Testssl.sh a wrapper around openssl to validate sites

(Baptiste Grenier) #1

https://testssl.sh/ is a wrapper around OpenSSL that eases its usage for studying/validating server configuration.

# Useful for validating a host with an IGTF certificate
export CA_BUNDLES_PATH=/etc/grid-security/certificates
testssl.sh --quiet -S accounting.egi.eu:443

 Start 2018-12-13 11:37:25        -->> 193.144.35.73:443 (accounting.egi.eu) <<--

 rDNS (193.144.35.73):   --
 Service detected:       HTTP


 Testing server defaults (Server Hello)

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15"
 Session Ticket RFC 5077 hint 300 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: yes
 TLS clock skew               -1 sec from localtime
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Fingerprint / Serial         SHA1 57C4D2C8B650D3E03061B66A45B3C99C01D33B06 / 0AAEBDDF1AB68F9F3AE8FFCD0FF32E55
                              SHA256 986E9B196059AF8B12C811786FE21349093479EC00045FB8637C414170BE048F
 Common Name (CN)             accounting.egi.eu
 subjectAltName (SAN)         accounting.egi.eu accounting-support.egi.eu accounting-next.egi.eu
 Issuer                       TERENA eScience SSL CA 3 (TERENA from NL)
 Trust (hostname)             Ok via SAN and CN (same w/o SNI)
 Chain of trust               NOT ok: AC-GRID-FR-Personnels (chain incomplete) AC-GRID-FR-Robots (chain incomplete) AC-GRID-FR-Services (chain incomplete) AC-GRID-FR (chain incomplete) AEGIS (chain incomplete) ANSPGrid (chain incomplete) ASGCCA-2007 (chain incomplete) AddTrust-External-CA-Root (chain incomplete) ArmeSFo (chain incomplete) AustrianGrid (chain incomplete) BG-ACAD-CA (chain incomplete) BYGCA (chain incomplete) CERN-GridCA (chain incomplete) CERN-Root-2 (chain incomplete) CESNET-CA-3 (chain incomplete) CESNET-CA-Root (chain incomplete) CNIC (chain incomplete) CNRS2-Grid-FR (chain incomplete) CNRS2-Projets (chain incomplete) CNRS2 (chain incomplete) COMODO-RSA-CA (chain incomplete) CyGrid (chain incomplete) DCAROOT-G1 (chain incomplete) DFN-GridGermany-Root (chain incomplete) DZeScience (chain incomplete) DarkMatterAssuredCA (chain incomplete) DarkMatterIGTFCA (chain incomplete) DarkMatterPrivateRootCAG4 (chain incomplete) DarkMatterSecureCA (chain incomplete) DigiCertGridCA-1-Classic (chain incomplete) DigiCertGridCA-1G2-Classic-2015 (chain incomplete) DigiCertGridRootCA-Root (chain incomplete) DigiCertGridTrustCA-Classic (chain incomplete) DigiCertGridTrustCAG2-Classic (chain incomplete) EG-GRID (chain incomplete) GermanGrid (chain incomplete) GridCanada (chain incomplete) HKU-CA-2 (chain incomplete) HKU (chain incomplete) HellasGrid-CA-2016 (chain incomplete) IGCA2 (chain incomplete) IHEP-2013 (chain incomplete) INFN-CA-2015 (chain incomplete) IRAN-GRID-GCG-G2 (chain incomplete) IRAN-GRID (chain incomplete) InCommon-IGTF-Server-CA (chain incomplete) KEK (chain incomplete) KENETCA-ICA-2015 (chain incomplete) KENETROOTCA (chain incomplete) KISTIv3 (chain incomplete) LIPCA (chain incomplete) MARGI (chain incomplete) MD-Grid (chain incomplete) MREN-CA (chain incomplete) MYIFAM (chain incomplete) MaGrid (chain incomplete) NIIF-Root-CA-2 (chain incomplete) NIKHEF (chain incomplete) NorduGrid-2015 (chain incomplete) PK-Grid-2007 (chain incomplete) PKIUNAMgrid (chain incomplete) PolishGrid (chain incomplete) QuoVadis-Grid-ICA-G2 (chain incomplete) QuoVadis-Grid-ICA (chain incomplete) QuoVadis-Root-CA1 (chain incomplete) QuoVadis-Root-CA2 (chain incomplete) QuoVadis-Root-CA2G3 (chain incomplete) QuoVadis-Root-CA3G3 (chain incomplete) RDIG (chain incomplete) REUNA-ca (chain incomplete) RomanianGRID (chain incomplete) SDG-G2 (chain incomplete) SRCE (chain incomplete) SiGNET-CA (chain incomplete) SlovakGrid (chain incomplete) TERENA-eScience-SSL-CA-3 (issuer cert missing) TRGrid (chain incomplete) TSU-GE (chain incomplete) UGRID-G2 (chain incomplete) UKeScienceCA-2B (chain incomplete) UKeScienceRoot-2007 (chain incomplete) UNAMgrid-ca (chain incomplete) UNLPGrid (chain incomplete) cilogon-osg (chain incomplete) seegrid-ca-2013 (chain incomplete)
                              OK: DigiCertAssuredIDRootCA-Root
 EV cert (experimental)       no
 Certificate Expiration       134 >= 60 days (UTC: 2018-03-27 02:00 --> 2019-04-26 14:00)
 # of certificates provided   2
 Certificate Revocation List  http://crl3.digicert.com/TERENAeScienceSSLCA3.crl
                              http://crl4.digicert.com/TERENAeScienceSSLCA3.crl
 OCSP URI                     http://ocsp.digicert.com
 OCSP stapling                --
 OCSP must staple             no
 DNS CAA RR (experimental)    --
 Certificate Transparency     yes (certificate extension)


 Done 2018-12-13 11:37:43 [0020s] -->> 193.144.35.73:443 (accounting.egi.eu) <<--
testssl.sh --quiet -S www.egi.eu:443

 Start 2018-12-13 11:40:30        -->> 147.251.9.178:443 (www.egi.eu) <<--

 further IP addresses:   2001:718:ff01:1::1:3
 rDNS (147.251.9.178):   www.egi.eu.
 Service detected:       HTTP


 Testing server defaults (Server Hello)

 TLS extensions (standard)    "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "status request/#5" "heartbeat/#15"
                              "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint (no lifetime advertised)
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: yes
 TLS clock skew               Random values, no fingerprinting possible
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Fingerprint / Serial         SHA1 D7E7084A2F088BFCD4C08678132D5622898857BC / 07CDEAABF9BE40861A9B2D11B19109B1
                              SHA256 3EC01581B67EFF4DE39AF62A074786EAE527C188D96450949FB4F41F0EC17D7A
 Common Name (CN)             www.egi.eu
 subjectAltName (SAN)         www.egi.eu egi.eu
 Issuer                       TERENA SSL High Assurance CA 3 (TERENA from NL)
 Trust (hostname)             Ok via SAN and CN (same w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       yes
 Certificate Expiration       642 >= 60 days (UTC: 2018-09-11 02:00 --> 2020-09-15 14:00)
 # of certificates provided   2
 Certificate Revocation List  http://crl3.digicert.com/TERENASSLHighAssuranceCA3.crl
                              http://crl4.digicert.com/TERENASSLHighAssuranceCA3.crl
 OCSP URI                     http://ocsp.digicert.com
 OCSP stapling                offered
 OCSP must staple             no
 DNS CAA RR (experimental)    --
 Certificate Transparency     yes (certificate extension)


 Done 2018-12-13 11:40:52 [0025s] -->> 147.251.9.178:443 (www.egi.eu) <<--

It can be installed on Mac OS X using Homebrew:

brew install testssl

GitHub repository: https://github.com/drwetter/testssl.sh

1 Like

(Bruce Becker) #2

This looks awesome. I would like to see it in use in our CI/CD pipeline. If we’re developing Ansible roles or something to deploy services, it would be nice to run this against the test instance and fail the job based on the outcome.

Is there a machine-readable (JSON, XML) output or something?

Maybe we could add this to Ops Hacks :shushing_face: ?

(Baptiste Grenier) #3

Yes, I was willing to add it to our OpsHack repo, but then thought it may also be interesting for a wider audience, and unfortunately didn't do both.

file output options (can also be preset via environment variables)
     --log, --logging              logs stdout to <NODE>-p<port#><YYYYMMDD-HHMM>.log in current working directory (cwd)
     --logfile <logfile>           logs stdout to <dir/NODE>-p<port#><YYYYMMDD-HHMM>.log if <logfile> is a dir or to a specified <logfile>
     --json                        additional output of findings to flat JSON file <NODE>-p<port#><YYYYMMDD-HHMM>.json in cwd
     --jsonfile <jsonfile>         additional output to the specified flat JSON file or directory, similar to --logfile
     --json-pretty                 additional JSON structured output of findings to a file <NODE>-p<port#><YYYYMMDD-HHMM>.json in cwd
     --jsonfile-pretty <jsonfile>  additional JSON structured output to the specified file or directory, similar to --logfile
     --csv                         additional output of findings to CSV file <NODE>-p<port#><YYYYMMDD-HHMM>.csv in cwd or directory
     --csvfile <csvfile>           additional output as CSV to the specified file or directory, similar to --logfile
     --html                        additional output as HTML to file <NODE>-p<port#><YYYYMMDD-HHMM>.html
     --htmlfile <htmlfile>         additional output as HTML to the specifed file or directory, similar to --logfile
     --hints                       additional hints to findings
     --severity <severity>         severities with lower level will be filtered for CSV+JSON, possible values <LOW|MEDIUM|HIGH|CRITICAL>
     --append                      if <logfile>, <csvfile>, <jsonfile> or <htmlfile> exists rather append then overwrite. Omits any header
1 Like
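One way to do the CI gating Bruce asks about, using the flat `--jsonfile` output Baptiste lists: example code added here, not part of testssl.sh or the OpsHacks repo. The JSON keys (`id`, `ip`, `port`, `severity`, `finding`) are assumed from testssl.sh's flat format, and the embedded sample findings are constructed to mirror the two runs quoted above.

```python
"""Fail a CI job on testssl.sh findings at or above a severity (added example)."""
import json
import sys

# testssl.sh severities that should be able to fail a job; INFO/OK/WARN/DEBUG never do.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of the flat JSON written by `testssl.sh --jsonfile` (keys are an
# assumption). It mirrors the two runs above: accounting.egi.eu with the incomplete
# chain and no OCSP stapling, www.egi.eu with a clean chain and stapling offered.
SAMPLE_JSON = json.dumps([
    {"id": "cert_chain_of_trust", "ip": "accounting.egi.eu/193.144.35.73",
     "port": "443", "severity": "CRITICAL",
     "finding": "NOT ok: TERENA-eScience-SSL-CA-3 (issuer cert missing)"},
    {"id": "OCSP_stapling", "ip": "accounting.egi.eu/193.144.35.73",
     "port": "443", "severity": "LOW", "finding": "not offered"},
    {"id": "cert_chain_of_trust", "ip": "www.egi.eu/147.251.9.178",
     "port": "443", "severity": "OK", "finding": "passed."},
    {"id": "OCSP_stapling", "ip": "www.egi.eu/147.251.9.178",
     "port": "443", "severity": "OK", "finding": "offered"},
])


def failing_findings(findings, threshold="MEDIUM"):
    """Return the findings whose severity is at or above `threshold`, worst first."""
    limit = SEVERITY_RANK[threshold]
    bad = [f for f in findings if SEVERITY_RANK.get(f.get("severity", ""), 0) >= limit]
    return sorted(bad, key=lambda f: -SEVERITY_RANK[f["severity"]])


def gate(json_text, threshold="MEDIUM"):
    """Parse testssl.sh flat JSON; return (exit_code, report_lines) for the job."""
    bad = failing_findings(json.loads(json_text), threshold)
    report = [f"{f['severity']:8} {f['ip']}:{f['port']} {f['id']}: {f['finding']}"
              for f in bad]
    return (1 if bad else 0), report


if __name__ == "__main__":
    # Pipeline step: testssl.sh --quiet --jsonfile out.json host:443 && python gate.py out.json HIGH
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    code, report = gate(text, sys.argv[2] if len(sys.argv) > 2 else "MEDIUM")
    print("\n".join(report) or "no findings at or above threshold")
    sys.exit(code)
```

Pass `--severity` to testssl.sh as well if you only want the gating findings written to the file; the script's threshold still applies on top of it.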