The sys admin's daily grind – testssl.sh

A Key Role

Article from Issue 190/2016
Author(s):

Back in the day, integrating and function testing an SSL certificate was an easy thing to do. Now, you can use a shell script that talks plain English, despite the Babylonian confusion of key protocols and ciphers.

Web servers with SSL certificates will likely be the rule. The administrator's responsibility for keeping track of which SSL and TLS settings are up to date on which servers tends to grow proportionally. I have found a trusty helper for this task, testssl.sh [1], a shell script with many capabilities. For example, typing

testssl -U https://<server>

runs scan tests for popular exploits like Heartbleed, Poodle, and Crime (see output in Listing 1), and I can trigger each test option individually. To discover whether a server is vulnerable for Logjam, I would just type:

testssl.sh --logjam   <address>

Listing 1

testssl -U https://<server>

 

To test whether the server offers its ciphers in a defined order (from strong to weak), I type:

testssl -P <address>

Listing 2 shows the strongest encryption method the server was able to negotiate. The script additionally helps me discover whether the server supports HTTP/2 with:

testssl.sh -Y <address>

Listing 2

testssl -P <address>

 

It might then respond with Service detected: HTTP HTTP2/ALPN http/1.1 (offered).

The tests are not restricted to HTTPS. I can test a mail server like this:

testssl.sh --starttls smtp <address>

which gives me an equally good quality of analysis as for the web protocol – and it is very exhaustive in this case. If you don't specify any parameters testssl.sh runs through the whole arsenal of test routines (Figure 1).

Figure 1: Testssl.sh even checks mail server certificates.

Aha

Finally, a tip from the developer of testssl.sh: If you additionally install the aha [2] tool, you can easily convert the console output to HTML:

testssl.sh <address> | aha >  /<Path>/servertest.html

After wrapping this up in a small shell script, I can then use cron to check the TLS and SSL status of my servers on a weekly basis.

Infos

  1. Testssl.sh: https://github.com/drwetter/testssl.sh
  2. Aha: https://github.com/theZiz/aha

The Author

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column: SSLScan

    If, like our author Charly, you manage SSL-secured servers, read on to discover a tool that you will definitely appreciate. It checks whether the complete security setup is up to date.

    more »
  • Charly's Column – Let's Encrypt

    Columnist Charly fights the fight for free SSL certificates with Let's Encrypt. He particularly likes the matching software client that takes care of everything – from certificate retrieval to web server integration.

    more »
  • Charly's Column – Precise Timekeeping

    After the idea of procuring an atomic clock failed to thrill the other members of Charly's household, our intrepid columnist simply decided to tap into the timekeeping of a GPS satellite. In doing so, he ensured the kind of punctuality at home that only large data centers actually need. Precisely.

    more »
  • The sys admin's daily grind: DNSDiag

    If some transactions take an inexplicably long time, you don't have to blame yourself for the delayed transmission of user data. Name resolution issues might be to blame. Sys admin Charly has three tools to study the DNS server.

    more »
  • The sysadmin's daily grind: Pi-hole

    A strange rule seems to dictate that the most useless products and services have the most annoying online advertising. Columnist Charly blocks the garish advertising for all computers on his network centrally with the Pi-hole tool, which is not only for Raspberry Pi devices.

    more »
comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

Linux Administration

News

Tag Cloud

Administration Community Events Hardware Linux Linux New Media Linux Pro Magazine Mobile Programming Software Ubuntu Web Development Windows free software open source