Overview
The SSL/TLS Scanner analyzes the security configuration of SSL/TLS services, identifying weak ciphers, deprecated protocols, certificate issues, and known vulnerabilities like Heartbleed, POODLE, and ROBOT.
The SSL/TLS Scanner is a vulnerability scanner: it actively tests SSL/TLS configurations for security weaknesses. It does not add data to your Attack Surface. Identified vulnerabilities are reported as findings.
Supported targets
| Target type | Examples |
|---|---|
| IP address | 192.168.1.1, 10.0.0.5 |
| Hostname | example.com, mail.example.com |
Scan types
| Mode | Description | Use case |
|---|---|---|
| Light | Scan port 443 only | Quick HTTPS check |
| Deep | Scan ~5,003 TCP ports | Full infrastructure audit |
| Custom | User-configured ports and engines | Targeted testing |
Parameters comparison
| Parameter | Light | Deep | Custom |
|---|---|---|---|
| TCP ports | 443 | ~5,003 | User-defined |
| Certificate engine | ✓ | ✓ | Configurable |
| Vulnerability engine | ✓ | ✓ | Configurable |
Engines comparison
| Engine | Light | Deep | Custom |
|---|---|---|---|
| Certificate | ✓ | ✓ | ✓ |
| Vulnerability | ✓ | ✓ | ✓ |
The Deep scan tests ~5,003 ports and may take significant time. Use Light mode for quick HTTPS checks or Custom mode to specify exact ports.
Custom scan
Full control over scan parameters:
- Select specific scanning engines (Certificate, Vulnerability, or both)
- Define custom port ranges, lists, or common port presets
- Target specific SSL/TLS services on non-standard ports
Custom scan options
Port selection
| Option | TCP ports | Description |
|---|---|---|
| Top 10 ports | ~10 | Fastest scan |
| Top 100 ports | ~112 | Quick discovery |
| Top 1000 ports | ~1,009 | Standard assessment |
| Top 5000 ports | ~5,003 | Extended coverage |
| Full port range | 65,535 | All ports (slow) |
| Port range | Variable | Specify start and end (e.g., 1-1024) |
| Port list | Variable | Comma-separated (e.g., 443,8443,993) |
See Port lists for the exact ports covered by each preset.
Vulnerability checks
The Vulnerability engine detects these known SSL/TLS vulnerabilities:
| Vulnerability | CVE | Description |
|---|---|---|
| Heartbleed | CVE-2014-0160 | OpenSSL heartbeat extension memory disclosure |
| Ticketbleed | CVE-2016-9244 | F5 BIG-IP session ticket memory leak |
| CCS Injection | CVE-2014-0224 | OpenSSL early ChangeCipherSpec acceptance, enables MITM |
| POODLE | CVE-2014-3566 | SSL 3.0 CBC padding oracle attack |
| ROBOT | CVE-2017-13099 | Bleichenbacher RSA PKCS#1 v1.5 padding oracle (one of several vendor-specific CVEs) |
| DROWN | CVE-2016-0800 | SSLv2 cross-protocol attack on RSA key exchange |
| Secure Renegotiation | CVE-2009-3555 | Renegotiation without the RFC 5746 extension, allows plaintext injection |
| CRIME | CVE-2012-4929 | TLS-level compression leaks secrets |
| BREACH | CVE-2013-3587 | HTTP response compression leaks secrets |
| FREAK | CVE-2015-0204 | Downgrade to export-grade RSA |
| SWEET32 | CVE-2016-2183 | Birthday attack on 64-bit block ciphers (3DES) |
| BEAST | CVE-2011-3389 | TLS 1.0 CBC chained-IV attack |
| LOGJAM | CVE-2015-4000 | Downgrade to export-grade DHE |
Certificate checks
The Certificate engine analyzes certificate configuration:
| Check | Description |
|---|---|
| Validity period | Not expired, not future-dated |
| Common name | Matches requested hostname (modern browsers ignore the CN and require a SAN entry) |
| Subject Alternative Names | All hostnames the certificate covers, including wildcard entries |
| Certificate chain | Complete (intermediates sent) and chains to a trusted root |
| Signature algorithm | SHA-256 or better; SHA-1 and MD5 signatures are rejected by browsers |
| Key size | RSA 2048+ or ECDSA 256+ recommended |
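The checks in the table above, written out as an added example (not the scanner's own code). The certificate is a plain dict of already-parsed fields, the sample values are constructed, and the 30-day expiry warning window and the MD5/SHA-1 list are this example's own thresholds. The hostname matcher follows RFC 6125 wildcard rules: a wildcard covers exactly one leftmost label and never the registered domain itself.

```python
from datetime import datetime, timedelta, timezone

# Thresholds are this example's own choices; the page only says what is "recommended".
MIN_RSA_BITS = 2048
MIN_EC_BITS = 256
EXPIRY_WARN_DAYS = 30
WEAK_SIG_ALGS = ("md5", "sha1")


def match_hostname(hostname: str, names) -> bool:
    """RFC 6125-style match of a hostname against SAN (or CN) entries.

    A wildcard must be the whole leftmost label and covers exactly one label:
    '*.example.com' matches 'www.example.com' but not 'example.com' or
    'a.b.example.com'. A wildcard directly under a TLD ('*.com') is rejected.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        pattern = name.lower().rstrip(".").split(".")
        if pattern == host:
            return True
        if (pattern[0] == "*" and len(pattern) >= 3
                and len(pattern) == len(host) and pattern[1:] == host[1:]):
            return True
    return False


def check_certificate(cert: dict, hostname: str, now: datetime) -> list:
    """Run the certificate checks over a pre-parsed leaf certificate.
    `cert` is a plain dict here; a real scanner fills these fields from the
    certificate the server presents during the handshake."""
    findings = []

    def add(check, severity, detail):
        findings.append({"check": check, "severity": severity, "detail": detail})

    # Validity period: not yet valid, expired, or about to expire.
    if cert["not_before"] > now:
        add("not_yet_valid", "high", f"notBefore {cert['not_before'].date()} is in the future")
    if cert["not_after"] < now:
        add("expired", "high", f"expired on {cert['not_after'].date()}")
    elif cert["not_after"] - now < timedelta(days=EXPIRY_WARN_DAYS):
        add("expiring_soon", "medium", f"expires on {cert['not_after'].date()}")

    # Hostname: browsers match only subjectAltName; the CN is a fallback for legacy clients.
    san = cert.get("san") or []
    if not san:
        add("no_san", "medium", "no subjectAltName; modern browsers ignore the CN")
    if not match_hostname(hostname, san or [cert["cn"]]):
        add("hostname_mismatch", "high", f"{hostname} not covered by {san or [cert['cn']]}")

    # Signature algorithm: MD5 and SHA-1 signatures are no longer accepted by browsers.
    sig = cert["signature_algorithm"].lower()
    if any(alg in sig for alg in WEAK_SIG_ALGS):
        add("weak_signature", "high", f"signed with {cert['signature_algorithm']}")

    # Key size against the recommended minimums.
    key_type, bits = cert["key_type"].upper(), cert["key_bits"]
    if (key_type == "RSA" and bits < MIN_RSA_BITS) or (key_type in ("EC", "ECDSA") and bits < MIN_EC_BITS):
        add("weak_key", "high", f"{key_type} {bits}-bit key")

    # Chain: the result of chain building, carried here as two flags.
    if not cert.get("chain_complete", True):
        add("incomplete_chain", "medium", "server did not send the full intermediate chain")
    if not cert.get("trusted", True):
        add("untrusted_chain", "high", "chain does not end in a trusted root")
    return findings


# Constructed sample (not a real certificate): about to expire, SHA-1 signed,
# 1024-bit RSA key, chain that does not reach a trusted root.
NOW = datetime(2024, 2, 15, tzinfo=timezone.utc)
SAMPLE_CERT = {
    "cn": "www.example.com",
    "san": ["www.example.com", "example.com"],
    "not_before": datetime(2023, 3, 1, tzinfo=timezone.utc),
    "not_after": datetime(2024, 3, 1, tzinfo=timezone.utc),
    "signature_algorithm": "sha1WithRSAEncryption",
    "key_type": "RSA",
    "key_bits": 1024,
    "chain_complete": True,
    "trusted": False,
}

if __name__ == "__main__":
    for f in check_certificate(SAMPLE_CERT, "www.example.com", NOW):
        print(f"[{f['severity']}] {f['check']}: {f['detail']}")
```

Running the block against the sample reports four findings (expiring soon, weak signature, weak key, untrusted chain); requesting `mail.example.com` instead adds a hostname mismatch, because neither SAN entry nor the wildcard rules cover it.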
Protocol analysis
| Protocol | Status | Notes |
|---|---|---|
| SSL 2.0 | ❌ Deprecated | Broken, never use (DROWN) |
| SSL 3.0 | ❌ Deprecated | POODLE vulnerability |
| TLS 1.0 | ⚠️ Legacy | Deprecated by RFC 8996; prohibited by PCI DSS |
| TLS 1.1 | ⚠️ Legacy | Deprecated by RFC 8996 |
| TLS 1.2 | ✅ Current | Recommended minimum |
| TLS 1.3 | ✅ Modern | Best security |
Cipher suite analysis
| Category | Examples | Rating |
|---|---|---|
| Strong | AES-256-GCM, ChaCha20-Poly1305 | ✅ Recommended |
| Acceptable | AES-128-GCM | ✅ Acceptable |
| Weak | 3DES, RC4 | ⚠️ Avoid |
| Insecure | NULL, EXPORT, DES, anonymous (aNULL) key exchange | ❌ Critical |
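An added example (not the scanner's code) of turning the categories above into a rule that can be applied to every suite a server accepts. It parses IANA cipher suite names into their parts and rates them; it goes slightly beyond the table by also marking CBC suites as weak, tracking forward secrecy (ephemeral ECDHE/DHE, or any TLS 1.3 suite), and demoting a strong suite to acceptable when it uses static RSA key exchange. The accepted-suite list at the bottom is constructed.

```python
# Key exchanges that give forward secrecy: ephemeral (EC)DH. TLS 1.3 suites always use them.
FS_KEX_PREFIXES = ("ECDHE_", "DHE_")
AEAD_MODES = ("GCM", "CCM", "POLY1305")
MAC_TOKENS = ("MD5", "SHA", "SHA256", "SHA384", "NULL")
# Effective key bits for ciphers whose name carries no number.
IMPLIED_BITS = {"3DES": 112, "DES": 56, "DES40": 40, "CHACHA20": 256, "NULL": 0, "IDEA": 128, "SEED": 128}
RANK = {"insecure": 0, "weak": 1, "acceptable": 2, "strong": 3}


def parse_suite(name: str) -> dict:
    """Split an IANA suite name into key exchange/auth, cipher, key bits, mode and MAC."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA suite name: {name}")
    rest = name[4:]
    if "_WITH_" in rest:
        kexauth, bulk = rest.split("_WITH_", 1)
        tls13 = False
    else:                      # TLS 1.3 names carry only the AEAD cipher and hash
        kexauth, bulk, tls13 = "ECDHE", rest, True
    tokens = bulk.split("_")
    mac = tokens[-1] if tokens[-1] in MAC_TOKENS else None     # AEAD-only names have no MAC token
    enc = tokens[0]
    bits = int(tokens[1]) if len(tokens) > 1 and tokens[1].isdigit() else IMPLIED_BITS.get(enc, 0)
    mode = next((t for t in tokens if t in AEAD_MODES + ("CBC",)), "stream")
    return {"kexauth": kexauth, "enc": enc, "bits": bits, "mode": mode, "mac": mac,
            "tls13": tls13, "forward_secrecy": tls13 or kexauth.startswith(FS_KEX_PREFIXES)}


def rate_suite(name: str) -> dict:
    """Rate one suite; rules are applied worst-first so the first match wins."""
    s = parse_suite(name)
    reasons = []
    if s["enc"] == "NULL":
        rating, reasons = "insecure", ["no encryption"]
    elif "anon" in s["kexauth"] or s["kexauth"] == "NULL":
        rating, reasons = "insecure", ["anonymous key exchange, no server authentication"]
    elif "EXPORT" in s["kexauth"] or s["bits"] < 64:
        rating, reasons = "insecure", [f"export-grade or {s['bits']}-bit key (FREAK/LOGJAM/DES)"]
    elif s["enc"] == "RC4":
        rating, reasons = "weak", ["RC4 keystream biases"]
    elif s["enc"] == "3DES" or s["mac"] == "MD5":
        rating, reasons = "weak", ["64-bit block cipher (SWEET32)" if s["enc"] == "3DES" else "MD5 MAC"]
    elif s["mode"] == "CBC":
        rating, reasons = "weak", ["CBC mode, no AEAD (BEAST/Lucky13 exposure)"]
    elif s["mode"] in AEAD_MODES:
        rating = "strong" if s["bits"] >= 256 else "acceptable"
    else:
        rating, reasons = "weak", [f"unrecognised cipher {s['enc']}"]
    if not s["forward_secrecy"]:
        reasons.append("no forward secrecy (static RSA/DH key exchange)")
        if rating == "strong":
            rating = "acceptable"
    return {"suite": name, "rating": rating, "forward_secrecy": s["forward_secrecy"], "reasons": reasons}


def worst_rating(names) -> str:
    """The weakest suite a server accepts is what sets the severity of the finding."""
    return min((rate_suite(n)["rating"] for n in names), key=RANK.get)


# Constructed list standing in for the suites a server accepted during enumeration.
SAMPLE_ACCEPTED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for n in SAMPLE_ACCEPTED:
        r = rate_suite(n)
        print(f"{r['rating']:<10} FS={r['forward_secrecy']!s:<5} {n}  {'; '.join(r['reasons'])}")
    print("worst:", worst_rating(SAMPLE_ACCEPTED))
```

Rating by parsed components rather than by a fixed name list is what lets the same rule handle suites the table never mentions, such as CAMELLIA or CCM variants, and it makes the reason for each rating explicit in the finding.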
How it works
The SSL/TLS Scanner uses a scanning engine based on testssl.sh with custom enhancements:
- Port discovery: Uses Nmap to identify SSL/TLS-enabled services on the specified ports
- Protocol negotiation: Offers each SSL/TLS protocol version in turn and records which ones the server accepts
- Cipher enumeration: Tests which cipher suites the server accepts at each negotiated version
- Vulnerability testing: Runs specific checks for the known SSL/TLS vulnerabilities listed above
- Certificate analysis: Validates the certificate chain and configuration
Aim for TLS 1.2+ with strong cipher suites. Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1.
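The protocol negotiation step, shown as an added example rather than the scanner's or testssl.sh's own code: build a ClientHello that offers exactly one protocol version, then read the server's first record, where a ServerHello means the version was accepted and an Alert (or a dropped connection, which some servers prefer) means it was refused. The cipher suite list is a small assumed offer, the `build_server_hello`/`build_alert` helpers simulate the server side so the exchange can be exercised offline, and `probe` is the live version for use against a real host. The builder covers SSL 3.0 through TLS 1.2; a TLS 1.3 probe also needs supported_versions, key_share and signature_algorithms extensions, which are outside this example, although the parser does read the supported_versions extension a TLS 1.3 server puts in its ServerHello.

```python
import os
import socket
import struct

# Wire codes for the protocol versions the scanner probes.
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302,
            "TLSv1.2": 0x0303, "TLSv1.3": 0x0304}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}
# Small offer list assumed for the example; a scanner offers far more.
SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}


def _sni_extension(hostname: str) -> bytes:
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    lst = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(lst)) + lst


def build_client_hello(version: int, suites, hostname: str) -> bytes:
    """ClientHello record offering exactly one protocol version (SSL 3.0 .. TLS 1.2)."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    ext = _sni_extension(hostname)
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                            # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    record_version = 0x0300 if version == 0x0300 else 0x0301        # record layer stays conservative
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_server_response(data: bytes) -> dict:
    """First record back: ServerHello means accepted, Alert means refused."""
    if len(data) < 5:
        raise ValueError("truncated record")
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15:
        level, description = payload[0], payload[1]
        return {"kind": "alert", "fatal": level == 2, "alert": ALERTS.get(description, str(description))}
    if content_type != 0x16 or payload[0] != 0x02:
        raise ValueError("expected ServerHello")
    hello = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                   # skip server random
    pos += 1 + hello[pos]                          # skip session id
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                       # suite + compression method
    if pos + 2 <= len(hello):                      # extensions block present
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0x002B and elen == 2:      # supported_versions: TLS 1.3 reports itself here
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += elen
    return {"kind": "server_hello", "version": VERSION_NAMES.get(version, hex(version)),
            "cipher_suite": SUITES.get(suite, hex(suite))}


def build_server_hello(version: int, suite: int) -> bytes:
    """Simulated server side for offline use: accept `suite` at `version`. A TLS 1.3
    server writes 1.2 in the legacy field and the real version in supported_versions."""
    tls13 = version == 0x0304
    body = (struct.pack("!H", 0x0303 if tls13 else version) + os.urandom(32)
            + b"\x00" + struct.pack("!H", suite) + b"\x00")
    if tls13:
        ext = struct.pack("!HHH", 0x002B, 2, 0x0304)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0303, len(hs)) + hs


def build_alert(description: int) -> bytes:
    """Simulated fatal alert record (level 2)."""
    return b"\x15" + struct.pack("!HH", 0x0303, 2) + bytes([2, description])


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:   # some servers drop the connection instead of sending an alert
            raise ConnectionError("connection closed before a full record arrived")
        buf += chunk
    return buf


def probe(host: str, port: int, version: int, timeout: float = 5.0) -> dict:
    """Live probe (needs network access): does host:port accept `version`?"""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, SUITES, host))
        header = _recv_exact(s, 5)
        return parse_server_response(header + _recv_exact(s, struct.unpack("!H", header[3:5])[0]))
```

A scanner repeats `probe` once per version (and, for cipher enumeration, once per suite at each accepted version), which is why the Deep scan over thousands of ports takes as long as it does; a `ConnectionError` from `_recv_exact` should be recorded as "not supported" rather than as a scan failure.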
Follow-up actions
After identifying SSL/TLS issues:
- Update server configuration: Disable weak protocols and ciphers
- Renew certificates: Replace expiring or weak certificates
- Run Network Scanner: Test for additional infrastructure vulnerabilities
- Check Website Scanner: Assess web application security