1SSLSCAN(1)                  General Commands Manual                 SSLSCAN(1)
2
3
4

NAME

6       sslscan - Fast SSL/TLS scanner
7

SYNOPSIS

9       sslscan [options] [host:port | host]
10

DESCRIPTION

12       sslscan queries SSL/TLS services (such as HTTPS) and reports the proto‐
13       col versions, cipher suites, key exchanges, signature  algorithms,  and
14       certificates  in  use.  This helps the user understand which parameters
15       are weak from a security standpoint.
16
17       Terminal output is thus colour-coded as follows:
18
19       Red Background  NULL cipher (no encryption)
20       Red             Broken cipher (<= 40 bit), broken  protocol  (SSLv2  or
21       SSLv3) or broken certificate signing algorithm (MD5)
22       Yellow           Weak  cipher  (<=  56  bit or RC4) or weak certificate
23       signing algorithm (SHA-1)
24       Purple          Anonymous cipher (ADH or AECDH)
25
26       sslscan can also output results into an XML file for  easy  consumption
27       by external programs.
28
29

OPTIONS

31       --help
32              Show summary of options
33
34       --targets=<file>
35              A  file  containing  a list of hosts to check. Hosts can be sup‐
36              plied with ports (i.e. host:port). One target per line
37
38       --sni-name=<name>
39              Use a different hostname for SNI
40
41       --ipv4, -4
42              Force IPv4 DNS resolution.  Default is to try IPv4, and if  that
43              fails then fall back to IPv6.
44
45       --ipv6, -6
46              Force  IPv6 DNS resolution.  Default is to try IPv4, and if that
47              fails then fall back to IPv6.
48
49       --show-certificate
50              Display certificate information.
51
52       --no-check-certificate
53              Don't flag certificates signed with  weak  algorithms  (MD5  and
54              SHA-1) or short (<2048 bit) RSA keys
55
56       --show-client-cas
57              Show a list of CAs that the server allows for client authentica‐
58              tion. Will be blank for IIS/Schannel servers.
59
60       --show-ciphers
61              Show a complete list of ciphers supported by sslscan
62
63       --show-cipher-ids
64              Print the hexadecimal cipher IDs
65
66       --show-times
67              Show the time taken for each  handshake  in  milliseconds.  Note
68              that  only  a  single request is made with each cipher, and that
69              the size of the ClientHello is not constant, so this should  not
70              be used for proper benchmarking or performance testing.
71
72              You  might want to also use --no-cipher-details to make the out‐
73              put a bit clearer.
74
75       --ssl2
76              Only check if SSLv2 is enabled
77
78       --ssl3
79              Only check if SSLv3 is enabled
80
81       --tls10
82              Only check TLS 1.0 ciphers
83
84       --tls11
85              Only check TLS 1.1 ciphers
86
87       --tls12
88              Only check TLS 1.2 ciphers
89
90       --tls13
91              Only check TLS 1.3 ciphers
92
93       --tlsall
94              Only check TLS ciphers (versions 1.0, 1.1, 1.2, and 1.3)
95
96       --ocsp
97              Display OCSP status
98
99       --pk=<file>
100              A file containing the private key or a PKCS#12 file containing a
101              private key/certificate pair (as produced by MSIE and Netscape)
102
103       --pkpass=<password>
104              The password for the private key or PKCS#12 file
105
106       --certs=<file>
107              A file containing PEM/ASN1 formatted client certificates
108
109       --no-ciphersuites
110              Do not scan for supported ciphersuites.
111
112       --no-fallback
113              Do  not  check  for  TLS  Fallback  Signaling Cipher Suite Value
114              (fallback)
115
116       --no-renegotiation
117              Do not check for secure TLS renegotiation
118
119       --no-compression
120              Do not check for TLS compression (CRIME)
121
122       --no-heartbleed
123              Do not check for OpenSSL Heartbleed (CVE-2014-0160)
124
125       --no-groups
126              Do not enumerate key exchange groups
127
128       --no-sigs
129              Do not enumerate signature algorithms
130
131       --starttls-ftp
132              STARTTLS setup for FTP
133
134       --starttls-imap
135              STARTTLS setup for IMAP
136
137       --starttls-irc
138              STARTTLS setup for IRC
139
140       --starttls-ldap
141              STARTTLS setup for LDAP
142
143       --starttls-pop3
144              STARTTLS setup for POP3
145
146       --starttls-smtp
147              STARTTLS setup for SMTP
148
149       --starttls-mysql
150              STARTTLS setup for MySQL
151
152       --starttls-xmpp
153              STARTTLS setup for XMPP
154
155       --starttls-psql
156              STARTTLS setup for PostgreSQL
157
158       --xmpp-server
159              Perform a server-to-server XMPP connection. Try this if --start‐
160              tls-xmpp is failing.
161
162       --rdp
163              Send RDP preamble before starting scan.
164
165       --bugs
166              Enables workarounds for SSL bugs
167
168       --timeout=<sec>
169              Set  socket  timeout.  Useful  for hosts that fail to respond to
170              ciphers they don't understand. Default is 3s.
171
172       --sleep=<msec>
173              Pause between connections. Useful on STARTTLS SMTP services,  or
174              anything  else  that's performing rate limiting. Default is dis‐
175              abled.
176
177       --xml=<file>
178              Output results to an XML file. - can be used to mean stdout.
179
180       --version
181              Show version of program
182
183       --verbose
184              Display verbose output
185
186       --no-cipher-details
187              Hide NIST EC curve name and EDH/RSA key length.
188
189       --no-colour
190              Disable coloured output.
191

EXAMPLES

193       Scan a local HTTPS server
194              sslscan localhost
195              sslscan 127.0.0.1
196              sslscan 127.0.0.1:443
197              sslscan [::1]
198              sslscan [::1]:443
199

AUTHOR

201       sslscan was  originally  written  by  Ian  Ventura-Whiting  <fizz@tita‐
202       nia.co.uk>.
203       sslscan was extended by Jacob Appelbaum <jacob@appelbaum.net>.
204       sslscan was extended by rbsec <robin@rbsec.net>.
205       This  manual  page  was  originally  written by Marvin Stark <marv@der-
206       marv.de>.
207
208
209
210                                March 19, 2020                      SSLSCAN(1)
Impressum