SSLScan

Installation

Debian/Ubuntu

sudo apt-get install sslscan

RHEL/CentOS

sudo yum install sslscan

macOS

brew install sslscan

From Source

git clone https://github.com/rbsec/sslscan.git
cd sslscan
./configure
make
sudo make install

Docker

docker pull nmap/nmap:latest
docker run -it nmap/nmap sslscan example.com:443

Basic Scanning

Simple Host Scan

sslscan example.com
sslscan example.com:443

Scan Non-Standard Port

sslscan example.com:8443

Verbose Output

sslscan --no-failed example.com
sslscan -v example.com

Quiet Mode

sslscan -q example.com

Certificate Details

View Certificate Information

sslscan --show-certificate example.com

Extract Certificate Chain

sslscan --show-certificate example.com | grep -A 50 "Certificate"

Check Certificate Expiry

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Validate Certificate Chain

sslscan --show-certificate example.com

Certificate Issuer Details

openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -text -noout

Cipher Enumeration

List All Supported Ciphers

sslscan example.com

Identify Weak Ciphers

sslscan example.com | grep -i "weak"

Filter by Cipher Strength

sslscan example.com | grep -E "256|128|64"

Export Cipher List

sslscan example.com > ciphers.txt

Test Specific Cipher

openssl s_client -connect example.com:443 -cipher 'DES-CBC3-SHA' 2>/dev/null | head -n 20

Protocol Detection

Check SSL/TLS Versions

sslscan example.com

Test for SSLv2 (Deprecated)

sslscan example.com | grep -i "sslv2"

Test for SSLv3 (Deprecated)

sslscan example.com | grep -i "sslv3"

Test for TLS 1.0/1.1 (Legacy)

sslscan example.com | grep -E "TLSv1\.0|TLSv1\.1"

Test for TLS 1.2+

sslscan example.com | grep -E "TLSv1\.[2-3]"

Protocol-Specific Tests

openssl s_client -connect example.com:443 -ssl2    # SSLv2
openssl s_client -connect example.com:443 -ssl3    # SSLv3
openssl s_client -connect example.com:443 -tls1    # TLSv1.0
openssl s_client -connect example.com:443 -tls1_1  # TLSv1.1
openssl s_client -connect example.com:443 -tls1_2  # TLSv1.2
openssl s_client -connect example.com:443 -tls1_3  # TLSv1.3

Vulnerability Detection

Check for Heartbleed (CVE-2014-0160)

sslscan example.com | grep -i "heartbleed"

Test Heartbleed Directly

echo -n "Q" | openssl s_client -connect example.com:443 2>/dev/null | grep -i heartbeat

Check for POODLE (CVE-2014-3566)

sslscan example.com | grep -i "poodle\|sslv3"

Check for BEAST (CVE-2011-3389)

sslscan example.com | grep -E "TLSv1\.0|CBC"

Check for CRIME (CVE-2012-4929)

sslscan example.com | grep -i "compression"

Check for FREAK (CVE-2015-0204)

sslscan example.com | grep -i "weak.*key\|512.*rsa"

Check for RC4 (Weak Cipher)

sslscan example.com | grep -i "rc4"

Check for DROWN (CVE-2016-0800)

sslscan example.com | grep -i "sslv2"

Full Vulnerability Report

sslscan --no-failed example.com | grep -iE "vulnerable|weak|sslv2|sslv3|heartbleed|poodle"

STARTTLS Support

SMTP (Port 25/587)

sslscan --starttls example.com:25
sslscan --starttls example.com:587

IMAP (Port 143)

sslscan --starttls example.com:143

POP3 (Port 110)

sslscan --starttls example.com:110

FTP (Port 21)

sslscan --starttls example.com:21

LDAP (Port 389)

sslscan --starttls example.com:389

XMPP (Port 5222)

sslscan --starttls example.com:5222

Check STARTTLS Availability

echo "EHLO example.com" | nc example.com 25 | grep -i "starttls"

Output Formats

XML Output

sslscan --xml=report.xml example.com

Parse XML Report

cat report.xml | grep -E "protocol|cipher|certificate"

