Tuesday, February 1, 2022

Testing SSL configuration using testssl.sh

SSL is an important part of web application security nowadays. Many tools are available to test our SSL configuration, but almost all of them are web-based. One great tool I found that can be run from a terminal is testssl.sh.


Some of the benefits of using testssl.sh:
  1. easy installation, even available as a Docker image
  2. easy usage
  3. fast
  4. clear and detailed output
  5. free
  6. open source
  7. privacy - your test, your result, only you can see it

To use this tool, simply download it:
$ wget https://testssl.sh/testssl.sh-3.0.7.tar.gz

And deploy it anywhere on your Linux machine:

$ tar xvf testssl.sh-3.0.7.tar.gz

Make it easier to access:

$ ln -s testssl.sh-3.0.7 testssl

And we are good to go. To use it, just run the command and pass it the URL we want to test:

$ cd testssl 

$ ./testssl.sh https://mysslwebsite.com

Once we have the result, just fix the "NOT ok" findings and rerun the above command. Rinse and repeat until you are fully satisfied with your SSL configuration.
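To keep track of the fix-and-rerun loop, the script below is an added example (not part of testssl.sh or of the original post) that compares the "NOT ok" lines of two saved runs. It assumes each run was saved with testssl.sh's --logfile option; the function names and the sample log lines are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example. Assumes each run was saved to a log, e.g.
#   ./testssl.sh --logfile before.log https://mysslwebsite.com

# Print the "NOT ok" lines of one testssl.sh log, normalized and sorted.
not_ok_findings() {
    local esc
    esc=$(printf '\033')
    # Strip ANSI colour codes if the log has any, squeeze whitespace,
    # then keep only the lines flagged "NOT ok".
    sed -e "s/${esc}\[[0-9;]*m//g" -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" |
        { grep -F 'NOT ok' || true; } | LC_ALL=C sort -u
}

# Compare two runs and label each finding FIXED, REMAINING or NEW.
# Returns 0 only when the second run has no "NOT ok" line left.
compare_runs() {
    local before after rc=0
    before=$(mktemp)
    after=$(mktemp)
    not_ok_findings "$1" > "$before"
    not_ok_findings "$2" > "$after"
    LC_ALL=C comm -23 "$before" "$after" | sed 's/^/FIXED:     /'
    LC_ALL=C comm -12 "$before" "$after" | sed 's/^/REMAINING: /'
    LC_ALL=C comm -13 "$before" "$after" | sed 's/^/NEW:       /'
    [ -s "$after" ] && rc=1
    rm -f "$before" "$after"
    return "$rc"
}

# Constructed sample logs (not real scan output) for trying this offline.
write_sample_logs() {
    {
        printf ' SSLv3      \033[1;31moffered (NOT ok)\033[m\n'
        printf ' TLS 1.2    offered (OK)\n'
        printf ' Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), DoS threat\n'
    } > "$1/before.log"
    {
        printf ' SSLv3      not offered (OK)\n'
        printf ' TLS 1.2    offered (OK)\n'
        printf ' Secure Client-Initiated Renegotiation   VULNERABLE (NOT ok), DoS threat\n'
    } > "$1/after.log"
}
```

Because compare_runs returns non-zero while any "NOT ok" line remains, it can also serve as a pass/fail check in a deployment script.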

To get visually nicer results with grading, just run the Qualys SSL Server Test once you have fully tuned your SSL configuration with testssl.sh.