TLS/SSL Check and Rating for internal servers: testssl.sh
Daniel Nashed – 16 February 2026 10:36:37
Most admins use an external site to get ratings for their HTTPS servers.But what if you are in a corporate network with no external internet access?
The testssl.sh script available on GitHub https://github.com/testssl/testssl.sh or in some Linux distribution provides even more details and checks.
You can just clone and run it or launch it in a container.
To get the latest version including an up to date OpenSSL version you can run it in a container.
Kali Linux provides very new OpenSSL and other important libs.
You can just run a container and install the latest version of testssl.sh like this:
docker run --rm -it kalilinux/kali-rolling bash
apt update
apt install openssl testssl.sh
Then run for example (in our case a Domino server behind NGINX):
testssl linus.lab.dnug.eu
The result provides a lot of details I am skipping here.
But the first detail to note is the OpenSSL version found in the container which is used by the bash script.
Meanwhile the bash script is far more than a simple script and very useful!
The tool provides a lot of details, which I skip for this blog post.
Information about OpenSSL
Using OpenSSL 3.5.4 (Jan 16 2026) [~103 ciphers]
TLS Version
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 http/1.1 (offered)
The "Rating (experimental)" section is probably the summary part you want to look into first
Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Protocol Support (weighted) 100 (30)
Key Exchange (weighted) 100 (30)
Cipher Strength (weighted) 90 (36)
Final Score 96
Overall Grade A+
- Comments [0]