The sys admin's daily grind – testssl.sh
A Key Role

Back in the day, integrating and function testing an SSL certificate was an easy thing to do. Now, you can use a shell script that talks plain English, despite the Babylonian confusion of key protocols and ciphers.
Web servers with SSL certificates will likely be the rule. The administrator's responsibility for keeping track of which SSL and TLS settings are up to date on which servers tends to grow proportionally. I have found a trusty helper for this task, testssl.sh
[1], a shell script with many capabilities. For example, typing
testssl -U https://<server>
runs scan tests for popular exploits like Heartbleed, Poodle, and Crime (see output in Listing 1), and I can trigger each test option individually. To discover whether a server is vulnerable for Logjam, I would just type:
testssl.sh --logjam <address>
Listing 1
testssl -U https://<server>
To test whether the server offers its ciphers in a defined order (from strong to weak), I type:
testssl -P <address>
Listing 2 shows the strongest encryption method the server was able to negotiate. The script additionally helps me discover whether the server supports HTTP/2 with:
testssl.sh -Y <address>
Listing 2
testssl -P <address>
It might then respond with Service detected: HTTP HTTP2/ALPN http/1.1 (offered).
The tests are not restricted to HTTPS. I can test a mail server like this:
testssl.sh --starttls smtp <address>
which gives me an equally good quality of analysis as for the web protocol – and it is very exhaustive in this case. If you don't specify any parameters testssl.sh runs through the whole arsenal of test routines (Figure 1).

Aha
Finally, a tip from the developer of testssl.sh: If you additionally install the aha [2] tool, you can easily convert the console output to HTML:
testssl.sh <address> | aha > /<Path>/servertest.html
After wrapping this up in a small shell script, I can then use cron to check the TLS and SSL status of my servers on a weekly basis.
Infos
- Testssl.sh: https://github.com/drwetter/testssl.sh
- Aha: https://github.com/theZiz/aha
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
News
-
Linux Mint 19.3 Will be Released by Christmas
The developers behind Linux Mint have announced 19.3 will be released by Christmas 2019.
-
Linux Kernel 5.4 Released
A number of new changes and improvements have reached the Linux kernel.
-
System76 To Design And Build Laptops In-House
In-house designed and built laptops coming from System76.
-
News and views on the GPU revolution in HPC and Big Data:
-
The PinePhone Pre-Order has Arrived
Anyone looking to finally get their hands on an early release of the PinePhone can do so as of November 15.
-
Microsoft Edge Coming to Linux
Microsoft is bringing it’s new Chromium-based Edge browser to Linux.
-
Open Invention Network Backs Gnome Project Against Patent Troll
OIN has deployed its legal team to find prior art.
-
Fedora 31 Released
The latest version of Fedora comes with new packages and libraries.
-
openSUSE OBS Can Now Build Windows WSL Images
openSUSE enables developers to build their own WSL distributions.
-
Sudo Vulnerability
A vulnerability in the sudo package gives sudo users more powers than they deserve.