explaingit

testssl/testssl.sh

9,033 | Shell | Audience · ops devops | Complexity · 1/5 | License | Setup · easy

TLDR

testssl.sh is a Bash script that checks any server's TLS and SSL configuration, supported protocol versions, cipher suites, and known security weaknesses, with no installation or dependencies beyond standard Unix tools.

Mindmap

mindmap
  root((testssl.sh))
    What it does
      Checks TLS config
      Finds weak ciphers
      Color-coded output
    Scope
      Any port any service
      Web mail custom TCP
    Output Formats
      JSON CSV HTML
      Plain terminal text
    Use Cases
      Web server audit
      Mail server check
      CI pipeline scanning
    Requirements
      Bash only
      No install needed


Things people build with this

USE CASE 1

Audit your web server's HTTPS configuration from the command line to find outdated protocol versions or weak cipher suites

USE CASE 2

Check TLS on a mail server's SMTP or IMAP port, not just port 443, to catch security gaps in non-web services

USE CASE 3

Export results as JSON or CSV and feed them into an automated CI pipeline to catch TLS regressions before deployment

USE CASE 4

Run a one-off TLS health check on any hostname and port with no installation step, package manager, or root access needed

Tech stack

Shell · Bash · OpenSSL

Getting it running

Difficulty · easy | Time to first run · 5min
Free to use and share, but any modified version you distribute must also be released under the same GPLv2 license.

In plain English

testssl.sh is a command-line script that checks the TLS and SSL configuration of any server on any port. You point it at a hostname and port number, and it reports which protocol versions are supported, which cipher suites are available, and whether any known cryptographic weaknesses are present. The output is color-coded so you can see at a glance what is acceptable and what should be addressed.

The script requires only Bash and standard Unix tools like sed and awk. There is nothing to install or compile, and there are no package manager dependencies. It works on Linux, macOS, FreeBSD, and Windows via WSL2 or Cygwin. A Docker image is also available. Any version of OpenSSL or LibreSSL will work, because the script no longer depends on specific OpenSSL capabilities for most of its checks.

A notable characteristic is that it is not limited to web servers on port 443. It can check any service that uses TLS, including mail servers running SMTP, IMAP, or POP3, database ports, and custom TCP services. This makes it useful for auditing infrastructure beyond typical HTTPS endpoints.

Output can be saved in several formats: plain terminal text, CSV, two different JSON variants, and HTML. The machine-readable formats make it practical to feed testssl.sh output into automated scanning pipelines or continuous integration checks.

The project runs under the GPLv2 license. The README notes that if you offer a public or paid scanning service built on testssl.sh, you are strongly encouraged to attribute the tool to maintain awareness and support for the project. Development currently happens in a branch called 3.3dev, which is the path toward a future stable release. The current stable version is 3.2.
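A CI gate over the JSON export described above, as an added example that is not part of testssl.sh or of this page. It assumes the flat JSON variant is a list of records with `id`, `port`, `severity` and `finding` fields and uses the severity labels listed in the code; the `evaluate` helper is hypothetical and the sample report is constructed.

```python
import json
import sys

# Assumed severity labels, lowest to highest (not listed on this page).
RANK = {s: i for i, s in enumerate(["OK", "INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"])}
SCAN_PROBLEM = {"WARN", "FATAL"}  # assumed labels for an incomplete scan

# Constructed sample report: a flat list of finding records (assumed shape).
SAMPLE = """[
  {"id": "TLS1_2", "port": "443", "severity": "OK", "finding": "offered"},
  {"id": "TLS1", "port": "443", "severity": "LOW", "finding": "offered (deprecated)"},
  {"id": "SSLv3", "port": "443", "severity": "HIGH", "finding": "offered"}
]"""


def evaluate(text, threshold="HIGH"):
    """Return (passed, reasons) for one JSON report; fails closed on bad input."""
    if threshold not in RANK:
        raise ValueError(f"unknown threshold: {threshold}")
    try:
        records = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, [f"report is not valid JSON: {exc.msg}"]
    # An empty or unexpected report means the scan did not run; never pass it.
    if not isinstance(records, list) or not records:
        return False, ["report has no findings; treating the scan as failed"]
    reasons = []
    for rec in records:
        if not isinstance(rec, dict):
            reasons.append(f"unexpected record: {rec!r}")
            continue
        sev = str(rec.get("severity", "")).upper()
        label = f"{rec.get('id', '?')} (port {rec.get('port', '?')}): {rec.get('finding', '')}"
        if sev in SCAN_PROBLEM:
            reasons.append(f"scan problem [{sev}] {label}")
        elif sev not in RANK:
            reasons.append(f"unrecognized severity [{sev}] {label}")
        elif RANK[sev] >= RANK[threshold]:
            reasons.append(f"[{sev}] {label}")
    return not reasons, reasons


if __name__ == "__main__":
    # Usage: python tls_gate.py report.json [THRESHOLD]; no path uses SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    passed, reasons = evaluate(text, *sys.argv[2:3])
    print("\n".join(reasons) or "TLS gate passed")
    sys.exit(0 if passed else 1)
```

The gate fails the build when the report is empty, unparsable, or contains a scan problem, so an unreachable host cannot pass as a clean result. A report for it can be written with `testssl.sh --jsonfile report.json example.com:443`.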

Copy-paste prompts

Prompt 1
Run testssl.sh against my server at example.com port 443 and explain what each color-coded finding in the output means for my site's security.
Prompt 2
Show me how to use testssl.sh to check my mail server's SMTP TLS on port 587 and interpret the cipher suite results it reports.
Prompt 3
Help me write a CI job that runs testssl.sh against my server and fails the build if any critical TLS vulnerabilities are detected, outputting results as JSON.
Prompt 4
I need to scan 20 servers with testssl.sh and save a separate report for each one. Show me a shell script that loops over hostnames and saves per-host HTML reports.

Verify against the repo before relying on details.