1SSLSCAN(1) General Commands Manual SSLSCAN(1)
2
6 sslscan - Fast SSL/TLS scanner
7
9 sslscan [options] [host:port | host]
10
12 sslscan queries SSL/TLS services (such as HTTPS) and reports the proto‐
13 col versions, cipher suites, key exchanges, signature algorithms, and
14 certificates in use. This helps the user understand which parameters
15 are weak from a security standpoint.
16 Terminal output is thus colour-coded as follows:
18 Red Background NULL cipher (no encryption)
20 Red Broken cipher (<= 40 bit), broken protocol (SSLv2 or
21 SSLv3) or broken certificate signing algorithm (MD5)
22 Yellow Weak cipher (<= 56 bit or RC4) or weak certificate
23 signing algorithm (SHA-1)
24 Purple Anonymous cipher (ADH or AECDH)
25 sslscan can also output results into an XML file for easy consumption
27 by external programs.
28
31 --help
32 Show summary of options
33 --targets=<file>
35 A file containing a list of hosts to check. Hosts can be sup‐
36 plied with ports (i.e. host:port). One target per line
37 --sni-name=<name>
39 Use a different hostname for SNI
40 --ipv4, -4
42 Force IPv4 DNS resolution. Default is to try IPv4, and if that
43 fails then fall back to IPv6.
44 --ipv6, -6
46 Force IPv6 DNS resolution. Default is to try IPv4, and if that
47 fails then fall back to IPv6.
48 --show-certificate
50 Display certificate information.
51 --no-check-certificate
53 Don't flag certificates signed with weak algorithms (MD5 and
54 SHA-1) or short (<2048 bit) RSA keys
55 --show-client-cas
57 Show a list of CAs that the server allows for client authentica‐
58 tion. Will be blank for IIS/Schannel servers.
59 --show-ciphers
61 Show a complete list of ciphers supported by sslscan
62 --show-cipher-ids
64 Print the hexadecimal cipher IDs
65 --show-times
67 Show the time taken for each handshake in milliseconds. Note
68 that only a single request is made with each cipher, and that
69 the size of the ClientHello is not constant, so this should not
70 be used for proper benchmarking or performance testing.
71 You might want to also use --no-cipher-details to make the out‐
73 put a bit clearer.
74 --ssl2
76 Only check if SSLv2 is enabled
77 --ssl3
79 Only check if SSLv3 is enabled
80 --tls10
82 Only check TLS 1.0 ciphers
83 --tls11
85 Only check TLS 1.1 ciphers
86 --tls12
88 Only check TLS 1.2 ciphers
89 --tls13
91 Only check TLS 1.3 ciphers
92 --tlsall
94 Only check TLS ciphers (versions 1.0, 1.1, 1.2, and 1.3)
95 --ocsp
97 Display OCSP status
98 --pk=<file>
100 A file containing the private key or a PKCS#12 file containing a
101 private key/certificate pair (as produced by MSIE and Netscape)
102 --pkpass=<password>
104 The password for the private key or PKCS#12 file
105 --certs=<file>
107 A file containing PEM/ASN1 formatted client certificates
108 --no-ciphersuites
110 Do not scan for supported ciphersuites.
111 --no-fallback
113 Do not check for TLS Fallback Signaling Cipher Suite Value
114 (fallback)
115 --no-renegotiation
117 Do not check for secure TLS renegotiation
118 --no-compression
120 Do not check for TLS compression (CRIME)
121 --no-heartbleed
123 Do not check for OpenSSL Heartbleed (CVE-2014-0160)
124 --no-groups
126 Do not enumerate key exchange groups
127 --no-sigs
129 Do not enumerate signature algorithms
130 --starttls-ftp
132 STARTTLS setup for FTP
133 --starttls-imap
135 STARTTLS setup for IMAP
136 --starttls-irc
138 STARTTLS setup for IRC
139 --starttls-ldap
141 STARTTLS setup for LDAP
142 --starttls-pop3
144 STARTTLS setup for POP3
145 --starttls-smtp
147 STARTTLS setup for SMTP
148 --starttls-mysql
150 STARTTLS setup for MySQL
151 --starttls-xmpp
153 STARTTLS setup for XMPP
154 --starttls-psql
156 STARTTLS setup for PostgreSQL
157 --xmpp-server
159 Perform a server-to-server XMPP connection. Try this if --start‐
160 tls-xmpp is failing.
161 --rdp
163 Send RDP preamble before starting scan.
164 --bugs
166 Enables workarounds for SSL bugs
167 --timeout=<sec>
169 Set socket timeout. Useful for hosts that fail to respond to
170 ciphers they don't understand. Default is 3s.
171 --sleep=<msec>
173 Pause between connections. Useful on STARTTLS SMTP services, or
174 anything else that's performing rate limiting. Default is dis‐
175 abled.
176 --xml=<file>
178 Output results to an XML file. - can be used to mean stdout.
179 --version
181 Show version of program
182 --verbose
184 Display verbose output
185 --no-cipher-details
187 Hide NIST EC curve name and EDH/RSA key length.
188 --no-colour
190 Disable coloured output.
191
193 Scan a local HTTPS server
194 sslscan localhost
195 sslscan 127.0.0.1
196 sslscan 127.0.0.1:443
197 sslscan [::1]
198 sslscan [::1]:443
199
201 sslscan was originally written by Ian Ventura-Whiting <fizz@tita‐
202 nia.co.uk>.
203 sslscan was extended by Jacob Appelbaum <jacob@appelbaum.net>.
204 sslscan was extended by rbsec <robin@rbsec.net>.
205 This manual page was originally written by Marvin Stark <marv@der-
206 marv.de>.
207 March 19, 2020 SSLSCAN(1)