testssl.sh :verified:
LightNews LightNews
testssl.infosec.exchange.ap.brid.gy
testssl.sh :verified:
@testssl.infosec.exchange.ap.brid.gy
3 followers 0 following 44 posts
Fled from the birdsite to a separate account.

Toots mostly in EN about testssl.sh and related stuff.

[bridged from https://infosec.exchange/@testssl on the fediverse by https://fed.brid.gy/ ]
Posts Replies Media Videos
testssl.infosec.exchange.ap.brid.gy
testssl.sh 3.3dev now has (finally) early data support a.k.a 0-RTT .
October 9, 2025 at 6:38 PM
testssl.infosec.exchange.ap.brid.gy
@bagder

Just the command line for testing the next incarnation of my server (IPs aren't final, thus masked here)

Much appreciated, thanks!
October 1, 2025 at 1:47 PM
testssl.infosec.exchange.ap.brid.gy
Willing to help? See https://github.com/testssl/testssl.sh/issues/2908

I am curious whether Apple finally made a step toward #pqc to catch up with all other major browser vendors with the release of version 26 of their operating systems. They lag behind since months:

#tls
Handshake simulation of testssl.sh which shows that all major browsers have sent a so called hybrid KEM (X25519MLKEM768) during the TLS ClientHello
October 1, 2025 at 1:34 PM
testssl.infosec.exchange.ap.brid.gy
New release for the stable version.
Some changes in branch 3.2. There was parsing issue in HTTP Age header which looked on the first glance security relevant. Closer look revealed it's just a type confusion. But it's still recommended to update. Also this release includes a FAQ. More important details below. What's Changed Add README DeepWiki Link by @HarrisonTCodes Modify grading for incomplete chain. by @secinto Add sectigo CA E46 and R46 for Linux.pem by @drwetter Improve error message for sockets fail and Alpine by @drwetter Make code2network() faster by using bash instead of tr by @drwetter Fix not working --disable-rating switch by @drwetter feat: bump ssllabs rating guide to 2009r by @magnuslarsen For Mac: use homebrew's openssl when necessary+needed by @drwetter Fix displayed message when IPv6 needs to be tested too by @drwetter FAQ for 3.2 by @drwetter in #2881 Fix garbled screen when HTTP Age is not a non-negative int (branch 3.2) by @drwetter Fix indentation @ Intermediate cert validity (3.2) by @drwetter Lucky13: improve phrasing for 3.2 by @drwetter Bump version (3.2) by @drwetter in #2890 New Contributors @HarrisonTCodes made their first contribution in #2801 @secinto made their first contribution in #2798 Full Changelog: v3.2.1...v3.2.2
September 18, 2025 at 7:04 PM
testssl.infosec.exchange.ap.brid.gy
testssl.sh 3.3dev got a bit snappier, most notably for Macs:

#tls #ssl #pentesting
Pic shows a protocol scan of testssl.net taking 8 seconds Pic shows a protocol scan of testssl.net taking 13 seconds
July 31, 2025 at 7:20 AM
testssl.infosec.exchange.ap.brid.gy
#ipv6 PR incoming to automagically check also IPv6:

https://github.com/testssl/testssl.sh/pull/2852
July 19, 2025 at 2:37 PM
testssl.infosec.exchange.ap.brid.gy
PR for #opossum vulnerability pending in testssl.sh 3.3dev:

https://github.com/testssl/testssl.sh/pull/2838

@hanno
Picture show vulnerability scans for opossum , one just a single scan with --opossum, one with -U
July 11, 2025 at 11:34 AM
testssl.infosec.exchange.ap.brid.gy
First draft for #quic test is there as a PR for 3.3dev
Pic shows a scan where a QUIC row appears below TLS 1.3 This shows a pic in which QUIC seems not supported by OpenSSL
July 3, 2025 at 1:10 PM
testssl.infosec.exchange.ap.brid.gy
The last release of testssl.sh in the 3.0.10 branch was made which includes several bugfixes.

Get it from here: https://github.com/testssl/testssl.sh/releases/tag/v3.0.10
June 15, 2025 at 8:16 AM
testssl.infosec.exchange.ap.brid.gy
I have some questions...
May 26, 2025 at 8:41 PM
testssl.infosec.exchange.ap.brid.gy
Branch 3.2 has now also a github action running under MacOS which permits dealing with compatibility issue in the very beginning, i.e. when write a PR

And it has more badges now ;-) -- including the status of the Ubuntu and MacOS CI runner.
Badges in the Readme @ github, including the Github runners for Ubuntu and MacOS
May 20, 2025 at 4:10 PM
testssl.infosec.exchange.ap.brid.gy
Can someone assist writing a unit test for #github using a MacOS runner?

https://github.com/testssl/testssl.sh/issues/2308#issuecomment-2862482574

RTs welcome
Looks like the MacOS 14 runner is free: https://github.com/orgs/community/discussions/102846 for public repos. Can somebody test a github runner for this repo? Currently our Ubuntu runner with perl is here: https://github.com/testssl/testssl.sh/blob/3.2/.github/workflows/unit_tests.yml . Just one check with testssl.sh would suffice. It doesn't have to be perl. Anything which works is fine.
May 8, 2025 at 11:30 AM
testssl.infosec.exchange.ap.brid.gy
Here is a scan from testssl.net (which is at cloudflare and proxies testssl.sh) -- watch out for the #mlkem(s)

#pqc
April 25, 2025 at 7:23 PM
testssl.infosec.exchange.ap.brid.gy
Some browsers and also #openssl 3.5.0 support already #pq #kems for key exchange to to provide secure key establishment resistance.

The (real soon now) to be released testssl.sh 3.2 final will include handshake simulation, see last column:
April 10, 2025 at 8:14 AM
testssl.infosec.exchange.ap.brid.gy
testssl.sh (3.2rc4) has now a client simulation for #openssl 3.5.0:
showing a row of the client simulation output OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_128_GCM_SHA256 X25519MLKEM768
April 9, 2025 at 8:58 AM
testssl.infosec.exchange.ap.brid.gy
#openssl 3.5.0 LTS release with some #pqc algorithms, server side #quic support and more
April 8, 2025 at 9:14 PM
testssl.infosec.exchange.ap.brid.gy
One of Google's intermediate CAs expired on March 9, fortunately this seems for chromecast devices only:

https://www.reddit.com/r/Chromecast/comments/1j7lhrs/the_chromecast_2s_device_authentication/
March 12, 2025 at 8:49 AM
testssl.infosec.exchange.ap.brid.gy
#redhat does their own CA thing for subscribed RHEL-machines (but see also CAA RR
February 4, 2025 at 2:29 PM
testssl.infosec.exchange.ap.brid.gy
Testssl.sh just got a small new feature: when a server in the STARTTLS handshake signaling, you're too fast, it ĺl quit correctly .

You basically can correct that using "STARTTLS_SLEEP=1 ./testssl.sh <target>"
Displays a testssl.sh run against a mail server complaining with STARTTLS error msg
January 31, 2025 at 11:32 AM
testssl.infosec.exchange.ap.brid.gy
Version 3.2rc4 of testssl.sh is out!

It brings lots of fixes and improvements under the hood. The important new feature is the support of some KEMs (key encapsulation mechanism) , aka Post Quantum Hybrid Key Agreements -- thanks to David.

Get it at […]

[Original post on infosec.exchange]
January 24, 2025 at 3:27 PM