testssl.sh

testssl.sh is a command-line script that checks the TLS and SSL configuration of any server on any port. You point it at a hostname and port number, and it reports which protocol versions are supported, which cipher suites are available, and whether any known cryptographic weaknesses are present. The output is color-coded so you can see at a glance what is acceptable and what should be addressed.

The script requires only Bash and standard Unix tools like sed and awk. There is nothing to install or compile, and no package manager dependencies. It works on Linux, macOS, FreeBSD, and Windows via WSL2 or Cygwin. A Docker image is also available. Any version of OpenSSL or LibreSSL will work; the script no longer depends on specific OpenSSL capabilities for most of its checks.

A notable characteristic is that it is not limited to web servers on port 443. It can check any service that uses TLS, including mail servers running SMTP, IMAP, or POP3, database ports, and custom TCP services. This makes it useful for auditing infrastructure beyond typical HTTPS endpoints.

Output can be saved in several formats: plain terminal text, CSV, two different JSON variants, and HTML. The machine-readable formats make it practical to feed testssl.sh output into automated scanning pipelines or continuous integration checks.

The project runs under the GPLv2 license. The README notes that if you offer a public or paid scanning service built on testssl.sh, you are strongly encouraged to attribute the tool to maintain awareness and support for the project. Development currently happens in a branch called 3.3dev, which is the path toward a future stable release. The current stable version is 3.2.