testssl.sh — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Comprehensive bash-based TLS audit — tests every cipher, every protocol, dozens of vulnerabilities. The "ground truth" of TLS scanning.

Use case: Network SecurityDifficulty: BeginnerHomepage: https://github.com/drwetter/testssl.sh

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Source (recommended for latest checks)

git clone --depth 1 https://github.com/drwetter/testssl.sh

Docker

docker run --rm drwetter/testssl.sh target.com

Linux (apt — older)

sudo apt install testssl.sh

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Default audit

./testssl.sh target.com

Specific protocol/cipher

./testssl.sh -p target.com

All vulnerabilities

./testssl.sh -U target.com

STARTTLS (e.g., SMTP)

./testssl.sh -t smtp mail.target.com:25

Output formats

./testssl.sh --html --json target.com

Quick scan (no vulnerabilities)

./testssl.sh --fast target.com

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Default scan: 1-3 min per host. Vulnerabilities scan adds another minute.
  • --fast skips vulnerability tests — useful for monitoring.
  • --parallel tests multiple hosts concurrently.
  • For batch scans, use --mode parallel --jsonfile-pretty output and parse with jq.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Bash-based — slower than SSLyze for single-host scans.
  • Some checks require specific OpenSSL versions — keep ./testssl.sh --version and OpenSSL fresh.
  • --ip required when DNS doesn’t resolve as expected (CDN, multi-A records).

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • SSLyze — Python, faster.
  • SSL Labs — web service, very thorough.

India context and engagement notes

For VAPT engagements: testssl.sh + SSLyze together gives auditor-defensible TLS findings. For continuous monitoring (e.g., DPDP-mode TLS posture), use SSLyze in CI; testssl.sh for deeper one-off audits.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants