Comprehensive bash-based TLS audit — tests every cipher, every protocol, dozens of vulnerabilities. The "ground truth" of TLS scanning.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Source (recommended for latest checks)
git clone --depth 1 https://github.com/drwetter/testssl.sh
Docker
docker run --rm drwetter/testssl.sh target.com
Linux (apt — older)
sudo apt install testssl.sh
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Default audit
./testssl.sh target.com
Specific protocol/cipher
./testssl.sh -p target.com
All vulnerabilities
./testssl.sh -U target.com
STARTTLS (e.g., SMTP)
./testssl.sh -t smtp mail.target.com:25
Output formats
./testssl.sh --html --json target.com
Quick scan (no vulnerabilities)
./testssl.sh --fast target.com
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- Default scan: 1-3 min per host. Vulnerabilities scan adds another minute.
--fastskips vulnerability tests — useful for monitoring.--paralleltests multiple hosts concurrently.- For batch scans, use
--mode parallel --jsonfile-prettyoutput and parse with jq.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Bash-based — slower than SSLyze for single-host scans.
- Some checks require specific OpenSSL versions — keep
./testssl.sh --versionand OpenSSL fresh. --iprequired when DNS doesn’t resolve as expected (CDN, multi-A records).
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- SSLyze — Python, faster.
- SSL Labs — web service, very thorough.
India context and engagement notes
For VAPT engagements: testssl.sh + SSLyze together gives auditor-defensible TLS findings. For continuous monitoring (e.g., DPDP-mode TLS posture), use SSLyze in CI; testssl.sh for deeper one-off audits.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.