sslscan
Scan SSL/TLS services for supported configurations
TLDR
Test a server on port 443
Test a specified port
Show certificate information
SYNOPSIS
sslscan [options] <host[:port]>
PARAMETERS
<host[:port]>
The target hostname or IP address, optionally followed by a port number (default is 443).
--no-color
Disables colored output for plain text reports.
--no-compression
Disables the test for SSL/TLS compression support, the condition the CRIME attack relies on.
--no-renegotiation
Disables tests for secure and insecure renegotiation capabilities.
--no-heartbleed
Skips the test for the Heartbleed vulnerability.
--no-sslv2, --no-sslv3, --no-tlsv1_0, etc.
Disable specific SSL/TLS protocol version tests.
--show-certificate
Displays detailed information about the server's X.509 certificate.
--targets <file>
Reads a list of target hosts/ports from the specified file, one per line.
--xml
Outputs the scan results in XML format to standard output.
--report <file>
Writes the scan results to the specified file in XML format.
--timeout <seconds>
Sets the connection timeout for network operations in seconds.
--starttls <protocol>
Tests STARTTLS on a specific protocol (e.g., smtp, ftp, imap, pop3, ldap, rdp, xmpp).
--sni-name <name>
Specifies the Server Name Indication (SNI) hostname to use during the TLS handshake.
DESCRIPTION
sslscan is a command-line tool designed to query SSL/TLS services, such as web servers, mail servers, or any other service using SSL/TLS, to determine the protocols and cipher suites they support.
It reports on the following, from which vulnerabilities and misconfigurations can be identified:
Supported SSL/TLS versions (SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3).
Weak and strong cipher suites.
Compression methods (e.g., CRIME attack detection).
Renegotiation capabilities.
Heartbleed vulnerability.
POODLE, FREAK, DROWN, LOGJAM, etc., through cipher and protocol analysis.
Certificate details (issuer, subject, expiry, serial, key size).
OCSP stapling.
HSTS (HTTP Strict Transport Security) headers.
DNS CAA records.
Elliptic curves.
Session tickets.
It's widely used by penetration testers, security professionals, and system administrators to assess the security posture of SSL/TLS implementations. It provides a comprehensive report, highlighting potential weaknesses that need remediation. The tool aims to be as non-intrusive as possible while still providing a thorough audit.
CAVEATS
sslscan performs active network scans, which may be detected by Intrusion Detection/Prevention Systems (IDS/IPS).
The scan provides a snapshot in time; server configurations and vulnerabilities can change rapidly.
Always ensure you have explicit permission to scan target systems to comply with legal and ethical guidelines.
XML OUTPUT FOR AUTOMATION
A key feature of sslscan is its ability to output results in XML format using the --xml or --report options. This facilitates easy integration with other tools, automated parsing, and generation of custom reports, making it highly valuable for continuous security assessment pipelines.
STARTTLS PROTOCOL SUPPORT
Beyond typical HTTPS services, sslscan offers support for testing services that implement STARTTLS via the --starttls option. This allows for the assessment of TLS configurations for protocols like SMTP, FTP, IMAP, POP3, LDAP, RDP, and XMPP, which often upgrade an initial unencrypted connection to TLS.
HISTORY
sslscan was originally developed by Ian Gallagher as a fast and reliable command-line tool for identifying SSL/TLS weaknesses. It has since been maintained and improved by various contributors, becoming a staple in penetration testing distributions like Kali Linux due to its comprehensive and efficient auditing capabilities.