whatisgithub

What is testssl.sh?

testssl/testssl.sh — explained in plain English

Analysis updated 2026-06-24

9,033ShellAudience · ops devopsComplexity · 1/5LicenseSetup · easy

In one sentence

testssl.sh is a Bash script that checks any server's TLS and SSL configuration, supported protocol versions, cipher suites, and known security weaknesses, with no installation or dependencies beyond standard Unix tools.

Mindmap

mindmap
  root((testssl.sh))
    What it does
      Checks TLS config
      Finds weak ciphers
      Color-coded output
    Scope
      Any port any service
      Web mail custom TCP
    Output Formats
      JSON CSV HTML
      Plain terminal text
    Use Cases
      Web server audit
      Mail server check
      CI pipeline scanning
    Requirements
      Bash only
      No install needed
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Audit your web server's HTTPS configuration from the command line to find outdated protocol versions or weak cipher suites

USE CASE 2

Check TLS on a mail server's SMTP or IMAP port, not just port 443, to catch security gaps in non-web services

USE CASE 3

Export results as JSON or CSV and feed them into an automated CI pipeline to catch TLS regressions before deployment

USE CASE 4

Run a one-off TLS health check on any hostname and port with no installation step, package manager, or root access needed

What is it built with?

ShellBashOpenSSL

How does it compare?

testssl/testssl.shguarinogabriel/mac-clikylemanna/docker-openvpn
Stars9,0339,0769,078
LanguageShellShellShell
Setup difficultyeasyeasymoderate
Complexity1/51/53/5
Audienceops devopsdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min
Free to use and share, but any modified version you distribute must also be released under the same GPLv2 license.

So what is it?

testssl.sh is a command-line script that checks the TLS and SSL configuration of any server on any port. You point it at a hostname and port number, and it reports which protocol versions are supported, which cipher suites are available, and whether any known cryptographic weaknesses are present. The output is color-coded so you can see at a glance what is acceptable and what should be addressed. The script requires only Bash and standard Unix tools like sed and awk. There is nothing to install or compile, and no package manager dependencies. It works on Linux, macOS, FreeBSD, and Windows via WSL2 or Cygwin. A Docker image is also available. Any version of OpenSSL or LibreSSL will work, the script no longer depends on specific OpenSSL capabilities for most of its checks. A notable characteristic is that it is not limited to web servers on port 443. It can check any service that uses TLS, including mail servers running SMTP, IMAP, or POP3, database ports, and custom TCP services. This makes it useful for auditing infrastructure beyond typical HTTPS endpoints. Output can be saved in several formats: plain terminal text, CSV, two different JSON variants, and HTML. The machine-readable formats make it practical to feed testssl.sh output into automated scanning pipelines or continuous integration checks. The project runs under the GPLv2 license. The README notes that if you offer a public or paid scanning service built on testssl.sh, you are strongly encouraged to attribute the tool to maintain awareness and support for the project. Development currently happens in a branch called 3.3dev, which is the path toward a future stable release. The current stable version is 3.2.

Copy-paste prompts

Prompt 1
Run testssl.sh against my server at example.com port 443 and explain what each color-coded finding in the output means for my site's security.
Prompt 2
Show me how to use testssl.sh to check my mail server's SMTP TLS on port 587 and interpret the cipher suite results it reports.
Prompt 3
Help me write a CI job that runs testssl.sh against my server and fails the build if any critical TLS vulnerabilities are detected, outputting results as JSON.
Prompt 4
I need to scan 20 servers with testssl.sh and save a separate report for each one, show me a shell script that loops over hostnames and saves per-host HTML reports.

Frequently asked questions

What is testssl.sh?

testssl.sh is a Bash script that checks any server's TLS and SSL configuration, supported protocol versions, cipher suites, and known security weaknesses, with no installation or dependencies beyond standard Unix tools.

What language is testssl.sh written in?

Mainly Shell. The stack also includes Shell, Bash, OpenSSL.

What license does testssl.sh use?

Free to use and share, but any modified version you distribute must also be released under the same GPLv2 license.

How hard is testssl.sh to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is testssl.sh for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.