### Perform STARTTLS checks Source: https://github.com/testssl/testssl.sh/wiki/Usage-Documentation Examples of running STARTTLS checks for various protocols. ```bash testssl.sh -t pop3 pop.o2online.de:110 ``` ```bash testssl.sh --starttls smtp .:587 ``` ```bash testssl.sh --starttls ftp .:21 ``` ```bash testssl.sh -t xmpp .:5222 ``` ```bash testssl.sh -t xmpp --xmpphost .:5222 ``` ```bash testssl.sh --starttls imap .:143 ``` -------------------------------- ### Example of nmap grepable input format Source: https://github.com/testssl/testssl.sh/wiki/Man-page A sample of how input lines should be formatted when using the --file option with nmap grepable output. ```text 10.10.12.16:443 10.10.12.16:1443 -t smtp host.example.com:25 host.example.com:443 host.example.com:631 -t ftp 10.10.12.11:21 10.10.12.11:8443 ``` -------------------------------- ### Get Operating System Info Source: https://github.com/testssl/testssl.sh/wiki/Bug-reporting Use the uname command to gather detailed information about your operating system. This is crucial for reproducing environment-specific bugs. ```bash uname -a ``` -------------------------------- ### Example Client Hello Handshake Bytes Source: https://github.com/testssl/testssl.sh/blob/3.3dev/etc/client-simulation.wiresharked.txt A raw byte string representing a Client Hello handshake message, likely used for testing or debugging TLS connections. ```hex 1603010200010001fc03035695ccca492a68de5adfabb7e70c87b694974ddb17344e9f8d80d51aa64a881d204aca76c4eec10c3b9851b5f02fe71f371d896ba7c9c5a8cd78370b4af27896d60034130313011302c02cc02bc024c023c00ac009cca9c030c02fc028c027c014c013cca8009d009c003d003c0035002fc008c012000a0100017fff0100010000000010000e00000b6369706865726c692e737400170000000d0018001604030804040105030203080508050501080606010201000500050100000000337400000012000000100030002e0268320568322d31360568322d31350568322d313408737064792f332e3106737064792f3308687474702f312e31000b00020100003300260024001d00204090ee7a8be9431345ddcec031c3024ad13d968357e337da3882606afd91405f002d00020101002b0009080304030303020301000a000a0008001d0017001800190015004d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000029005b002600205d10265edd7f80daa4cb33e036860f0817903b6f7ffeeaf69977cef1170892485c26fc13003130de816ac91ce4c32f5f7beb18209f6d917cb15fe2a0fd624d5500c64a583899aae55a1d64921d86878eccd66004f1b27f ``` -------------------------------- ### Bash Parameter Substitution Example Source: https://github.com/testssl/testssl.sh/blob/3.3dev/Coding_Convention.md Demonstrates using Bash's internal parameter substitution features to avoid external utilities like `tr`, `sed`, or `awk` for string manipulation. ```bash IFS=, read -ra a b c <<< "$line_with_comma" ``` -------------------------------- ### Check for Binary Availability in testssl.sh Source: https://github.com/testssl/testssl.sh/blob/3.3dev/Coding_Convention.md Ensures that an external binary is available on the system before attempting to use it. This example shows how to check for the `timeout` command. ```bash timeout ``` -------------------------------- ### Run testssl.sh from Docker Hub Source: https://context7.com/testssl/testssl.sh/llms.txt Pull and run testssl.sh directly from GitHub Container Registry without local installation. Use standard testssl.sh options as arguments. ```bash docker run --rm -it ghcr.io/testssl/testssl.sh example.com ``` ```bash docker run --rm -it ghcr.io/testssl/testssl.sh -U --wide example.com ``` -------------------------------- ### Configure OpenSSL Timeout Source: https://github.com/testssl/testssl.sh/blob/3.3dev/doc/testssl.1.md Sets the maximum time in seconds for OpenSSL connections to prevent hanging. Requires the timeout binary to be installed on the OS. ```bash --openssl-timeout ``` -------------------------------- ### Get OpenSSL Version Source: https://github.com/testssl/testssl.sh/wiki/Bug-reporting This command extracts the OpenSSL version used by testssl.sh. It filters the output to get the relevant lines. ```bash testssl.sh -b 2>/dev/null | head -16 | tail -3 ``` -------------------------------- ### Execute testssl.sh with options Source: https://github.com/testssl/testssl.sh/wiki/Usage-Documentation Demonstrates the syntax for passing options and a URI to the script. ```bash testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl ``` -------------------------------- ### Run testssl.sh Container Source: https://github.com/testssl/testssl.sh/blob/3.3dev/Dockerfile.md Execute the testssl.sh container with default options (equivalent to --help). The container's entrypoint is pre-configured. ```bash docker run --rm -it ghcr.io/testssl/testssl.sh:3.2 github.com ``` -------------------------------- ### Build and run testssl.sh from local source Source: https://github.com/testssl/testssl.sh/blob/3.3dev/Readme.md Builds a local Docker image from the cloned repository and executes it. ```bash docker build . -t imagefoo && docker run --rm -t imagefoo testssl.net ``` -------------------------------- ### Run Client Simulation Tests Source: https://context7.com/testssl/testssl.sh/llms.txt Simulate connections from various browsers and clients to test compatibility. Use the --wide flag for better formatted output. Set ALL_CLIENTS=true to run with all available client handshakes. ```bash ./testssl.sh -c example.com ``` ```bash ./testssl.sh --wide -c example.com ``` ```bash ALL_CLIENTS=true ./testssl.sh -c example.com ``` -------------------------------- ### Filter output by severity level Source: https://context7.com/testssl/testssl.sh/llms.txt Filter the testssl.sh output to include only findings of a specific severity level, such as HIGH. This example also specifies JSON output. ```bash ./testssl.sh --severity HIGH --json example.com ``` -------------------------------- ### Build testssl.sh Docker Image Locally Source: https://github.com/testssl/testssl.sh/blob/3.3dev/Dockerfile.md Clone the repository and build the Docker image using a standard Dockerfile. Tagging the image simplifies referencing. ```bash mkdir /tmp/testssl && cd /tmp/testssl git clone --branch 3.2 --depth 1 https://github.com/testssl/testssl.sh . docker build --tag localhost/testssl.sh:3.2 . ``` -------------------------------- ### Build and run testssl.sh from source in Docker Source: https://context7.com/testssl/testssl.sh/llms.txt Clone the testssl.sh repository, build a Docker image from the source, and run the container. This is useful for testing the latest development version. ```bash git clone --depth 1 https://github.com/testssl/testssl.sh.git cd testssl.sh docker build -t testssl.sh . docker run --rm -it testssl.sh example.com ``` -------------------------------- ### Java SSL Socket Client Example Source: https://github.com/testssl/testssl.sh/blob/3.3dev/etc/README.md A basic Java client implementation for generating a TLS/SSL handshake. This code is sourced from Oracle documentation and is provided for convenience. ```java import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.net.Socket; import java.security.cert.Certificate; import javax.net.ssl.SSLSocketFactory; public class SSLSocketClient { public static void main(String[] args) { SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault(); try (Socket socket = factory.createSocket("example.com", 443)) { try (OutputStream out = socket.getOutputStream(); InputStream in = socket.getInputStream()) { // Send a simple HTTP GET request String request = "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"; out.write(request.getBytes()); out.flush(); // Read the response byte[] buffer = new byte[4096]; int bytesRead; while ((bytesRead = in.read(buffer)) != -1) { System.out.write(buffer, 0, bytesRead); } System.out.println(); // Print the server's certificate chain Certificate[] certs = socket.getSession().getPeerCertificates(); System.out.println("Server's certificate chain:"); for (int i = 0; i < certs.length; i++) { System.out.println("-----------------------------------------"); System.out.println("Certificate " + (i + 1) + ": " + certs[i].toString()); } } catch (IOException x) { System.err.println(x); } } catch (IOException x) { System.err.println(x); } } } ``` -------------------------------- ### Bash Regex Matching Example Source: https://github.com/testssl/testssl.sh/blob/3.3dev/Coding_Convention.md Illustrates using Bash's built-in regular expression matching capabilities. Avoid quoting on the right-hand side for regex matching. ```bash =~ ``` -------------------------------- ### STARTTLS on SMTP Source: https://github.com/testssl/testssl.sh/blob/3.3dev/doc/testssl.1.md Tests the STARTTLS handshake for SMTP on the plain text port 25, checking all available IP addresses for the specified host. ```bash testssl.sh -t smtp smtp.gmail.com:25 ``` -------------------------------- ### Android 10.0 Client Simulation Placeholder Source: https://github.com/testssl/testssl.sh/blob/3.3dev/etc/client-simulation.wiresharked.txt Placeholder for Android 10.0 client simulation configuration. This entry indicates that configurations for Android 10.0 are intended but not detailed in this snippet. ```bash names+=("Android 10.0 (native)") short+=("android_X") ``` -------------------------------- ### List and Search Local OpenSSL Ciphers Source: https://context7.com/testssl/testssl.sh/llms.txt Inspect the available ciphers in your local OpenSSL installation. You can list all ciphers or search for specific patterns, including hex codes. ```bash ./testssl.sh -V ``` ```bash ./testssl.sh -V "AES" ``` ```bash ./testssl.sh -V "GCM" ``` ```bash ./testssl.sh -V "256" ``` ```bash ./testssl.sh -V "0x009f" ``` ```bash ./testssl.sh -V "CHACHA20" ``` ```bash ./testssl.sh -V "ECDHE" ``` ```bash ./testssl.sh --openssl /path/to/openssl -V "TLS13" ``` -------------------------------- ### Build and run Alpine-based Docker image Source: https://context7.com/testssl/testssl.sh/llms.txt Build a smaller, Alpine Linux-based Docker image for testssl.sh. This can reduce download size and container footprint. ```bash docker build -f Dockerfile.alpine -t testssl.sh:alpine . ``` -------------------------------- ### Server Preference and Defaults Source: https://github.com/testssl/testssl.sh/blob/3.3dev/doc/testssl.1.html Options to display server preferences and default settings. ```APIDOC ## -P, --server-preference, --preference ### Description Displays the server's cipher order preferences for each protocol, along with the OpenSSL client and negotiated protocol/cipher. If no cipher order is enforced, it shows which ciphers were picked by the server for each protocol. ### Method N/A (Command-line option) ### Endpoint N/A ### Request Example ```bash testssl.sh --server-preference example.com ``` ### Response #### Success Response - **Server Preferences** (object) - Details on server-enforced cipher order and negotiated protocols/ciphers. #### Response Example ```json { "server_preferences": { "tlsv1_2": { "cipher_order_enforced": true, "preferred_ciphers": "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" } } } ``` ## -S, --server_defaults ### Description Displays information from the server hello(s), including available TLS extensions, session ID/resumption capabilities, TLS 1.3 early data, time skew, and extensive certificate details (signature algorithm, key size, usage, fingerprints, serial, CN, SAN, issuer, trust, EV detection, validity, revocation info, CAA, and Certificate Transparency info). ### Method N/A (Command-line option) ### Endpoint N/A ### Parameters #### Command-line Options - **--phone-out** (flag) - Optional - Checks certificate issuer for revocation status (plain OCSP, CRL). ### Request Example ```bash testssl.sh --server_defaults example.com ``` ### Response #### Success Response - **Server Defaults** (object) - Comprehensive details from server hello and certificate information. #### Response Example ```json { "server_defaults": { "tls_extensions": ["server_name", "ec_point_formats"], "session_resumption": "Supported", "tls1_3_early_data": "Not