testssl.sh

@testssl

Posts in EN about testssl.sh and related stuff. The bridge from the fediverse is also here (https://bsky.app/profile/testssl.infosec.exchange.ap.brid.gy). But might cut postings due to size limitations of bsky.

18.11.2024
Joined

Latest posts by testssl.sh @testssl

There was a parsing issue in the HTTP Age header which looked at first glance security relevant. A closer look revealed it's just a type confusion. But it's still recommended to update. Also this release includes a FAQ. More important details below.
What's Changed

    Add README DeepWiki Link by @HarrisonTCodes
    Modify grading for incomplete chain. by @secinto
    Add sectigo CA E46 and R46 for Linux.pem by @drwetter
    Improve error message for sockets fail and Alpine by @drwetter
    Make code2network() faster by using bash instead of tr by @drwetter
    Fix not working --disable-rating switch by @drwetter
    feat: bump ssllabs rating guide to 2009r by @magnuslarsen
    For Mac: use homebrew's openssl when necessary+needed by @drwetter
    Fix displayed message when IPv6 needs to be tested too by @drwetter
    FAQ for 3.2 by @drwetter in #2881
    Fix garbled screen when HTTP Age is not a non-negative int (branch 3.2) by @drwetter
    Fix indentation @ Intermediate cert validity (3.2) by @drwetter
    Lucky13: improve phrasing for 3.2 by @drwetter
    Bump version (3.2) by @drwetter in #2890

New Contributors

    @HarrisonTCodes made their first contribution in #2801
    @secinto made their first contribution in #2798

Full Changelog: v3.2.1...v3.2.2

New release for the stable branch 3.2

github.com/testssl/test...

18.09.2025 19:08

GitHub - testssl/testssl.sh: Testing TLS/SSL encryption anywhere on any port. Contribute to testssl/testssl.sh development by creating an account on GitHub.

Further development now takes place in the 3.3dev branch which was just created

github.com/testssl/test...

15.06.2025 08:23

On Friday the (bugfixed) version 3.2.1 of testssl.sh was released

Get it from here: github.com/testssl/test...

🚀

15.06.2025 08:20

The last release of testssl.sh in the 3.0.10 branch was just created which includes several bugfixes.

Get it from here: github.com/testssl/test...

15.06.2025 08:17

Badges in the Readme @ github, including the Github runners for Ubuntu and MacOS

Branch 3.2 of testssl.sh now also has a github action running under MacOS which permits dealing with compatibility issues at the very beginning, i.e. when writing a PR

And it has more badges now ;-) -- including the status of the Ubuntu and MacOS CI runner.

20.05.2025 16:11

testssl.sh handshake simulation showing also Android 15 handshake with the hybrid PQ kx X25519MLKEM768

Now also an Android 15 handshake was added and tadaaa ... supporting also the hybrid #PQ #KEM/kx #X25519MLKEM768

(PR pending)

08.05.2025 15:41
/bin/bash based SSL/TLS tester: testssl.sh TLS/SSL security testing with Open Source Software

testssl.sh 3.2.0 is finally out, see github.com/testssl/test... or just testssl.sh.

Changelog see github.com/testssl/test...

23.04.2025 11:59

testssl.sh :verified: @testssl

Some browsers and also #OpenSSL 3.5.0 already support #PQ #KEMs for key exchange to provide secure key establishment resistance.

The (real soon now) to be released testssl.sh 3.2 final will include handshake simulation, see last column:

10.04.2025 19:31
showing a row of the client simulation output

OpenSSL 3.5.0 (git)          TLSv1.3   TLS_AES_128_GCM_SHA256            X25519MLKEM768

testssl.sh (3.2rc4) has now a client simulation for #OpenSSL 3.5.0

09.04.2025 09:17

OpenSSL 3.5.0 was released today with some #pqc algos and server side quic support

08.04.2025 20:53

13.03.2025 19:23

The supplied #openssl binary (Linux 64Bit) for testssl.sh was updated + uploaded here: testssl.sh/openssl-1.0..... Repo with sources: github.com/testssl/open...

Testing before it'll be merged to github would be appreciated.

If you find issues please report them here: github.com/testssl/test...

29.01.2025 16:06

testssl.sh now supports the #STARTTLS protocol #sieve

29.01.2025 15:58

Version 3.2rc4 of testssl.sh is out!

It brings lots of fixes + improvements under the hood. The important new feature is support of some KEMs (key encapsulation mechanism), aka Post Quantum Hybrid Key Agreements - thanks to David.

Get it at github.com/testssl/test... or github.com/testssl/test...

24.01.2025 15:11

crypto/x509: potentially anomalous path building results · Issue #65085 · golang/go

Another example of the externalized cost of fixed release Linux distributions: Debian Bullseye (oldstable, LTS until August 2026) ships a root store that's years out of date.

Besides being a security issue, it slows down the entire TLS ecosystem.

04.01.2025 00:47

While testssl.sh does a lot of checks with bash sockets it still depends on openssl.

The supplied openssl in the git repo had a few issues. The new Linux 64 Bit binary needs your help testing:

testssl.sh/openssl-1.0....

Please file issues in the repo. "Works ok" incl. Linux distro is fine here

04.01.2025 19:34

The testssl.sh repo resides now under https://github.com/testssl/testssl.sh

04.01.2025 13:50

Also cool is, that Wireshark directly allows you to start an application with this environment variable set. So you can launch a browser from within Wireshark and directly decrypt and analyze the TLS traffic. 😃👌

24.12.2024 11:06

TIL how easy it is to ask curl to dump TLS session keys to disk 🛠️

Simply set the environment variable `SSLKEYLOGFILE=/path/to/file` 😅 Note: it also works for Firefox and Chrome

Extremely useful when combined with Wireshark

20.12.2024 11:35

Just looking for now.

There's a bridge to the fediverse though: bsky.app/profile/test...

18.11.2024 16:54