What does HackerNews think of testssl.sh?

Testing TLS/SSL encryption anywhere on any port

Language: Shell

As indigodaddy mentioned, the cert is only signed for www and not the apex [1]. The alternate name should be one or the other, www vs apex. To run a test similar to Qualys, one could clone testssl.sh [2] and run it against a local development version of the site. It requires bash and openssl.

Some headers may be missing [3].

Follow the links from Qualys and SecurityHeaders to get more information on how to remediate the findings. It might also not hurt to open a ticket with Cloudflare to see what else is going on here if you have a paid account.

[1] - https://www.ssllabs.com/ssltest/analyze.html?d=www.teamkenne...

[2] - https://github.com/drwetter/testssl.sh

[3] - https://securityheaders.com/?q=https%3A%2F%2Fwww.teamkennedy...

For which domain? joinpeertube.org or one of the video hosting nodes?

Use Qualys [1] to test the domain in question and link it here, or use the testssl.sh [2] code, which only depends on openssl and bash, to test from your machine. If it is one of the many self-hosted nodes, see if you can find a way to reach out to them and kindly suggest they set up certbot or a cron job to renew their certs.

Joinpeertube.org looks good to me [3], so I assume you found a self-hosted node that needs some attention.

If someone here knows of a way to query a list of all the self-hosted domains joined into peertube perhaps we could run testssl.sh against all of them to generate reports. I am not opposed to doing this if someone knows how I can get a list of all the domains using curl.

[1] - https://www.ssllabs.com/ssltest/

[2] - https://github.com/drwetter/testssl.sh

[3] - https://www.ssllabs.com/ssltest/analyze.html?d=joinpeertube....

Qualys does not appear to have an issue [1]. Testssl.sh [2] complains that they offer DES/IDEA and may also be vulnerable to CVE-2013-3587, but otherwise also gives them an A+.

Have you tried multiple browsers and is your OS CA store up to date?

[1] - https://www.ssllabs.com/ssltest/analyze.html?d=www.gov.uk

[2] - https://github.com/drwetter/testssl.sh

It appears they have blocked or rate limited Qualys for scanning them too much, but testssl [1] still works. I am not worried about being blocked since I just closed my account from 2001.

The only serious warning I see is "Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat (6 attempts)". They otherwise get an "A+".

Perhaps they have WAN accelerators or anycast proxies with bad certs that are region-specific?

[1] - https://github.com/drwetter/testssl.sh [depends on bash and openssl]
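A way to sweep the per-host reports that the batch-scan comment above asks for and to pick out findings like the DES/IDEA and renegotiation warnings mentioned in the other comments. This is an added example, not code from the comments or from the testssl.sh project; it assumes each host was scanned with `testssl.sh --jsonfile <host>.json`, whose flat JSON array carries the keys id, ip, port, severity and finding, and the hostnames, IPs and findings below are constructed.

```python
import json

# Severity scale used by testssl.sh findings, lowest to highest.
SEVERITY_RANK = {"DEBUG": 0, "INFO": 1, "OK": 2, "LOW": 3, "WARN": 3,
                 "MEDIUM": 4, "HIGH": 5, "CRITICAL": 6}

# Constructed sample reports, shaped like the flat --jsonfile array
# (one object per finding: id, ip, port, severity, finding).
SAMPLE_REPORTS = {
    "node-a.example": json.dumps([
        {"id": "service", "ip": "node-a.example/203.0.113.10", "port": "443",
         "severity": "INFO", "finding": "HTTP"},
        {"id": "cert_expirationStatus", "ip": "node-a.example/203.0.113.10",
         "port": "443", "severity": "CRITICAL", "finding": "expired"},
        {"id": "cipherlist_3DES_IDEA", "ip": "node-a.example/203.0.113.10",
         "port": "443", "severity": "MEDIUM", "finding": "offered"},
    ]),
    "node-b.example": json.dumps([
        {"id": "service", "ip": "node-b.example/203.0.113.20", "port": "443",
         "severity": "INFO", "finding": "HTTP"},
        {"id": "secure_client_renego", "ip": "node-b.example/203.0.113.20",
         "port": "443", "severity": "OK", "finding": "not vulnerable"},
    ]),
    "node-c.example": "not json at all",  # e.g. a scan that aborted mid-write
}

def parse_report(text):
    """Return the findings list, or None if text is not a testssl.sh JSON array."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if not isinstance(data, list):
        return None
    return [f for f in data
            if isinstance(f, dict) and {"id", "severity", "finding"} <= set(f)]

def worst_severity(findings):
    """Highest severity present; 'INFO' when the report carries no findings."""
    return max((f["severity"] for f in findings),
               key=lambda s: SEVERITY_RANK.get(s, 0), default="INFO")

def triage(reports, threshold="MEDIUM"):
    """host -> {'worst': str, 'flagged': [ids at/above threshold]}; unparsable reports get 'UNKNOWN'."""
    out = {}
    for host, text in reports.items():
        findings = parse_report(text)
        if findings is None:
            out[host] = {"worst": "UNKNOWN", "flagged": []}
            continue
        flagged = [f["id"] for f in findings
                   if SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK[threshold]]
        out[host] = {"worst": worst_severity(findings), "flagged": flagged}
    return out

if __name__ == "__main__":
    for host, summary in sorted(triage(SAMPLE_REPORTS).items()):
        print(f"{host}: worst={summary['worst']} flagged={summary['flagged']}")
```

Hosts whose report failed to parse come back as UNKNOWN rather than silently clean, so a crashed scan is not mistaken for a passing one.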

If it's useful, here [1] is a tool for auditing the SSH config of a server from the internet and suggesting hardening options for both server and client. And here [2] is a tool for configuring TLS on various web servers, load balancers, mail servers and databases. One could also clone testssl.sh [3] to audit their TLS daemons on IPs not open to the internet. It depends on openssl and bash.

If hardening SSH, it may be safest to first harden the SSH client and ensure one can still connect. Then harden the ssh daemon of a local machine using the same version of openssh used on one's servers, to minimize the risk of locking oneself out of one's own machine and having to use a rescue console or ILO. This may be counter-intuitive, but going through the hardening process significantly speeds up SSH handshake time, which may be most useful to those using Ansible.

[1] - https://www.ssh-audit.com/

[2] - https://ssl-config.mozilla.org/

[3] - https://github.com/drwetter/testssl.sh

Qualys [1][2] for testing SSL of publicly accessible sites. TestSSL.sh [3] for testing SSL of any site, including private endpoints you can reach from your machine; it only requires openssl and bash. SecurityHeaders [4] for testing what headers are missing from a website. URLScan [5] for diagnosing a website's behavior. bgp.he.net [6] for looking up information about an IP/AS number/domain. Robtex [7] also for looking up information about an IP/AS/domain, as well as org mapping. WhatIsMyDNS [8] for checking DNS propagation; re-run this 3 times as their probe timeouts are way too low. Old-school VirusTotal [9] for old browsers for scanning malware. WhoisDS [10] for targeting newly registered domains. Mozilla TLS configuration tool [11] for setting up proper TLS/HTTPS configuration on Nginx, Apache, HAproxy, etc. Certificate Search [12] for cert transparency logs, certificate fingerprints and more. Thousand Eyes [13] free dashboard on a commercial site. DownDetector [14] for uptime of popular sites and services. EDNS Validator [15] for verification of your DNS EDNS support. Shodan [16] for looking up detected vulnerabilities of an IP. W3C Validator [17] for testing HTML/CSS.

[1] - https://www.ssllabs.com/ssltest/

[2] - https://dev.ssllabs.com/ssltest/

[3] - https://github.com/drwetter/testssl.sh

[4] - https://securityheaders.com/

[5] - https://urlscan.io/

[6] - https://bgp.he.net/

[7] - https://www.robtex.com/

[8] - https://www.whatsmydns.net/

[9] - https://www.virustotal.com/old-browsers/

[10] - https://www.whoisds.com/

[11] - https://ssl-config.mozilla.org/

[12] - https://crt.sh/

[13] - https://www.thousandeyes.com/outages/ [commercial site but priceless in my opinion]

[14] - https://downdetector.com/

[15] - https://ednscomp.isc.org/ednscomp?zone=ycombinator.com

[16] - https://www.shodan.io/

[17] - https://validator.w3.org/

If you like minimal dependencies, another one to take a peek at may be acme.sh [1]. It depends on bash, openssl and curl. It seems to work fine in ash as well. It has code to handle most APIs and, most importantly to me, has great documentation.

In the same spirit of minimal and lightweight, there is also testssl.sh [2] for testing TLS on HTTPS/SMTPS servers, which also depends on bash and openssl.

[1] - https://github.com/acmesh-official/acme.sh

[2] - https://github.com/drwetter/testssl.sh

Out of curiosity, do you get any errors in Qualys [1] or TestSSL [2]? Use the checkbox to hide your domain from results on the Qualys site. Testssl is just bash+openssl that runs from your machine.

[1] - https://www.ssllabs.com/ssltest/

[2] - https://github.com/drwetter/testssl.sh.git

I am looking forward to this being supported officially in the mentioned daemons. The authors should also work with Qualys [1a][1b] development site and open source developers [2] that test TLS configurations to add additional tests early on.

[1a] - https://www.ssllabs.com/ssltest/

[1b] - https://dev.ssllabs.com/ssltest/

[2] - https://github.com/drwetter/testssl.sh.git

Is DNS resolution enabled on the server? If so, do the clients all have reverse DNS? Are all of your DNS servers working? Have you enabled debug logging for a period of time? Is there a common pattern of the source IPs that have the delay? For what it's worth, you will get a bigger audience of Windows Server engineers on serverfault [1]. You could also point testssl.sh to your server to see if it finds anything odd [2].

[1] - https://serverfault.com/

[2] - https://github.com/drwetter/testssl.sh

I don't believe they are making encryption illegal. Rather, they would likely require any org doing TLS for them to provide lawful intercept, logging, audit and compliance. If a government org is managing their own network stack, then requiring TLS would be a non-issue, as they can provide their audit orgs with all the data they want, as they likely do today. From all the bills I have read, there is nothing that makes encryption illegal. They want the ability to access data from the servers after it has been decrypted. This includes a way to intercept what users perceive to be end-to-end encryption.

The only problem I have run into with various government orgs is the lack of knowledge around implementing intermediate certificates. They will often try to talk people into installing their certs rather than installing intermediate certs correctly. I always point them to testssl.sh [1].

[1] - https://github.com/drwetter/testssl.sh

It does have its own cert store. You can test your sites with testssl.sh [1] to see if they validate correctly. It only depends on openssl and bash. If you have your own self-signed CA/certs, then you would have to import them into FF.

[1] - https://github.com/drwetter/testssl.sh

Here is a similar tool, all contained in one shell script, that only depends on openssl [1]. Albeit a bit more verbose, and it doesn't have that nice one-page output.

[1] - https://github.com/drwetter/testssl.sh

If you control the root DNS servers for .io, you can simply not answer the DNSSEC queries. Many resolvers will fail open.

HSTS requires the site is HTTPS with a valid cert. If you own all .io, you can use LetsEncrypt to get that for free. They now even support Wildcard Certs! :-) That said, you would have to choose your targets carefully and/or load balance your requests to LetsEncrypt. There is a rate limit. There are browser plugins that can tell you if a cert just changed, assuming you have been to that site prior.

Then there is Public Key Pinning. This would be great, but I suspect the number of big companies implementing this is low. I don't have numbers, but you can test your favorite sites in Qualys [1] or using testssl.sh [2], which only depends on openssl and bash.

You could proxy all requests to the real root servers for .io and only become authoritative for the ones you wish to target.

Given the small number of zones, I think a modest server could keep up, or you could balance the load on a bunch of VMs. It may take a while for anyone to notice. I am curious, actually, how many fellow geeks have nagios/sensu alerts that would tell them if the root server IPs changed.

All of this said, there are BGP attacks you can do that accomplish the same thing for any TLD, and the IPs wouldn't even have to change. Only more advanced monitoring tools that keep an eye on the route path might notice, but they probably would not alert anyone.

[1] - https://www.ssllabs.com/ssltest/index.html

[2] - https://github.com/drwetter/testssl.sh

Last I checked, Qualys only scanned port 443. I like testssl.sh - you can point it at arbitrary ports:

https://testssl.sh/

https://github.com/drwetter/testssl.sh

In addition to SSL Labs, I also find this useful for things that are not exposed to the internet (firewalled). [1]

[1] https://github.com/drwetter/testssl.sh

It only depends on OpenSSL and bash. I find it very useful for reviewing our systems before they go live.