Why testssl.sh is the Go-To Tool for Checking Your Server's Security

When it comes to securing your website, one of the most important things is ensuring that your SSL/TLS certificates are up-to-date and secure. But how can you ensure that your certificates are secure? Enter testssl.sh, a free and open-source command-line tool that checks a server's service on any port for the support of TLS/SSL ciphers, protocols, and cryptographic flaws.

In this article, we will explore the benefits and drawbacks of using testssl.sh and why it is a valuable tool for website owners.

Pros and Cons of Using testssl.sh:

Pros

1. Clear output: One of the main advantages of using testssl.sh is that it provides clear output, making it easy to determine whether anything is good or bad. This can help you quickly identify any issues with your SSL/TLS configuration.
2. Ease of installation: Another advantage of testssl.sh is that it is easy to install and works for Linux, Mac OSX, FreeBSD, NetBSD, and WSL/MSYS2/Cygwin out of the box. You don't need to install or configure anything, and there is no need for gems, CPAN, pip, or the like. For OpenBSD, you only need to post-install bash.
3. Flexibility: You can use testssl.sh to test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443.
4. Toolbox: testssl.sh provides several command line options that help you to run your test and configure your output.
5. Reliability: testssl.sh's features are thoroughly tested, ensuring that you can rely on its results.
6. Privacy: You are the only one who sees the result. No third party has access to it.
7. Freedom: testssl.sh is 100% open-source. You can look at the code, see what's going on, and even change it. The development is also open (Github).

Cons

1. Command line only: testssl.sh is a command-line tool, which means that you need to be comfortable with using the command line to use it effectively.
2. Steep learning curve: While testssl.sh is easy to install, it does have a steep learning curve, and you need to have some knowledge of SSL/TLS to use it effectively.
3. Limited support: While testssl.sh is an open-source project, it is maintained by volunteers, so support can be limited.

Example usage

Testing a web server's SSL/TLS configuration: Suppose you have a web server running on example.com and you want to check its SSL/TLS configuration. You can use testssl.sh to do this by running the following command:

$ ./testssl.sh example.com

This will test the SSL/TLS configuration of the web server and provide you with a detailed report of its findings.

Testing a non-web service: testssl.sh is not just limited to web servers. You can also use it to test other SSL/TLS enabled services such as mail servers, LDAP servers, etc. For example, to test an LDAP server running on ldap.example.com, you can run the following command:

$ ./testssl.sh ldap.example.com:636

This will test the SSL/TLS configuration of the LDAP server running on port 636.

Running testssl.sh inside a Docker container: If you don't want to install testssl.sh on your system, you can run it inside a Docker container. To do this, you first need to install Docker on your system. Once you have Docker installed, you can run testssl.sh inside a Docker container by running the following command:

$ docker run --rm -t drwetter/testssl.sh example.com

This will run testssl.sh inside a Docker container and test the SSL/TLS configuration of example.com. The --rm flag tells Docker to automatically remove the container when it exits, and the -t flag allocates a pseudo-TTY for the container.

In summary, testssl.sh is an excellent open-source command-line tool for checking a server's support of TLS/SSL ciphers, protocols, and cryptographic flaws, among other things. It's highly portable and compatible with a variety of operating systems, making it easy to install and use. Additionally, its flexibility and toolbox of command-line options make it a versatile tool for testing any SSL/TLS-enabled and STARTTLS service, not just webservers at port 443.

The clear output, reliability, and privacy offered by testssl.sh are some of its key features. It also offers freedom since it's 100% open source and users can look at and modify the code. However, it's worth noting that it requires some prerequisite software, such as bash and OpenSSL, and may not work well on slower systems.

Overall, testssl.sh is an essential tool for anyone concerned about the security of their servers and the privacy of their clients' data. Its reliability and ease of use make it a top choice for security professionals and system administrators alike.