rbsec/sslscan

sslscan tests SSL/TLS enabled services to discover supported cipher suites

Top Related Projects

Testing TLS/SSL encryption anywhere on any port

Fast and powerful SSL/TLS scanning library.

Nmap - the Network Mapper. Github mirror of official SVN repository.

Quick Overview

SSLScan is a fast SSL/TLS scanner that tests SSL/TLS enabled services to discover supported cipher suites, protocols, and cryptographic flaws. It's designed to be easy to use and provide detailed information about the SSL/TLS configuration of a target server, making it a valuable tool for security professionals and system administrators.

Pros

  • Fast and efficient scanning of SSL/TLS services
  • Comprehensive output with detailed information about supported ciphers, protocols, and vulnerabilities
  • Actively maintained and regularly updated to include checks for new vulnerabilities
  • Cross-platform support (Linux, macOS, Windows)

Cons

  • Limited to SSL/TLS scanning, not a full-featured vulnerability scanner
  • Can potentially trigger intrusion detection systems or firewall alerts due to its scanning nature
  • Requires root/administrator privileges for some features on certain platforms
  • May produce false positives in some cases, requiring manual verification

Getting Started

To get started with SSLScan, follow these steps:

  1. Clone the repository:

    git clone https://github.com/rbsec/sslscan.git
    
  2. Build the project:

    cd sslscan
    make static
    
  3. Run SSLScan:

    ./sslscan example.com
    

This will perform a basic scan of the specified domain. For more advanced usage and options, refer to the project's documentation.

Competitor Comparisons

Testing TLS/SSL encryption anywhere on any port

Pros of testssl.sh

  • More comprehensive SSL/TLS testing, including protocol support, cipher suites, and vulnerabilities
  • Supports testing multiple hosts and mass scanning
  • Provides detailed output with color-coded results for easy interpretation

Cons of testssl.sh

  • Slower performance compared to sslscan, especially for large-scale scans
  • Requires bash and OpenSSL, which may not be available on all systems
  • More complex to use, with a steeper learning curve for advanced features

Code Comparison

testssl.sh:

    #!/usr/bin/env bash
    # testssl.sh - Testing TLS/SSL encryption
    OPENSSL="openssl"
    HEXDUMP="hexdump"
    CAT="cat"

sslscan:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

Both projects aim to analyze SSL/TLS configurations, but they differ in their implementation and focus. testssl.sh is a feature-rich bash script that provides extensive testing capabilities, while sslscan is a C-based tool that offers faster scanning with a more streamlined approach. testssl.sh is better suited for in-depth analysis and flexibility, whereas sslscan excels in quick assessments and integration into automated workflows.

Fast and powerful SSL/TLS scanning library.

Pros of sslyze

  • More comprehensive scanning capabilities, including support for modern protocols like TLS 1.3
  • Provides detailed analysis and reporting of SSL/TLS configurations
  • Actively maintained with regular updates and new features

Cons of sslyze

  • Slower scanning speed compared to sslscan
  • More complex setup and usage, requiring additional dependencies
  • Larger codebase, which may be harder to navigate for beginners

Code Comparison

sslyze:

    from sslyze import ServerNetworkLocationViaDirectConnection, ServerConnectivityTester, Scanner, ServerScanRequest
    from sslyze.plugins.scan_commands import ScanCommand

    server_location = ServerNetworkLocationViaDirectConnection("example.com", 443)
    server_info = ServerConnectivityTester().perform(server_location)
    scanner = Scanner()

sslscan:

    int main(int argc, char *argv[])
    {
        struct sslCheckOptions options;
        memset(&options, 0, sizeof(struct sslCheckOptions));
        options.host = argv[1];
        options.port = 443;
        sslscan(&options);
    }

The code comparison shows that sslyze uses a more object-oriented approach with Python, while sslscan is written in C and uses a simpler, procedural style. sslyze's code structure allows for more flexibility and extensibility, but may be more complex for basic scanning tasks.

Nmap - the Network Mapper. Github mirror of official SVN repository.

Pros of Nmap

  • Comprehensive network scanning and security auditing tool
  • Extensive feature set beyond SSL/TLS scanning
  • Large, active community and regular updates

Cons of Nmap

  • More complex to use for specific SSL/TLS scanning tasks
  • Larger footprint and resource requirements

Code Comparison

SSLScan:

    sslscan example.com

Nmap:

    nmap --script ssl-enum-ciphers -p 443 example.com

Key Differences

  • Focus: SSLScan is specialized for SSL/TLS scanning, while Nmap is a multi-purpose network scanning tool
  • Ease of use: SSLScan is simpler for quick SSL/TLS checks, Nmap offers more flexibility but requires more configuration
  • Output: SSLScan provides detailed SSL/TLS-specific information, Nmap offers broader network insights

Use Cases

SSLScan:

  • Quick SSL/TLS configuration audits
  • Identifying supported ciphers and protocols

Nmap:

  • Comprehensive network security assessments
  • Port scanning and service detection
  • Vulnerability scanning across multiple protocols

Both tools are valuable for security professionals, with SSLScan excelling in focused SSL/TLS analysis and Nmap offering a broader range of network scanning capabilities.

README

sslscan2

sslscan version 2 has now been released. This includes a major rewrite of the backend scanning code, which means that it is no longer reliant on the version of OpenSSL for many checks. This means that it is possible to support legacy protocols (SSLv2 and SSLv3), as well as supporting TLSv1.3 - regardless of the version of OpenSSL that it has been compiled against.

This has been made possible largely by the work of jtesta, who has been responsible for most of the backend rewrite.

Other key changes include:

  • Enumeration of server key exchange groups.
  • Enumeration of server signature algorithms.
  • SSLv2 and SSLv3 protocol support is scanned, but individual ciphers are not.
  • A test suite is included using Docker, to verify that sslscan is functioning correctly.
  • Removed the --http option, as it was broken and had very little use in the first place.

XML Output Changes

A potentially breaking change has been made to the XML output in version 2.0.0-beta4. Previously, multiple <certificate> elements could be returned (one by default, and a second one if --show-certificate was used).

The key changes are:

  • A new parent <certificates> element that will contain the <certificate> elements.
  • <certificate> elements have a new type attribute, which can either be:
    • short for the default output.
    • full for when --show-certificate is used.
  • There will potentially be more than one certificate of each type returned on servers that have multiple certificates with different signature algorithms (see discussion in issue #208).
  • The <signature-algorithm> element in a <certificate> no longer contains the "Signature Algorithm:" prefix, or the spacing and newline.

If you are using the XML output, then you may need to make changes to your parser.
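
A parser that tolerates both layouts, as an added example (not code from the sslscan project). It goes slightly beyond the text by also flagging MD5 and SHA-1 signatures; the `<document>`/`<ssltest>` wrapper, the sample values and the exact spacing of the old prefix are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the 2.0.0-beta4+ layout described above; the
# <document>/<ssltest> wrapper and attribute values are assumptions.
NEW_XML = """<document><ssltest host="example.com" port="443">
 <certificates>
  <certificate type="short"><signature-algorithm>sha256WithRSAEncryption</signature-algorithm></certificate>
  <certificate type="short"><signature-algorithm>ecdsa-with-SHA256</signature-algorithm></certificate>
  <certificate type="full"><signature-algorithm>sha1WithRSAEncryption</signature-algorithm></certificate>
 </certificates>
</ssltest></document>"""

# Constructed sample in the older layout: no <certificates> parent, no type
# attribute, and the prefix/spacing/newline still inside the element text.
OLD_XML = """<document><ssltest host="example.com" port="443">
 <certificate><signature-algorithm>    Signature Algorithm: md5WithRSAEncryption
</signature-algorithm></certificate>
</ssltest></document>"""

PREFIX = re.compile(r"^\s*Signature Algorithm:\s*", re.IGNORECASE)
WEAK = re.compile(r"md5|sha1(?!\d)", re.IGNORECASE)  # MD5 / SHA-1 signatures


def parse_certificates(xml_text):
    """Return one dict per <certificate>, whichever layout produced it."""
    root = ET.fromstring(xml_text)
    results = []
    # iter() finds <certificate> at any depth, so it works both with and
    # without the <certificates> parent element.
    for cert in root.iter("certificate"):
        raw = cert.findtext("signature-algorithm", default="")
        algo = PREFIX.sub("", raw).strip()  # normalise old-style text
        results.append({
            # Older output has no type attribute; record that explicitly.
            "type": cert.get("type", "unknown"),
            "signature_algorithm": algo,
            "weak_signature": bool(WEAK.search(algo)),
        })
    return results


def weak_certificates(xml_text):
    """Certificates signed with MD5 or SHA-1."""
    return [c for c in parse_certificates(xml_text) if c["weak_signature"]]
```

Because several certificates of the same type can be returned, consumers should iterate over the list rather than take the first `short` or `full` entry.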

This is a fork of ioerror's version of sslscan (the original readme of which is included below) by rbsec (robin@rbsec.net).

Key changes are as follows:

  • Highlight SSLv2 and SSLv3 ciphers in output.
  • Highlight CBC ciphers on SSLv3 (POODLE).
  • Highlight 3DES and RC4 ciphers in output.
  • Highlight PFS+GCM ciphers as good in output.
  • Highlight NULL (0 bit), weak (<40 bit) and medium (40 < n <= 56) ciphers in output.
  • Highlight anonymous (ADH and AECDH) ciphers in output (purple).
  • Hide certificate information by default (display with --show-certificate).
  • Hide rejected ciphers by default (display with --failed).
  • Added TLSv1.1, TLSv1.2 and TLSv1.3 support.
  • Supports IPv6 (can be forced with --ipv6).
  • Check for TLS compression (CRIME, disable with --no-compression).
  • Disable cipher suite checking --no-ciphersuites.
  • Disable coloured output --no-colour.
  • Removed undocumented -p output option.
  • Added check for OpenSSL HeartBleed (CVE-2014-0160, disable with --no-heartbleed).
  • Flag certificates signed with MD5 or SHA-1, or with short (<2048 bit) RSA keys.
  • Support scanning RDP servers with --rdp (credit skettler).
  • Added option to specify socket timeout.
  • Added option for static compilation (credit dmke).
  • Added --sleep option to pause between requests.
  • Disable output for anything other than specified checks --no-preferred.
  • Determine the list of CAs acceptable for client certificates --show-client-cas.
  • Experimental build support on OS X (credit MikeSchroll).
  • Flag some self-signed SSL certificates.
  • Experimental Windows support (credit jtesta).
  • Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 --no-cipher-details.
  • Flag weak DHE keys with OpenSSL >= 1.0.2 --cipher-details.
  • Flag expired certificates.
  • Flag TLSv1.0 and TLSv1.1 protocols in output as weak.
  • Experimental OS X support (static building only).
  • Support for scanning PostgreSQL servers (credit nuxi).
  • Check for TLS Fallback SCSV support.
  • Added StartTLS support for LDAP --starttls-ldap.
  • Added SNI support --sni-name (credit Ken).
  • Support STARTTLS for MySQL (credit bk2017).
  • Check for supported key exchange groups.
  • Check for supported server signature algorithms.
  • Display IANA/RFC cipher names --iana-names.
  • Display the full certificate chain --show-certificates.

Building on Linux

It is possible to ignore the OpenSSL system installation and ship your own version. Although this results in a more resource-heavy sslscan binary (file size, memory consumption, etc.), this allows some additional checks such as TLS compression.

To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies. The commands below can be used to do this on Debian. If you don't have them already, you will need to enable the deb-src repos in your apt config. sslscan was primarily developed on Debian, so if you are compiling on other distributions your mileage may vary.

    apt-get install build-essential git zlib1g-dev
    apt-get build-dep openssl

Then run

    make static

This will clone the OpenSSL repository, and configure/compile/test OpenSSL prior to compiling sslscan.

Please note: Out of the box, OpenSSL cannot be compiled with clang without further customization (which is not done by the provided Makefile). For more information on this, see Modifying Build Settings in the OpenSSL wiki.

You can verify whether you have a statically linked OpenSSL version, by checking whether the version listed by sslscan --version has the -static suffix.

Building with Docker

Ensure that your local Docker installation is functional, and then build the container with:

    make docker

Or manually with:

    docker build -t sslscan:sslscan .

You can then run sslscan with:

    docker run --rm -ti sslscan:sslscan --help

Building on Windows

Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions.

Note that sslscan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental.

Pre-built cross-compiled Windows binaries are available on the GitHub Releases Page.

Building on OS X

There is experimental support for statically building on OS X, however this should be considered unsupported. You may need to install any dependencies required to compile OpenSSL from source on OS X. Once you have, just run:

    make static

Original (ioerror) README

This is a fork of sslscan.c to better support STARTTLS.

The original home page of sslscan is:

http://www.titania.co.uk

sslscan was originally written by:

Ian Ventura-Whiting

The current home page of this fork (until upstream merges a finished patch) is:

http://www.github.com/ioerror/sslscan

Most of the pre-TLS protocol setup was inspired by the OpenSSL s_client.c program. The goal of this fork is to eventually merge with the original project after the STARTTLS setup is polished.

Some of the OpenSSL setup code was borrowed from The Tor Project's Tor program. Thus it is likely proper to comply with the BSD license by saying: Copyright (c) 2007-2010, The Tor Project, Inc.