1SSLSCAN(1)                  General Commands Manual                 SSLSCAN(1)
2
3
4

NAME

6       sslscan - Fast SSL/TLS scanner
7

SYNOPSIS

9       sslscan [options] [host:port | host]
10

DESCRIPTION

12       This manual page documents briefly the sslscan command
13
14       sslscan  queries SSL/TLS services, such as HTTPS, in order to determine
15       the ciphers that are supported.
16
17       SSLScan is designed to be easy, lean and fast. The output includes pre‐
18       ferred  ciphers of the SSL/TLS service, and text and XML output formats
19       are supported. It is TLS SNI aware when used with a  supported  version
20       of OpenSSL.
21
22       Output is colour coded to indicate security issues. Colours are as fol‐
23       lows:
24
25       Red Background  NULL cipher (no encryption)
26       Red             Broken cipher (<= 40 bit), broken  protocol  (SSLv2  or
27       SSLv3) or broken certificate signing algorithm (MD5)
28       Yellow           Weak  cipher  (<=  56  bit or RC4) or weak certificate
29       signing algorithm (SHA-1)
30       Purple          Anonymous cipher (ADH or AECDH)
31

OPTIONS

33       --help
34              Show summary of options
35
36       --version
37              Show version of program
38
39       --targets=<file>
40              A file containing a list of hosts to check. Hosts  can  be  sup‐
41              plied with ports (i.e. host:port). One target per line
42
43       --sni-name=<name>
44              Use a different hostname for SNI
45
46       --ipv4, -4
47              Force  IPv4 DNS resolution.  Default is to try IPv4, and if that
48              fails then fall back to IPv6.
49
50       --ipv6, -6
51              Force IPv6 DNS resolution.  Default is to try IPv4, and if  that
52              fails then fall back to IPv6.
53
54       --show-certificate
55              Display certificate information.
56
57       --no-check-certificate
58              Don't  flag  certificates  signed  with weak algorithms (MD5 and
59              SHA-1) or short (<2048 bit) RSA keys
60
61       --show-client-cas
62              Show a list of CAs that the server allows for client authentica‐
63              tion. Will be blank for IIS/Schannel servers.
64
65       --show-ciphers
66              Show a complete list of ciphers supported by sslscan
67
68       --show-cipher-ids
69              Print the hexadecimal cipher IDs
70
71       --show-times
72              Show  the  time  taken  for each handshake in milliseconds. Note
73              that only a single request is made with each  cipher,  and  that
74              the  size of the ClientHello is not constant, so this should not
75              be used for proper benchmarking or performance testing.
76
77              You might want to also use --no-cipher-details to make the  out‐
78              put a bit clearer.
79
80       --ssl2
81              Only check SSLv2 ciphers
82              Note  that  this  option  may not be available if system OpenSSL
83              does not support  SSLv2.  Either  build  OpenSSL  statically  or
84              rebuild  your  system OpenSSL with SSLv2 support. See the readme
85              for further details.
86
87       --ssl3
88              Only check SSLv3 ciphers
89              Note that this option may not be  available  if  system  OpenSSL
90              does  not  support  SSLv3.  Either  build  OpenSSL statically or
91              rebuild your system OpenSSL with SSLv3 support. See  the  readme
92              for further details.
93
94       --tls10
95              Only check TLS 1.0 ciphers
96
97       --tls11
98              Only check TLS 1.1 ciphers
99
100       --tls12
101              Only check TLS 1.2 ciphers
102
103       --tlsall
104              Only check TLS ciphers (versions 1.0, 1.1 and 1.2)
105
106       --ocsp
107              Display OCSP status
108
109       --pk=<file>
110              A file containing the private key or a PKCS#12 file containing a
111              private key/certificate pair (as produced by MSIE and Netscape)
112
113       --pkpass=<password>
114              The password for the private key or PKCS#12 file
115
116       --certs=<file>
117              A file containing PEM/ASN1 formatted client certificates
118
119       --no-ciphersuites
120              Do not scan for supported ciphersuites.
121
122       --no-renegotiation
123              Do not check for secure TLS renegotiation
124
125       --no-fallback
126              Do not check for  TLS  Fallback  Signaling  Cipher  Suite  Value
127              (fallback)
128
129       --no-compression
130              Do not check for TLS compression (CRIME)
131
132       --no-heartbleed
133              Do not check for OpenSSL Heartbleed (CVE-2014-0160)
134
135       --starttls-ftp
136              STARTTLS setup for FTP
137
138       --starttls-irc
139              STARTTLS setup for IRC
140
141       --starttls-imap
142              STARTTLS setup for IMAP
143
144       --starttls-ldap
145              STARTTLS setup for LDAP
146
147       --starttls-pop3
148              STARTTLS setup for POP3
149
150       --starttls-smtp
151              STARTTLS setup for SMTP
152              Note  that  some  servers  hang when we try to use SSLv3 ciphers
153              over STARTTLS. If you scan hangs, try using the --tlsall option.
154
155       --starttls-psql
156              STARTTLS setup for PostgreSQL
157
158       --starttls-mysql
159              STARTTLS setup for MySQL
160
161       --starttls-xmpp
162              STARTTLS setup for XMPP
163
164       --xmpp-server
165              Perform a server-to-server XMPP connection. Try this if --start‐
166              tls-xmpp is failing.
167
168       --rdp
169              Send RDP preamble before starting scan.
170
171       --http
172              Makes  a  HTTP request after a successful connection and returns
173              the server response code
174
175       --no-cipher-details
176              Hide NIST EC curve name and EDH/RSA key length. Requires OpenSSL
177              >=  1.0.2  (so  if  you distro doesn't ship this, you'll need to
178              statically build sslscan).
179
180       --bugs
181              Enables workarounds for SSL bugs
182
183       --timeout=<sec>
184              Set socket timeout. Useful for hosts that  fail  to  respond  to
185              ciphers they don't understand. Default is 3s.
186
187       --sleep=<msec>
188              Pause  between connections. Useful on STARTTLS SMTP services, or
189              anything else that's performing rate limiting. Default  is  dis‐
190              abled.
191
192       --xml=<file>
193              Output results to an XML file. - can be used to mean stdout.
194
195       --no-colour
196              Disable coloured output.
197

EXAMPLES

199       Scan a local HTTPS server
200              sslscan localhost
201              sslscan 127.0.0.1
202              sslscan 127.0.0.1:443
203              sslscan [::1]
204              sslscan [::1]:443
205

AUTHOR

207       sslscan  was  originally  written  by  Ian  Ventura-Whiting <fizz@tita‐
208       nia.co.uk>.
209       sslscan was extended by Jacob Appelbaum <jacob@appelbaum.net>.
210       sslscan was extended by rbsec <robin@rbsec.net>.
211       This manual page was originally  written  by  Marvin  Stark  <marv@der-
212       marv.de>.
213
214
215
216                               December 30, 2013                    SSLSCAN(1)
Impressum