.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.2.
.TH TESTSSL "1" "September 2015" "testssl" "User Commands"
.SH NAME
testssl \- Command line tool to check TLS/SSL ciphers, protocols and cryptographic flaws
.SH DESCRIPTION
testssl is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
.PP
Key features:
.IP
* Clear output: you can tell easily whether anything is good or bad
.IP
* Ease of installation: it works for Linux, Darwin, FreeBSD and MSYS2/Cygwin out of the box: no need to install or configure anything, no gems, CPAN, pip or the like.
.IP
* Flexibility: you can test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443
.IP
* Toolbox: several command line options help you to run YOUR test and configure YOUR output
.IP
* Reliability: features are tested thoroughly
.IP
* Verbosity: if a particular check cannot be performed because of a missing capability on your client side, you'll get a warning
.IP
* Privacy: it's only you who sees the result, not a third party
.IP
* Freedom: it's 100% open source. You can look at the code, see what's going on and you can change it. Heck, even the development is open (github)
.TP
\fB\-h\fR, \fB\-\-help\fR
what you're looking at
.TP
\fB\-b\fR, \fB\-\-banner\fR
displays banner + version of testssl
.TP
\fB\-v\fR, \fB\-\-version\fR
same as previous
.TP
\fB\-V\fR, \fB\-\-local\fR
pretty print all local ciphers
.TP
\fB\-V\fR, \fB\-\-local\fR <pattern>
which local ciphers with <pattern> are available? (if pattern not a number: word match)
.PP
testssl URI ("testssl URI" does everything except \fB\-E\fR)
.TP
\fB\-e\fR, \fB\-\-each\-cipher\fR
checks each local cipher remotely
.TP
\fB\-E\fR, \fB\-\-cipher\-per\-proto\fR
checks those per protocol
.TP
\fB\-f\fR, \fB\-\-ciphers\fR
checks common cipher suites
.TP
\fB\-p\fR, \fB\-\-protocols\fR
checks TLS/SSL protocols
.TP
\fB\-S\fR, \fB\-\-server_defaults\fR
displays the server's default picks and certificate info
.TP
\fB\-P\fR, \fB\-\-preference\fR
displays the server's picks: protocol+cipher
.TP
\fB\-y\fR, \fB\-\-spdy\fR, \fB\-\-npn\fR
checks for SPDY/NPN
.TP
\fB\-x\fR, \fB\-\-single\-cipher\fR <pattern>
tests matched <pattern> of ciphers (if not a number: word match)
.TP
\fB\-U\fR, \fB\-\-vulnerable\fR
tests all vulnerabilities
.TP
\fB\-B\fR, \fB\-\-heartbleed\fR
tests for heartbleed vulnerability
.TP
\fB\-I\fR, \fB\-\-ccs\fR, \fB\-\-ccs\-injection\fR
tests for CCS injection vulnerability
.TP
\fB\-R\fR, \fB\-\-renegotiation\fR
tests for renegotiation vulnerabilities
.TP
\fB\-C\fR, \fB\-\-compression\fR, \fB\-\-crime\fR
tests for CRIME vulnerability
.TP
\fB\-T\fR, \fB\-\-breach\fR
tests for BREACH vulnerability
.TP
\fB\-O\fR, \fB\-\-poodle\fR
tests for POODLE (SSL) vulnerability
.TP
\fB\-Z\fR, \fB\-\-tls\-fallback\fR
checks TLS_FALLBACK_SCSV mitigation
.TP
\fB\-F\fR, \fB\-\-freak\fR
tests for FREAK vulnerability
.TP
\fB\-A\fR, \fB\-\-beast\fR
tests for BEAST vulnerability
.TP
\fB\-J\fR, \fB\-\-logjam\fR
tests for LOGJAM vulnerability
.TP
\fB\-s\fR, \fB\-\-pfs\fR, \fB\-\-fs\fR, \fB\-\-nsa\fR
checks (perfect) forward secrecy settings
.TP
\fB\-4\fR, \fB\-\-rc4\fR, \fB\-\-appelbaum\fR
which RC4 ciphers are being offered?
.TP
\fB\-H\fR, \fB\-\-header\fR, \fB\-\-headers\fR
tests HSTS, HPKP, server/app banner, security headers, cookie, reverse proxy, IPv4 address
.PP
special invocations:
.TP
\fB\-t\fR, \fB\-\-starttls\fR <protocol>
does a default run against a STARTTLS enabled <protocol>
.TP
\fB\-\-xmpphost\fR <to_domain>
for STARTTLS enabled XMPP it supplies the XML stream 'to' domain \fB\-\-\fR sometimes needed
.TP
\fB\-\-mx\fR <domain/host>
tests MX records from high to low priority (STARTTLS, port 25)
.TP
\fB\-\-ip\fR <ip>
a) tests the supplied <ip> instead of resolving host(s) in URI
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
.TP
\fB\-\-file\fR <file>
mass testing option: just put multiple testssl command lines in <file>, one line per instance. Comments via # allowed, EOF signals end of <file>.
.PP
partly mandatory parameters:
.TP
URI
host|host:port|URL|URL:port (port 443 is assumed unless otherwise specified)
.TP
pattern
an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits
.TP
protocol
is one of ftp,smtp,pop3,imap,xmpp,telnet,ldap (for the latter two you need e.g. the supplied openssl)
.PP
tuning options:
.TP
\fB\-\-assuming\-http\fR
if protocol check fails it assumes HTTP protocol and enforces HTTP checks
.TP
\fB\-\-ssl\-native\fR
fallback to checks with OpenSSL where sockets are normally used
.TP
\fB\-\-openssl\fR <fname>
use this openssl binary (default: look in $PATH, $RUN_DIR of testssl)
.TP
\fB\-\-proxy\fR <host>:<port>
connect via the specified HTTP proxy
.TP
\fB\-\-sneaky\fR
be less verbose wrt referer headers
.TP
\fB\-\-quiet\fR
don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
.TP
\fB\-\-wide\fR
wide output for tests like RC4, BEAST, PFS: also with hexcode, kx, strength, RFC name
.TP
\fB\-\-show\-each\fR
for wide outputs: display all ciphers tested \fB\-\-\fR not only succeeded ones
.TP
\fB\-\-warnings\fR
"batch" doesn't wait for keypress, "off" or "false" skips connection warning
.TP
\fB\-\-color\fR <0|1|2>
0: no escape or other codes, 1: b/w escape codes, 2: color (default)
.TP
\fB\-\-debug\fR <0\-6>
1: screen output normal but debug output in temp files. 2\-6: see line ~105
.PP
All options requiring a value can also be called with '=' (e.g. testssl \fB\-t\fR=\fI\,smtp\/\fR \fB\-\-wide\fR \fB\-\-openssl=\fR/usr/bin/openssl). URI is always the last parameter.
.PP
Need HTML output? Just pipe through "aha" (Ansi HTML Adapter: github.com/theZiz/aha) like
.IP
"testssl URI | aha >output.html"
.SH AUTHOR
This manual page was written by ChangZhuo Chen for the Debian GNU/Linux system (but may be used by others).
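The mass testing option (\-\-file) takes a file with one testssl command line per instance and # comments. The following POSIX sh driver is an added example for building and consuming such a file; it is not part of testssl or of this manual page. The hostnames are constructed placeholders, and the variable names TESTSSL and DRY_RUN as well as the function names are the example's own. With DRY_RUN=1 (the default here) it only echoes the invocations that would run, so it can be checked without a testssl binary or network access.

```shell
#!/bin/sh
# Added example (not testssl's own code): build a --file <file> inventory
# and run each line as a separate testssl invocation.
# TESTSSL: the testssl binary to use (assumption: "testssl" is in $PATH).
# DRY_RUN=1: only print the commands instead of running them.
TESTSSL="${TESTSSL:-testssl}"
DRY_RUN="${DRY_RUN:-1}"

# Write a constructed sample inventory in the --file format:
# one testssl command line per instance, URI last, comments via #,
# blank lines tolerated by this driver.
make_sample_file() {
  cat > "$1" <<'EOF'
# constructed inventory of our own TLS endpoints
-p -S www.example.com
# mail relay: default run against STARTTLS on port 25, no keypress needed
-t smtp --warnings batch mail.example.com:25

# all MX records of the domain, high to low priority
--mx example.com
-H --color 0 intranet.example.com:8443
EOF
}

# Print only the instance lines: drop comment lines and blank lines.
mass_lines() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Number of instances the file describes.
count_instances() {
  mass_lines "$1" | wc -l | tr -d ' '
}

# Run (or, in dry-run mode, echo) one testssl process per instance line.
# Word splitting of "$line" is intentional: it is a command line.
run_mass() {
  mass_lines "$1" | while IFS= read -r line; do
    if [ "$DRY_RUN" = 1 ]; then
      printf '%s %s\n' "$TESTSSL" "$line"
    else
      # shellcheck disable=SC2086
      "$TESTSSL" $line
    fi
  done
}

# Stand-alone demo: write the sample file, report its size, echo the runs.
sample_file=$(mktemp)
make_sample_file "$sample_file"
printf 'instances in %s: %s\n' "$sample_file" "$(count_instances "$sample_file")"
run_mass "$sample_file"
rm -f "$sample_file"
```

Set DRY_RUN=0 to actually execute the lines; because every instance is a separate process, \-\-warnings batch and \-\-color 0 belong on each line that should run unattended or be parsed afterwards (for example before piping through aha).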