
SSLScan

Installation

Debian/Ubuntu

sudo apt-get install sslscan

RHEL/CentOS

sudo yum install sslscan

macOS

brew install sslscan

From Source

git clone https://github.com/rbsec/sslscan.git
cd sslscan
# sslscan builds from a plain Makefile; there is no ./configure step
make
sudo make install

Docker

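# The nmap image does not contain sslscan; build an image from the sslscan repository's Dockerfile instead
docker build -t sslscan:sslscan https://github.com/rbsec/sslscan.git
docker run --rm -it sslscan:sslscan example.com:443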

Basic Scanning

Simple Host Scan

sslscan example.com
sslscan example.com:443

Scan Non-Standard Port

sslscan example.com:8443

Verbose Output

sslscan --no-failed example.com
sslscan --verbose example.com

Quiet Mode

sslscan -q example.com

Certificate Details

View Certificate Information

sslscan --show-certificate example.com

Extract Certificate Chain

sslscan --show-certificates example.com | grep -A 50 "Certificate"

Check Certificate Expiry

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Validate Certificate Chain

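# Printing the certificate does not validate it; check OpenSSL's chain verification result
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | grep "Verify return code"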

Certificate Issuer Details

openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -text -noout

Cipher Enumeration

List All Supported Ciphers

sslscan example.com

Identify Weak Ciphers

sslscan example.com | grep -i "weak"

Filter by Cipher Strength

sslscan example.com | grep -E "256|128|64"

Export Cipher List

sslscan example.com > ciphers.txt

Test Specific Cipher

openssl s_client -connect example.com:443 -cipher 'DES-CBC3-SHA' </dev/null 2>/dev/null | head -n 20

Protocol Detection

Check SSL/TLS Versions

sslscan example.com

Test for SSLv2 (Deprecated)

sslscan example.com | grep -i "sslv2"

Test for SSLv3 (Deprecated)

sslscan example.com | grep -i "sslv3"

Test for TLS 1.0/1.1 (Legacy)

sslscan example.com | grep -E "TLSv1\.0|TLSv1\.1"

Test for TLS 1.2+

sslscan example.com | grep -E "TLSv1\.[2-3]"

Protocol-Specific Tests

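# </dev/null closes stdin so each handshake test returns instead of waiting for input
openssl s_client -connect example.com:443 -ssl2 </dev/null    # SSLv2 (option removed in OpenSSL 1.1.0 and later)
openssl s_client -connect example.com:443 -ssl3 </dev/null    # SSLv3 (needs an OpenSSL build with SSLv3 enabled)
openssl s_client -connect example.com:443 -tls1 </dev/null    # TLSv1.0
openssl s_client -connect example.com:443 -tls1_1 </dev/null  # TLSv1.1
openssl s_client -connect example.com:443 -tls1_2 </dev/null  # TLSv1.2
openssl s_client -connect example.com:443 -tls1_3 </dev/null  # TLSv1.3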

Vulnerability Detection

Check for Heartbleed (CVE-2014-0160)

sslscan example.com | grep -i "heartbleed"

Test Heartbleed Directly

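# Shows only whether the server advertises the TLS heartbeat extension; it does not test for the vulnerability itself
echo "Q" | openssl s_client -connect example.com:443 -tlsextdebug 2>&1 | grep -i heartbeat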

Check for POODLE (CVE-2014-3566)

sslscan example.com | grep -i "poodle\|sslv3"

Check for BEAST (CVE-2011-3389)

sslscan example.com | grep -E "TLSv1\.0|CBC"

Check for CRIME (CVE-2012-4929)

sslscan example.com | grep -i "compression"

Check for FREAK (CVE-2015-0204)

sslscan example.com | grep -i "weak.*key\|512.*rsa"

Check for RC4 (Weak Cipher)

sslscan example.com | grep -i "rc4"

Check for DROWN (CVE-2016-0800)

sslscan example.com | grep -i "sslv2"

Full Vulnerability Report

sslscan --no-failed example.com | grep -iE "vulnerable|weak|sslv2|sslv3|heartbleed|poodle"

STARTTLS Support

SMTP (Port 25/587)

sslscan --starttls-smtp example.com:25
sslscan --starttls-smtp example.com:587

IMAP (Port 143)

sslscan --starttls-imap example.com:143

POP3 (Port 110)

sslscan --starttls-pop3 example.com:110

FTP (Port 21)

sslscan --starttls-ftp example.com:21

LDAP (Port 389)

sslscan --starttls-ldap example.com:389

XMPP (Port 5222)

sslscan --starttls-xmpp example.com:5222

Check STARTTLS Availability

echo "EHLO example.com" | nc example.com 25 | grep -i "starttls"

Output Formats

XML Output

sslscan --xml=report.xml example.com

Parse XML Report

cat report.xml | grep -E "protocol|cipher|certificate"

Human-Readable Output

sslscan example.com > report.txt

JSON-like Format (via grep)

sslscan example.com | awk '{print $0}' > report.json

Redirect to File

sslscan example.com 2>&1 | tee report.log

Generate and Compare Reports

sslscan example.com > baseline.txt
sslscan example.com > current.txt
diff baseline.txt current.txt

Batch Scanning

Scan Multiple Hosts from List

cat hosts.txt | while read host; do sslscan "$host" >> results.txt; done

Scan Host List with Ports

while IFS=: read -r host port; do sslscan "$host:$port" >> batch-results.txt; done < hosts.txt

Parallel Batch Scanning

# One output file per host, so parallel scans do not interleave their output
xargs -P 5 -I {} sh -c 'sslscan "$1" > "scan-$1.txt"' _ {} < hosts.txt

Scan Entire CIDR Range (via nmap)

nmap -p 443 10.0.0.0/24 -oG - | awk '/open/{print $2}' | while read ip; do sslscan "$ip"; done

Store Results in Database

for host in $(cat hosts.txt); do
  sslscan --xml="$host.xml" "$host"
  echo "Scanned: $host"
done

Track Changes Over Time

mkdir -p scans
timestamp=$(date +%Y%m%d_%H%M%S)
sslscan example.com > "scans/example_$timestamp.txt"

Client Certificate Testing

Scan with Client Certificate

sslscan --certs=cert.pem --pk=key.pem example.com

Test Mutual TLS (mTLS)

openssl s_client -cert client.pem -key client-key.pem -connect example.com:443

Verify Client Certificate Chain

openssl verify -CAfile ca-chain.pem client.pem

Extract Client Certificate from File

openssl x509 -in client.pem -text -noout

OCSP Stapling

Check OCSP Stapling Status

# -status asks the server to staple an OCSP response
echo | openssl s_client -connect example.com:443 -status -tlsextdebug 2>/dev/null | grep -A 2 "OCSP"

Verify OCSP Response

echo | openssl s_client -connect example.com:443 -status 2>/dev/null | grep "OCSP response"

Detailed OCSP Check

openssl s_client -connect example.com:443 -status -tlsextdebug </dev/null 2>&1 | grep -i "ocsp"

Advanced Options

Disable SNI (Server Name Indication)

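# Connect without sending an SNI extension (OpenSSL 1.1.1 or later)
openssl s_client -connect example.com:443 -noservername </dev/null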

Set Custom Timeout

sslscan --timeout=10 example.com

Specify IP Address

# Scan the IP address directly while sending example.com as the SNI name
sslscan --sni-name=example.com 192.168.1.1

Skip Host Name Verification

sslscan --no-sni example.com

Test All Named Hosts (SNI)

sslscan example.com
sslscan mail.example.com

Comparison: SSLScan vs testssl.sh vs sslyze

| Feature | SSLScan | testssl.sh | sslyze |
|---|---|---|---|
| Language | C/C++ | Bash | Python |
| Speed | Fast | Medium | Fast |
| Protocols | SSL/TLS | SSL/TLS/HTTP/DNS | SSL/TLS |
| Vulnerability Checks | Basic | Comprehensive | Good |
| STARTTLS Support | Yes | Yes | Yes |
| Output Formats | Text, XML | Text, JSON, CSV | Text, JSON |
| Installation | Easy | No deps | Python required |
| Community | Active | Very Active | Active |
| CVE Coverage | Standard | Extensive | Good |
| Best For | Quick scans | Deep audits | Automated checks |

When to Use SSLScan

  • Quick SSL/TLS configuration checks
  • Simple vulnerability screening
  • Batch scanning multiple hosts
  • Resource-constrained environments
  • CI/CD integration

When to Use testssl.sh

  • Comprehensive security audits
  • Deep vulnerability analysis
  • Regulatory compliance checks
  • Edge case testing
  • Maximum CVE coverage

When to Use sslyze

  • Automated security testing
  • Python integration
  • API-based scanning
  • CI/CD pipelines
  • Large-scale assessments

Real-World Examples

Audit Web Server Configuration

sslscan --show-certificate example.com | tee audit.txt

Monitor Certificate Expiry

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Identify Non-Compliant Hosts

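# Match only protocols reported as enabled; a bare protocol name also matches "disabled" lines
sslscan --no-colour example.com | grep -Ei "^(sslv2|sslv3|TLSv1\.0) +enabled|weak" && echo "Non-compliant" || echo "Compliant"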
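
A grep for a protocol name alone (such as grep -i "sslv3") also matches lines that report the protocol as disabled. The following is an added example, not from the original page or the sslscan project, that reports only legacy protocols shown as enabled. The function names and the sample output are constructed, and the "SSLv3 disabled" / "TLSv1.0 enabled" line layout of sslscan 2.x text output is an assumption.

```bash
#!/usr/bin/env bash
# Added example: flag only legacy protocols that sslscan reports as *enabled*.
# Assumption: sslscan 2.x text output, where the protocol table has lines such
# as "SSLv3     disabled" / "TLSv1.0   enabled", optionally wrapped in ANSI
# colour codes.

# Reads sslscan output on stdin, prints one enabled legacy protocol per line.
# Returns 1 if any legacy protocol is enabled, 0 otherwise.
legacy_protocols_enabled() {
  local esc found
  esc=$(printf '\033')
  # Strip colour codes first, then require the exact "<protocol> enabled" pair
  # so cipher lines and heartbleed lines that mention a protocol are ignored.
  found=$(sed "s/${esc}\[[0-9;]*m//g" |
    awk '$1 ~ /^(SSLv2|SSLv3|TLSv1\.0|TLSv1\.1)$/ && $2 == "enabled" { print $1 }')
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# Constructed sample output (not captured from a real host).
sample_scan() {
  printf '%s\n' \
    '  SSL/TLS Protocols:' \
    'SSLv2     disabled' \
    'SSLv3     disabled' \
    "TLSv1.0   $(printf '\033[33menabled\033[0m')" \
    'TLSv1.1   enabled' \
    'TLSv1.2   enabled' \
    'TLSv1.3   enabled' \
    '  Heartbleed:' \
    'TLSv1.0 not vulnerable to heartbleed' \
    '  Supported Server Cipher(s):' \
    'Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384'
}

# Usage against a live host:
#   sslscan example.com | legacy_protocols_enabled || echo "Non-compliant"
```
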

Generate Compliance Report

sslscan --no-failed example.com > compliance-report.txt

Test After Configuration Change

sslscan example.com > before.txt
# Update SSL/TLS config
sslscan example.com > after.txt
diff before.txt after.txt

Find All Weak Ciphers in Environment

for host in web1 web2 web3; do
  echo "=== $host ===" >> weak-ciphers.txt
  sslscan "$host" | grep -i "weak" >> weak-ciphers.txt
done