Human-Readable Output

sslscan example.com > report.txt

JSON-like Format (via grep)

sslscan example.com | awk '{print $0}' > report.json

Redirect to File

sslscan example.com 2>&1 | tee report.log

Generate and Compare Reports

sslscan example.com > baseline.txt
sslscan example.com > current.txt
diff baseline.txt current.txt

Batch Scanning

Scan Multiple Hosts from List

cat hosts.txt | while read host; do sslscan "$host" >> results.txt; done

Scan Host List with Ports

while IFS=: read -r host port; do sslscan "$host:$port" >> batch-results.txt; done < hosts.txt

Parallel Batch Scanning

cat hosts.txt | xargs -P 5 -I {} sslscan {} > batch-results.txt

Scan Entire CIDR Range (via nmap)

nmap -p 443 10.0.0.0/24 -oG - | awk '/open/{print $2}' | while read ip; do sslscan "$ip"; done

Store Results in Database

for host in $(cat hosts.txt); do
  sslscan --xml="$host.xml" "$host"
  echo "Scanned: $host"
done

Track Changes Over Time

timestamp=$(date +%Y%m%d_%H%M%S)
sslscan example.com > "scans/example_$timestamp.txt"

Client Certificate Testing

Scan with Client Certificate

sslscan --client-cert=cert.pem --client-key=key.pem example.com

Test Mutual TLS (mTLS)

openssl s_client -cert client.pem -key client-key.pem -connect example.com:443

Verify Client Certificate Chain

openssl verify -CAfile ca-chain.pem client.pem

Extract Client Certificate from File

openssl x509 -in client.pem -text -noout

OCSP Stapling

Check OCSP Stapling Status

echo | openssl s_client -connect example.com:443 -tlsextdebug 2>/dev/null | grep -A 2 "OCSP"

Verify OCSP Response

echo | openssl s_client -connect example.com:443 -status 2>/dev/null | grep "OCSP response"

Detailed OCSP Check

openssl s_client -connect example.com:443 -tlsextdebug 2>&1 | grep -i "ocsp"

Advanced Options

Disable SNI (Server Name Indication)

sslscan --no-sni example.com

Set Custom Timeout

sslscan --timeout=10 example.com

Specify IP Address

sslscan --ip=192.168.1.1 example.com

Skip Host Name Verification

sslscan --no-sni example.com

Test All Named Hosts (SNI)

sslscan example.com
sslscan mail.example.com

Comparison: SSLScan vs testssl.sh vs sslyze

Feature	SSLScan	testssl.sh	sslyze
Language	C/C++	Bash	Python
Speed	Fast	Medium	Fast
Protocols	SSL/TLS	SSL/TLS/HTTP/DNS	SSL/TLS
Vulnerability Checks	Basic	Comprehensive	Good
STARTTLS Support	Yes	Yes	Yes
Output Formats	Text, XML	Text, JSON, CSV	Text, JSON
Installation	Easy	No deps	Python required
Community	Active	Very Active	Active
CVE Coverage	Standard	Extensive	Good
Best For	Quick scans	Deep audits	Automated checks

When to Use SSLScan

• Quick SSL/TLS configuration checks
• Simple vulnerability screening
• Batch scanning multiple hosts
• Resource-constrained environments
• CI/CD integration

When to Use testssl.sh

• Comprehensive security audits
• Deep vulnerability analysis
• Regulatory compliance checks
• Edge case testing
• Maximum CVE coverage

When to Use sslyze

• Automated security testing
• Python integration
• API-based scanning
• CI/CD pipelines
• Large-scale assessments

Real-World Examples

Audit Web Server Configuration

sslscan --show-certificate example.com | tee audit.txt

Monitor Certificate Expiry

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Identify Non-Compliant Hosts

sslscan example.com | grep -E "sslv2|sslv3|TLSv1\.0|weak" && echo "Non-compliant" || echo "Compliant"

Generate Compliance Report

sslscan --no-failed example.com > compliance-report.txt

Test After Configuration Change

sslscan example.com > before.txt
# Update SSL/TLS config
sslscan example.com > after.txt
diff before.txt after.txt

Find All Weak Ciphers in Environment

for host in web1 web2 web3; do
  echo "=== $host ===" >> weak-ciphers.txt
  sslscan "$host" | grep -i "weak" >> weak-ciphers.txt
done