SSLSCAN(1)                  General Commands Manual                 SSLSCAN(1)

NAME
       sslscan - Fast SSL/TLS scanner

SYNOPSIS
       sslscan [options] [host:port | host]

DESCRIPTION
       This manual page briefly documents the sslscan command.

       sslscan queries SSL/TLS services, such as HTTPS, in order to determine
       the ciphers that are supported.

       SSLScan is designed to be easy, lean and fast. The output includes the
       preferred ciphers of the SSL/TLS service, and text and XML output
       formats are supported. It is TLS SNI aware when used with a supported
       version of OpenSSL.

       Output is colour coded to indicate security issues. Colours are as
       follows:

       Red Background
              NULL cipher (no encryption)
       Red    Broken cipher (<= 40 bit), broken protocol (SSLv2 or SSLv3) or
              broken certificate signing algorithm (MD5)
       Yellow Weak cipher (<= 56 bit or RC4) or weak certificate signing
              algorithm (SHA-1)
       Purple Anonymous cipher (ADH or AECDH)

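The colour legend above is in effect a severity policy: each accepted cipher suite and the server certificate are checked against a handful of rules (NULL encryption, 40/56-bit key lengths, RC4, SSLv2/SSLv3, MD5/SHA-1 signatures, anonymous ADH/AECDH key exchange). The following Python is an added example, not part of sslscan, that applies those rules to a scan result so the legend can be enforced automatically, for instance in a CI gate that consumes the --xml output. The XML document it parses is constructed here; its element and attribute names are an assumption chosen to resemble sslscan's XML layout and are not taken from the man page. Ranking the colours in the order the legend lists them, and treating an RSA key shorter than 2048 bits as yellow, are likewise choices made for this example.

```python
"""Classify SSL/TLS scan findings by the colour legend of sslscan(1).

Added example, not sslscan's own code. The sample XML is constructed; its
tag and attribute names are assumed to resemble sslscan --xml output.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one host offering a deliberately mixed bag of suites.
SAMPLE_XML = """<document title="SSLScan Results">
 <ssltest host="constructed.example" port="443">
  <cipher status="accepted"  sslversion="SSLv3"   bits="0"   cipher="NULL-SHA"/>
  <cipher status="accepted"  sslversion="TLSv1.0" bits="40"  cipher="EXP-RC2-CBC-MD5"/>
  <cipher status="accepted"  sslversion="TLSv1.2" bits="128" cipher="RC4-SHA"/>
  <cipher status="accepted"  sslversion="TLSv1.2" bits="256" cipher="ADH-AES256-SHA"/>
  <cipher status="preferred" sslversion="TLSv1.2" bits="256" cipher="ECDHE-RSA-AES256-GCM-SHA384"/>
  <certificate>
   <signature-algorithm>sha1WithRSAEncryption</signature-algorithm>
   <pk type="RSA" bits="1024"/>
  </certificate>
 </ssltest>
</document>
"""

# Severity rank, following the order in which the man page lists the colours.
RANK = {"ok": 0, "purple": 1, "yellow": 2, "red": 3, "red-background": 4}


def cipher_issues(name, bits, sslversion):
    """Return every (colour, reason) the legend assigns to one accepted suite."""
    issues = []
    if bits == 0 or "NULL" in name:
        issues.append(("red-background", "NULL cipher (no encryption)"))
    if sslversion in ("SSLv2", "SSLv3"):
        issues.append(("red", f"broken protocol ({sslversion})"))
    if 0 < bits <= 40:
        issues.append(("red", f"broken cipher ({bits} bit)"))
    if 40 < bits <= 56:
        issues.append(("yellow", f"weak cipher ({bits} bit)"))
    if "RC4" in name:
        issues.append(("yellow", "weak cipher (RC4)"))
    if name.startswith(("ADH-", "AECDH-")):
        issues.append(("purple", "anonymous cipher (no server authentication)"))
    return issues


def certificate_issues(cert):
    """Apply the signing-algorithm rules (and the <2048-bit RSA check) to a cert."""
    issues = []
    sig = (cert.findtext("signature-algorithm") or "").lower()
    if "md5" in sig:
        issues.append(("red", "broken certificate signing algorithm (MD5)"))
    elif "sha1" in sig:
        issues.append(("yellow", "weak certificate signing algorithm (SHA-1)"))
    pk = cert.find("pk")
    if pk is not None and pk.get("type", "").upper() == "RSA":
        if int(pk.get("bits", "0")) < 2048:
            # The man page says short RSA keys are flagged; yellow is assumed here.
            issues.append(("yellow", f"short RSA key ({pk.get('bits')} bit)"))
    return issues


def classify_report(xml_text):
    """Walk every scanned host and return a flat list of (host, colour, detail)."""
    findings = []
    for test in ET.fromstring(xml_text).iter("ssltest"):
        host = f"{test.get('host')}:{test.get('port')}"
        for c in test.iter("cipher"):
            if c.get("status") not in ("accepted", "preferred"):
                continue  # rejected or failed suites carry no risk
            name, ver = c.get("cipher", ""), c.get("sslversion", "")
            for colour, reason in cipher_issues(name, int(c.get("bits", "0")), ver):
                findings.append((host, colour, f"{ver} {name}: {reason}"))
        for cert in test.iter("certificate"):
            for colour, reason in certificate_issues(cert):
                findings.append((host, colour, f"certificate: {reason}"))
    return findings


def worst_colour(findings):
    """The single colour a dashboard or CI gate would act on."""
    return max((f[1] for f in findings), key=RANK.get, default="ok")


if __name__ == "__main__":
    results = classify_report(SAMPLE_XML)
    for host, colour, detail in results:
        print(f"[{colour:14}] {host} {detail}")
    print("worst:", worst_colour(results))
```

A gate would typically fail the build when `worst_colour()` reaches `red` or above and merely warn on `yellow`; because `cipher_issues()` returns every matching rule rather than the first, a suite such as a 40-bit RC4 export cipher over SSLv3 is reported with all three problems instead of just the most severe one.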
OPTIONS
       --help
              Show summary of options

       --version
              Show version of program

       --targets=<file>
              A file containing a list of hosts to check. Hosts can be
              supplied with ports (e.g. host:port). One target per line.

       --sni-name=<name>
              Use a different hostname for SNI

       --ipv4, -4
              Force IPv4 DNS resolution. Default is to try IPv4, and if that
              fails then fall back to IPv6.

       --ipv6, -6
              Force IPv6 DNS resolution. Default is to try IPv4, and if that
              fails then fall back to IPv6.

       --show-certificate
              Display certificate information.

       --no-check-certificate
              Don't flag certificates signed with weak algorithms (MD5 and
              SHA-1) or short (<2048 bit) RSA keys

       --show-client-cas
              Show a list of CAs that the server allows for client
              authentication. Will be blank for IIS/Schannel servers.

       --show-ciphers
              Show a complete list of ciphers supported by sslscan

       --show-cipher-ids
              Print the hexadecimal cipher IDs

       --show-times
              Show the time taken for each handshake in milliseconds. Note
              that only a single request is made with each cipher, and that
              the size of the ClientHello is not constant, so this should not
              be used for proper benchmarking or performance testing.

              You might want to also use --no-cipher-details to make the
              output a bit clearer.

       --ssl2
              Only check SSLv2 ciphers.
              Note that this option may not be available if the system
              OpenSSL does not support SSLv2. Either build OpenSSL statically
              or rebuild your system OpenSSL with SSLv2 support. See the
              readme for further details.

       --ssl3
              Only check SSLv3 ciphers.
              Note that this option may not be available if the system
              OpenSSL does not support SSLv3. Either build OpenSSL statically
              or rebuild your system OpenSSL with SSLv3 support. See the
              readme for further details.

       --tls10
              Only check TLS 1.0 ciphers

       --tls11
              Only check TLS 1.1 ciphers

       --tls12
              Only check TLS 1.2 ciphers

       --tlsall
              Only check TLS ciphers (versions 1.0, 1.1 and 1.2)

       --ocsp
              Display OCSP status

       --pk=<file>
              A file containing the private key or a PKCS#12 file containing
              a private key/certificate pair (as produced by MSIE and
              Netscape)

       --pkpass=<password>
              The password for the private key or PKCS#12 file

       --certs=<file>
              A file containing PEM/ASN1 formatted client certificates

       --no-ciphersuites
              Do not scan for supported ciphersuites.

       --no-renegotiation
              Do not check for secure TLS renegotiation

       --no-fallback
              Do not check for TLS Fallback Signaling Cipher Suite Value
              (fallback)

       --no-compression
              Do not check for TLS compression (CRIME)

       --no-heartbleed
              Do not check for OpenSSL Heartbleed (CVE-2014-0160)

       --starttls-ftp
              STARTTLS setup for FTP

       --starttls-irc
              STARTTLS setup for IRC

       --starttls-imap
              STARTTLS setup for IMAP

       --starttls-ldap
              STARTTLS setup for LDAP

       --starttls-pop3
              STARTTLS setup for POP3

       --starttls-smtp
              STARTTLS setup for SMTP.
              Note that some servers hang when we try to use SSLv3 ciphers
              over STARTTLS. If your scan hangs, try using the --tlsall
              option.

       --starttls-psql
              STARTTLS setup for PostgreSQL

       --starttls-mysql
              STARTTLS setup for MySQL

       --starttls-xmpp
              STARTTLS setup for XMPP

       --xmpp-server
              Perform a server-to-server XMPP connection. Try this if
              --starttls-xmpp is failing.

       --rdp
              Send RDP preamble before starting scan.

       --http
              Makes an HTTP request after a successful connection and returns
              the server response code

       --no-cipher-details
              Hide NIST EC curve name and EDH/RSA key length. Requires
              OpenSSL >= 1.0.2 (so if your distro doesn't ship this, you'll
              need to statically build sslscan).

       --bugs
              Enables workarounds for SSL bugs

       --timeout=<sec>
              Set socket timeout. Useful for hosts that fail to respond to
              ciphers they don't understand. Default is 3s.

       --sleep=<msec>
              Pause between connections. Useful on STARTTLS SMTP services, or
              anything else that's performing rate limiting. Default is
              disabled.

       --xml=<file>
              Output results to an XML file. - can be used to mean stdout.

       --no-colour
              Disable coloured output.

EXAMPLES
       Scan a local HTTPS server
              sslscan localhost
              sslscan 127.0.0.1
              sslscan 127.0.0.1:443
              sslscan [::1]
              sslscan [::1]:443

AUTHOR
       sslscan was originally written by Ian Ventura-Whiting
       <fizz@titania.co.uk>.
       sslscan was extended by Jacob Appelbaum <jacob@appelbaum.net>.
       sslscan was extended by rbsec <robin@rbsec.net>.
       This manual page was originally written by Marvin Stark
       <marv@der-marv.de>.

                               December 30, 2013                    SSLSCAN(1)