Supported", "certificate": { "signature_algorithm": "sha256WithRSAEncryption", "key_size": 2048, "validity_days_remaining": 180, "issuer": "Let's Encrypt Authority X3", "subject_cn": "example.com", "san_dns": ["example.com", "www.example.com"] }, "revocation_info": { "ocsp_stapling": "Supported" } } } ``` ``` -------------------------------- ### Get testssl.sh Banner Source: https://github.com/testssl/testssl.sh/wiki/Bug-reporting Use this command to retrieve the testssl.sh banner, which includes version information. Redirect errors to /dev/null and take the second to last line of the first four lines. ```bash testssl.sh -b 2>/dev/null | head -4 | tail -2 ``` -------------------------------- ### Android 7.0 Client Simulation Configuration Source: https://github.com/testssl/testssl.sh/blob/3.3dev/etc/client-simulation.wiresharked.txt Defines the client hello cipher suites, handshake bytes, and supported protocols for Android 7.0. This configuration is used for simulating a native Android 7.0 client. ```bash names+=("Android 7.0 (native)") short+=("android_70") ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA") ciphersuites+=("") ch_sni+=("$SNI") warning+=("") handshakebytes+=("160301009d0100009903036cea0f867ae9fdd087adedaa810119e62971b36c0486d44fb3099e51403c8a1e000018c02bc02ccca9c02fc030cca8c013c014009c009d002f003501000058ff010001000000000d000b00000873796e6f642e696d0017000000230000000d0016001406010603050105030401040303010303020102030010000e000c02683208687474702f312e31000b00020100000a000400020017") protos+=("-no_ssl3 -no_ssl2") tlsvers+=("-tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0303") alpn+=("h2,http/1.1") service+=("HTTP,FTP") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) maxRsaBits+=(-1) minEcdsaBits+=(-1) curves+=("prime256v1") requiresSha2+=(false) current+=(true) ``` -------------------------------- ### Test FTP STARTTLS Source: https://context7.com/testssl/testssl.sh/llms.txt Test TLS security on FTP services using STARTTLS upgrade from plaintext. The default port is 21. ```bash ./testssl.sh -t ftp ftp.example.com:21 ``` -------------------------------- ### Define Client Hello Ciphers for OpenSSL 1.1.1d Source: https://github.com/testssl/testssl.sh/blob/3.3dev/etc/client-simulation.wiresharked.txt Sets the Client Hello ciphers for OpenSSL 1.1.1d (Debian). ```bash ch_ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA") ``` -------------------------------- ### Test POP3 STARTTLS Source: https://context7.com/testssl/testssl.sh/llms.txt Test TLS security on POP3 services using STARTTLS upgrade from plaintext. The default port is 110. ```bash ./testssl.sh -t pop3 pop.example.com:110 ``` -------------------------------- ### Define Service for OpenSSL 1.1.1d Source: https://github.com/testssl/testssl.sh/blob/3.3dev/etc/client-simulation.wiresharked.txt Sets the service to be tested for OpenSSL 1.1.1d (Debian) to ANY. ```bash service+=("ANY") ``` -------------------------------- ### Handle Warnings and Set Output File Prefix Source: https://context7.com/testssl/testssl.sh/llms.txt Configure how warnings are displayed, from non-interactive batch mode to completely disabling them. Set a custom prefix for output files, such as JSON reports. ```bash WARNINGS=batch ./testssl.sh example.com ``` ```bash WARNINGS=off ./testssl.sh example.com ``` ```bash FNAME_PREFIX="scan_2024" ./testssl.sh --json example.com ``` -------------------------------- ### Android 9.0 Client Simulation Configuration Source: https://github.com/testssl/testssl.sh/blob/3.3dev/etc/client-simulation.wiresharked.txt Configuration for Android 9.0 native client simulation, including a broader set of cipher suites and support for TLS 1.3. Note the inclusion of TLS_AES_128_GCM_SHA256 and other modern cipher suites. ```bash names+=("Android 9.0 (native)") short+=("android_90") ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA") ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") ch_sni+=("$SNI") warning+=("") handshakebytes+=("1603010246010002420303d6259dca682ab368c7e095da7189996da830514896063d4acdc83cb5d2c2568d2041a787bf8dd3d7a1ceda514a6606f1068432a13063ea320fd7e7b367af47ecae00220a0a130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001d77a7a00000000001e001c0000196c68332e676f6f676c6575736572636f6e74656e742e636f6d00170000ff01000100000a000a0008aaaa001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029aaaa000100001d00203e67895a11e9ce5c69df2995782adaddb7a03ef30b245000ca332d5940ecff20002d00020101002b000b0aeaea0304030303020301001b00030200026a6a0001000029010500e000da001c9941f6b101f853f370851e583bd22e03150fc67298947270c6058707fe1670efe590d777a34b9e2e2d0ec6aa8d0ddc375c2535934c75c9623d1a271f735417fdd9190dae7f4c8541c262f8fbfeee2e820f54f59f68e78503f5c093f6084037be22c20dad3d057f64dc73f2dd45948e27c707f3f2107b32040a21fa9c1273e7797aaf5a5bc8994e9eafc4bd43b2951e10f952564a910f146344ec6d0c49f75fc6a070c75f0ffdd84fe9e10f77c23f1062e90f9e1e396eddb84d8ac00bf7ac87c557622dd18c54bbc229268699c60434648b279dd86e996baee9d1c155002120235d43319c7d5bb4725a52fa782468cd2280bd622c40a36296b354759f6d4389") protos+=("-no_ssl3 -no_ssl2") tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") service+=("ANY") minDhBits+=(-1) maxDhBits+=(-1) minRsaBits+=(-1) maxRsaBits+=(-1) minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(false) current+=(true) ``` -------------------------------- ### Define Chrome 101 Client Configuration Source: https://github.com/testssl/testssl.sh/blob/3.3dev/etc/client-simulation.wiresharked.txt Configures the handshake parameters and capabilities for a Chrome 101 on Windows 10 simulation. ```bash handshakebytes+=("1603010200010001fc03032f8eea63ff25d05264565777081b6d1a326e12f37751c33c7e953973af65b2ab20a62f96b75b1c41454679b64cd32fb0fbbf99ff019501d92184d589a529c21c590022caca130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001917a7a000000000014001200000f73736c2e677374617469632e636f6d00170000ff01000100000a000a0008eaea001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029eaea000100001d0020465dfa0295bf9cd3578d2f23bbfdf58d6468c5dd0c071f0b7c6bb92fc507685b002d00020101002b000b0ababa0304030303020301001b00030200029a9a000100001500c900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") protos+=("-no_ssl3 -no_ssl2") tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") lowest_protocol+=("0x0301") highest_protocol+=("0x0304") alpn+=("h2,http/1.1") service+=("HTTP") minDhBits+=(1024) maxDhBits+=(-1) minRsaBits+=(-1) maxRsaBits+=(-1) minEcdsaBits+=(-1) curves+=("X25519:secp256r1:secp384r1") requiresSha2+=(false) current+=(true) names+=("Chrome 101 (Win 10)") short+=("chrome_101_win10") ch_ciphers+=("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA") ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256") ch_sni+=("$SNI") warning+=("") ``` -------------------------------- ### Run testssl.sh via Docker Source: https://github.com/testssl/testssl.sh/blob/3.3dev/Readme.md Executes testssl.sh using pre-built images from container registries. ```bash docker run --rm -it ghcr.io/testssl/testssl.sh ``` -------------------------------- ### Test LDAP STARTTLS Source: https://context7.com/testssl/testssl.sh/llms.txt Test TLS security on LDAP services using STARTTLS upgrade from plaintext. The default port is 389. ```bash ./testssl.sh -t ldap ldap.example.com:389 ``` -------------------------------- ### STARTTLS on IMAP Source: https://github.com/testssl/testssl.sh/blob/3.3dev/doc/testssl.1.md Performs a security scan using STARTTLS on the plain text IMAP port 143 for a given host. ```bash testssl.sh --starttls=imap imap.gmx.net:143 ``` -------------------------------- ### Build testssl.sh Image with Remote Context Source: https://github.com/testssl/testssl.sh/blob/3.3dev/Dockerfile.md Build the Docker image directly from a Git repository URL using a single command. Note that .dockerignore is not supported with remote build contexts. ```bash docker build --tag localhost/testssl.sh:3.2 https://github.com/testssl/testssl.sh.git#3.2 ```