sslscan – Detect SSL Versions & Cipher Suites (Including TLS)

sslscan is a very efficient C program that allows you to detect SSL versions & cipher suites (including TLS) and also checks for vulnerabilities like Heartbleed and POODLE.

A useful tool to keep around after you’ve set-up a server to check the SSL configuration is robust. Especially if you’re in an Internet limited environment and you can’t use an Online tool like the excellent Qualsys SSL Labs – https://www.ssllabs.com/ssltest/

Features

sslscan has fairly complete support to detect all versions and ciphers for both SSL and TLS, including vulnerabilities (like Heartbleed and Poodle).

• Highlight SSLv2 and SSLv3 ciphers in output.
• Highlight CBC ciphers on SSLv3 (POODLE).
• Highlight 3DES and RC4 ciphers in output.
• Highlight PFS+GCM ciphers as good in output.
• Check for OpenSSL HeartBleed (CVE-2014-0160).
• Flag expired certificates.
• Flag weak DHE keys with OpenSSL >= 1.0.2.
• Experimental Windows & OS X support.
• Support for scanning PostgreSQL servers.
• StartTLS support for LDAP.

Usage

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52

Command: [Options] [host:port | host]   Options: --targets=<file>       A file containing a list of hosts to check.        Hosts can  be supplied  with ports (host:port) --sni-name=<name>      Hostname for SNI --ipv4                 Only use IPv4 --ipv6                 Only use IPv6 --show-certificate     Show full certificate information --no-check-certificate    Don't warn about weak certificate algorithm or keys --show-client-cas      Show trusted CAs for TLS client auth --show-ciphers         Show supported client ciphers --show-cipher-ids      Show cipher ids --show-times           Show handhake times in milliseconds --ssl2                 Only check SSLv2 ciphers --ssl3                 Only check SSLv3 ciphers --tls10                Only check TLSv1.0 ciphers --tls11                Only check TLSv1.1 ciphers --tls12                Only check TLSv1.2 ciphers --tlsall               Only check TLS ciphers (all versions) --ocsp                 Request OCSP response from server --pk=<file>            A file containing the private key or a PKCS#12 file                        containing a private key/certificate pair --pkpass=<password>    The password for the private  key or PKCS#12 file --certs=<file>         A file containing PEM/ASN1 formatted client certificates --no-ciphersuites      Do not check for supported ciphersuites --no-fallback          Do not check for TLS Fallback SCSV --no-renegotiation     Do not check for TLS renegotiation --no-compression       Do not check for TLS compression (CRIME) --no-heartbleed        Do not check for OpenSSL Heartbleed (CVE-2014-0160) --starttls-ftp         STARTTLS setup for FTP --starttls-imap        STARTTLS setup for IMAP --starttls-irc         STARTTLS setup for IRC --starttls-ldap        STARTTLS setup for LDAP --starttls-pop3        STARTTLS setup for POP3 --starttls-smtp        STARTTLS setup for SMTP --starttls-xmpp        STARTTLS setup for XMPP --starttls-psql        STARTTLS setup for PostgreSQL --xmpp-server          Use a server-to-server XMPP handshake --http                 Test a HTTP connection --rdp                  Send RDP preamble before starting scan --bugs                 Enable SSL implementation bug work-arounds --timeout=<sec>        Set socket timeout. Default is 3s --sleep=<msec>         Pause between connection request. Default is disabled --xml=<file>           Output results to an XML file                        <file> can be -, which means stdout --version              Display the program version --verbose              Display verbose output --no-cipher-details    Disable EC curve names and EDH/RSA key lengths output --no-colour            Disable coloured output --help                 Display the  help text  you are  now reading

You can download sslscan here: