testssl.sh --logfile scan.log example.comSave the terminal output to a log file. Captures the same text you see on screen.
Append results to existing file
testssl.sh --append --jsonfile results.json example.comIf the JSON, CSV or HTML output file already exists, append to it instead of overwriting it (the file header is omitted for the appended run). Useful for collecting several runs in one file.
Pretty-print JSON output
testssl.sh --jsonfile-pretty results.json example.comWrite structured, indented JSON grouped by host and check section, instead of the flat array of findings that --jsonfile produces. --json-pretty does the same with an automatically generated file name.
Wide output (show all details)
testssl.sh --wide example.comDisplay wider output with additional details for cipher listings and other results. Best viewed in a wide terminal window.
Batch Testing and Automation
Batch mode (suppress interactive prompts)
testssl.sh --warnings batch example.comSuppress interactive warnings and prompts. Essential when running testssl.sh in scripts or CI/CD pipelines.
Mass test with JSON output for CI/CD
testssl.sh --warnings batch --quiet --jsonfile results.json --file hosts.txtNon-interactive batch scan of multiple hosts with JSON output. Ideal for automated security pipelines and compliance checks.
CI/CD pipeline with severity filtering
testssl.sh --warnings batch --severity HIGH --jsonfile results.json example.comOnly HIGH and CRITICAL findings are written to the JSON file. The exit code of testssl.sh does not reflect finding severity, so a pipeline gate has to parse that file and fail the job when it contains any finding.
Use exit codes for scripting
testssl.sh --warnings batch example.com
echo "Exit code: $?"testssl.sh exits with 0 when the scan itself ran without errors; a non-zero code signals scan problems such as DNS failures, unreachable targets or bad arguments, not vulnerabilities found. Parse the JSON or CSV output for finding severity.
Input file format for mass testing
# hosts.txt - one target per line
example.com
example.com:8443
192.168.1.1:443
smtp.example.com:25 --starttls smtp
# Lines starting with # are commentsFormat for the --file input. Each line contains a host with optional port and extra flags. Comments start with #.
Parallel batch testing with all output formats
testssl.sh --parallel --warnings batch --jsonfile results.json --csvfile results.csv --htmlfile report.html --file hosts.txtMaximum automation: parallel scanning with batch warnings suppressed and all output formats generated simultaneously.
Practical Examples
Quick security assessment
testssl.sh -p -S -U example.comFocused security check covering protocols, certificate, and vulnerabilities. Faster than a full scan while covering the most critical areas.
Full comprehensive scan with report
testssl.sh --wide --jsonfile full-audit.json example.comRun the default check set (protocols, cipher categories, server preferences and defaults, headers, vulnerabilities, forward secrecy and client simulation) with wide output and save the results to JSON. Add -E to also test every cipher per protocol, which the default run does not do.
Compliance check for PCI DSS
testssl.sh -p -E -S -U --jsonfile pci-audit.json example.comThorough protocol, cipher, certificate, and vulnerability check suitable for PCI DSS compliance evidence. Review results for SSLv3, TLS 1.0/1.1, weak ciphers, and known vulnerabilities.
Test internal mail server
testssl.sh --starttls smtp --severity MEDIUM --jsonfile smtp.json smtp.internal.example.com:25Test an internal SMTP server via STARTTLS and write only MEDIUM severity and above to the JSON file (--severity filters file output, so it needs an output file to act on). Useful for internal security audits.
Test a server behind a load balancer by IP
testssl.sh --ip 10.0.0.5 www.example.comConnect directly to a backend server address while sending www.example.com as the SNI hostname, so the backend selects the right virtual host and certificate. Repeat with each backend address to check that all nodes are configured alike.
Automated nightly security scan
#!/bin/bash
# Nightly testssl.sh run: dated JSON and HTML reports from a parallel mass test.
set -euo pipefail
DATE=$(date +%Y-%m-%d)
mkdir -p /var/log/tls-audit /var/www/reports
testssl.sh --warnings batch --quiet \
    --jsonfile "/var/log/tls-audit/$DATE.json" \
    --htmlfile "/var/www/reports/$DATE.html" \
    --severity MEDIUM \
    --parallel \
    --file /etc/testssl/targets.txtExample shell script for nightly automated scanning. Generates dated JSON and HTML reports with parallel execution; with set -e the job fails if testssl.sh reports scan errors, so the scheduler notices broken runs.
Test only for deprecated protocols
testssl.sh --color 0 -p example.com | grep -E '^ *(SSLv2|SSLv3|TLS 1 |TLS 1\.1)'Quick check that the deprecated protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1) are disabled. testssl.sh has no switches for individual protocol versions, so run the protocol check and filter its lines. All four should read "not offered"; in --jsonfile output the corresponding ids are SSLv2, SSLv3, TLS1 and TLS1_1.
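Since the testssl.sh exit code says nothing about findings, a pipeline gate has to read the JSON it wrote. The following is an added example, not code from this page or from the testssl.sh project: a small gate script that fails when any finding reaches a severity threshold or when one of the deprecated protocols is reported as offered, even at a severity below the threshold (TLS 1.0 is reported as LOW). It assumes the flat --jsonfile layout (an array of objects with id, ip, port, severity and finding keys), the --jsonfile-pretty layout with per-section lists under scanResult, and the protocol ids SSLv2, SSLv3, TLS1 and TLS1_1; the sample JSON inside is constructed, not real scan output, and the file name tls_gate.py is arbitrary.

```python
#!/usr/bin/env python3
"""CI gate for testssl.sh JSON output.

testssl.sh's exit code only reports whether the scan ran cleanly, so a job
that wants to fail on findings has to read the file written by --jsonfile or
--jsonfile-pretty. Exit 1 when a finding reaches the severity threshold, or
when a protocol version that must be disabled is reported as offered.
"""
import json
import sys

# Severity labels as testssl.sh writes them in the "severity" field, ranked.
# Labels not listed here (INFO, OK, WARN, DEBUG) never trip the threshold.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Finding ids of the -p protocol check that must read "not offered".
# Assumption: these are the ids emitted by testssl.sh 3.x.
FORBIDDEN_PROTOCOLS = ("SSLv2", "SSLv3", "TLS1", "TLS1_1")

# Constructed sample in the flat --jsonfile layout (not real scan output).
SAMPLE_FLAT = """[
  {"id": "SSLv2", "ip": "example.com/192.0.2.10", "port": "443",
   "severity": "OK", "finding": "not offered"},
  {"id": "SSLv3", "ip": "example.com/192.0.2.10", "port": "443",
   "severity": "HIGH", "finding": "offered (NOT ok)"},
  {"id": "TLS1", "ip": "example.com/192.0.2.10", "port": "443",
   "severity": "LOW", "finding": "offered (deprecated)"},
  {"id": "TLS1_2", "ip": "example.com/192.0.2.10", "port": "443",
   "severity": "OK", "finding": "offered"},
  {"id": "heartbleed", "ip": "example.com/192.0.2.10", "port": "443",
   "severity": "OK", "finding": "not vulnerable, no heartbeat extension"},
  {"id": "cert_expirationStatus", "ip": "example.com/192.0.2.10", "port": "443",
   "severity": "MEDIUM", "finding": "expires < 30 days"}
]"""

# Constructed sample in the --jsonfile-pretty layout (assumption: findings
# sit in per-section lists inside each scanResult entry).
SAMPLE_PRETTY = """{
  "Invocation": "testssl.sh --jsonfile-pretty out.json example.com",
  "scanResult": [
    {"targetHost": "example.com", "ip": "192.0.2.10", "port": "443",
     "protocols": [
       {"id": "SSLv3", "severity": "HIGH", "finding": "offered (NOT ok)"},
       {"id": "TLS1_3", "severity": "OK", "finding": "offered"}
     ],
     "vulnerabilities": [
       {"id": "ROBOT", "severity": "OK", "finding": "not vulnerable"}
     ]}
  ]
}"""


def load_findings(text):
    """Return a list of finding dicts from either JSON layout."""
    data = json.loads(text)
    if isinstance(data, list):               # flat: one array of findings
        return [f for f in data if isinstance(f, dict) and "id" in f]
    findings = []                            # pretty: sections per scanned host
    for host in data.get("scanResult", []):
        for value in host.values():
            if isinstance(value, list):
                findings.extend(f for f in value if isinstance(f, dict) and "id" in f)
    return findings


def violations(findings, threshold="HIGH", forbidden=FORBIDDEN_PROTOCOLS):
    """Findings that should fail the build: severity at or above the
    threshold, or a forbidden protocol whose finding starts with "offered"."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {threshold!r}")
    limit = SEVERITY_RANK[threshold]
    bad = []
    for f in findings:
        at_or_above = SEVERITY_RANK.get(f.get("severity", ""), 0) >= limit
        offered = f.get("id") in forbidden and f.get("finding", "").startswith("offered")
        if at_or_above or offered:
            bad.append(f)
    return bad


def main(argv):
    if len(argv) < 2:
        print("usage: tls_gate.py <results.json> [LOW|MEDIUM|HIGH|CRITICAL]", file=sys.stderr)
        return 2
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    with open(argv[1], encoding="utf-8") as fh:
        findings = load_findings(fh.read())
    bad = violations(findings, threshold)
    for f in bad:
        print(f"{f.get('ip', '?')}:{f.get('port', '?')} {f['id']} "
              f"[{f.get('severity')}] {f.get('finding')}")
    print(f"{len(bad)} blocking finding(s) at >= {threshold} or forbidden protocol offered")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the scan, e.g. `testssl.sh --warnings batch --quiet --jsonfile results.json example.com && python3 tls_gate.py results.json MEDIUM`; the job fails on exit status 1. Keep the protocol list separate from the severity threshold: a HIGH gate alone would let TLS 1.0 through, because testssl.sh rates it LOW.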
Docker-based scan (no installation required)
docker run --rm -ti drwetter/testssl.sh example.comRun testssl.sh from the official Docker image without installing locally. The image includes a bundled OpenSSL with all legacy protocol support.
Important Notes
Installation
testssl.sh is a bash script requiring no installation beyond cloning the repository. It bundles its own OpenSSL binary for consistent results. Install via git clone https://github.com/drwetter/testssl.sh.git or use the Docker image.
Bundled vs System OpenSSL
testssl.sh ships with its own OpenSSL binary that supports legacy protocols (SSLv2, SSLv3) for testing purposes. The system OpenSSL on modern distributions often has these disabled, which would limit testing capability.
Legal and Ethical Use
Only scan systems you own or have explicit authorization to test. testssl.sh performs active probing that may trigger security alerts or intrusion detection systems.
Scan Duration
A full default scan can take 2-10 minutes per host depending on the server and network conditions. Use specific check flags (-p, -S, -U) to run only the tests you need for faster results.
Rate Limiting and Firewalls
Some servers or WAFs may rate-limit or block testssl.sh connections, and a few vulnerability probes (Heartbleed, CCS injection and similar malformed handshakes) can trip an IDS into blocking the scanning IP. If you experience connection issues, increase timeouts with --connect-timeout and --openssl-timeout, reduce the scan scope, or use --ids-friendly, which skips the checks most likely to trigger a block.
IPv6 Support
testssl.sh supports IPv6 targets. Without -6 only the IPv4 addresses of a target are tested; add -6 to also test its IPv6 addresses, which requires IPv6 connectivity from the scanning host and an OpenSSL build that supports it.