# SSL/TLS Scanner

> Analyze SSL/TLS configuration and detect certificate and protocol vulnerabilities

## Overview

The SSL/TLS Scanner analyzes the security configuration of SSL/TLS services, identifying weak ciphers, deprecated protocols, certificate issues, and known vulnerabilities like Heartbleed, POODLE, and ROBOT.

The SSL/TLS Scanner is a **vulnerability scanner**: it actively tests SSL/TLS configurations for security weaknesses. It does not add data to your [Attack Surface](/capabilities/attack-surface). Identified vulnerabilities are reported as [findings](/core/findings/findings).

## Supported targets

| Target type    | Examples                          |
| -------------- | --------------------------------- |
| **IP address** | `192.168.1.1`, `10.0.0.5`         |
| **Hostname**   | `example.com`, `mail.example.com` |

## Scan types

| Mode       | Description                       | Use case                  |
| ---------- | --------------------------------- | ------------------------- |
| **Light**  | Scan port 443 only                | Quick HTTPS check         |
| **Deep**   | Scan \~5,003 TCP ports            | Full infrastructure audit |
| **Custom** | User-configured ports and engines | Targeted testing          |

### Parameters comparison

| Parameter                | Light |   Deep  |    Custom    |
| ------------------------ | :---: | :-----: | :----------: |
| **TCP ports**            |  443  | \~5,003 | User-defined |
| **Certificate engine**   |   ✓   |    ✓    | Configurable |
| **Vulnerability engine** |   ✓   |    ✓    | Configurable |

### Engines comparison

| Engine                                     | Light | Deep | Custom |
| ------------------------------------------ | :---: | :--: | :----: |
| [**Certificate**](#certificate-checks)     |   ✓   |   ✓  |    ✓   |
| [**Vulnerability**](#vulnerability-checks) |   ✓   |   ✓  |    ✓   |

<Note>
  The Deep scan tests \~5,003 ports and may take significant time. Use Light mode for quick HTTPS checks or Custom mode to specify exact ports.
</Note>

### Custom scan

Full control over scan parameters:

* Select specific scanning engines (Certificate, Vulnerability, or both)
* Define custom port ranges, lists, or common port presets
* Target specific SSL/TLS services on non-standard ports

## Custom scan options

### Port selection

| Option              | TCP ports | Description                            |
| ------------------- | --------- | -------------------------------------- |
| **Top 10 ports**    | \~10      | Fastest scan                           |
| **Top 100 ports**   | \~112     | Quick discovery                        |
| **Top 1000 ports**  | \~1,009   | Standard assessment                    |
| **Top 5000 ports**  | \~5,003   | Extended coverage                      |
| **Full port range** | 65,535    | All ports (slow)                       |
| **Port range**      | Variable  | Specify start and end (e.g., `1-1024`) |
| **Port list**       | Variable  | Comma-separated (e.g., `443,8443,993`) |

See [Port lists](/core/scans/portlists) for the exact ports covered by each preset.

## Vulnerability checks

The Vulnerability engine detects these known SSL/TLS vulnerabilities:

| Vulnerability            | CVE            | Description                         |
| ------------------------ | -------------- | ----------------------------------- |
| **Heartbleed**           | CVE-2014-0160  | OpenSSL memory disclosure           |
| **Ticketbleed**          | CVE-2016-9244  | F5 BIG-IP session ticket leak       |
| **CCS Injection**        | CVE-2014-0224  | OpenSSL ChangeCipherSpec attack     |
| **POODLE**               | CVE-2014-3566  | SSL 3.0 padding oracle attack       |
| **ROBOT**                | CVE-2017-13099 | RSA padding oracle attack           |
| **DROWN**                | CVE-2016-0800  | SSLv2 cross-protocol attack         |
| **Secure Renegotiation** | CVE-2009-3555  | Insecure renegotiation              |
| **CRIME**                | CVE-2012-4929  | TLS compression attack              |
| **BREACH**               | CVE-2013-3587  | HTTP compression attack             |
| **FREAK**                | CVE-2015-0204  | Export cipher downgrade             |
| **SWEET32**              | CVE-2016-2183  | 64-bit block cipher birthday attack |
| **BEAST**                | CVE-2011-3389  | CBC cipher attack                   |
| **LOGJAM**               | CVE-2015-4000  | DHE export downgrade                |

## Certificate checks

The Certificate engine analyzes certificate configuration:

| Check                         | Description                         |
| ----------------------------- | ----------------------------------- |
| **Validity period**           | Not expired, not future-dated       |
| **Common name**               | Matches requested hostname          |
| **Subject Alternative Names** | Additional hostnames covered        |
| **Certificate chain**         | Complete and trusted                |
| **Signature algorithm**       | SHA-256 or better recommended       |
| **Key size**                  | RSA 2048+ or ECDSA 256+ recommended |
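
The checks in the table above, applied to a parsed certificate, as an added example that is not part of this documentation or the scanner's own code. It assumes a certificate already parsed into a plain dict (`common_name`, `sans`, `not_before`, `not_after`, `signature_algorithm`, `key_type`, `key_bits`); the hostname matching follows the RFC 6125 rule that a wildcard covers exactly one leftmost label.

```python
from datetime import datetime, timezone

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a '*' that stands for exactly one leftmost label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False          # wildcards anywhere else ("w*.example.com") are rejected
    h_labels = hostname.split(".")
    # "*.example.com" matches "mail.example.com" but neither "example.com" nor "a.b.example.com"
    return len(h_labels) == len(pattern.split(".")) and ".".join(h_labels[1:]) == pattern[2:]

def check_certificate(cert: dict, hostname: str, now: datetime) -> list[str]:
    """Run the Certificate engine's checks on a parsed certificate and return the findings."""
    findings = []
    if now < cert["not_before"]:
        findings.append("certificate is not yet valid (future-dated)")
    if now > cert["not_after"]:
        findings.append("certificate has expired")
    names = [cert.get("common_name", "")] + cert.get("sans", [])
    if not any(hostname_matches(n, hostname) for n in names if n):
        findings.append(f"neither CN nor SAN covers {hostname}")
    alg = cert["signature_algorithm"].lower()
    if not any(h in alg for h in ("sha256", "sha384", "sha512", "ed25519")):
        findings.append(f"weak signature algorithm {cert['signature_algorithm']}")
    minimum = {"RSA": 2048, "ECDSA": 256}      # page's recommended key sizes
    if cert["key_bits"] < minimum.get(cert["key_type"], 0):
        findings.append(f"{cert['key_type']} key of {cert['key_bits']} bits is below recommended size")
    return findings

# Constructed sample certificates (not real), checked at a fixed point in time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD_CERT = {"common_name": "example.com", "sans": ["example.com", "*.example.com"],
             "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
             "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
             "signature_algorithm": "sha256WithRSAEncryption", "key_type": "RSA", "key_bits": 2048}
WEAK_CERT = {"common_name": "www.example.com", "sans": [],
             "not_before": datetime(2022, 1, 1, tzinfo=timezone.utc),
             "not_after": datetime(2023, 1, 1, tzinfo=timezone.utc),
             "signature_algorithm": "sha1WithRSAEncryption", "key_type": "RSA", "key_bits": 1024}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("weak", WEAK_CERT)):
        print(label, check_certificate(cert, "mail.example.com", NOW) or ["no findings"])
```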

## Protocol analysis

| Protocol | Status       | Notes                 |
| -------- | ------------ | --------------------- |
| SSL 2.0  | ❌ Deprecated | Broken, never use     |
| SSL 3.0  | ❌ Deprecated | POODLE vulnerability  |
| TLS 1.0  | ⚠️ Legacy    | PCI DSS non-compliant |
| TLS 1.1  | ⚠️ Legacy    | Being deprecated      |
| TLS 1.2  | ✅ Current    | Recommended minimum   |
| TLS 1.3  | ✅ Modern     | Best security         |

## Cipher suite analysis

| Category       | Examples                       | Rating        |
| -------------- | ------------------------------ | ------------- |
| **Strong**     | AES-256-GCM, ChaCha20-Poly1305 | ✅ Recommended |
| **Acceptable** | AES-128-GCM                    | ✅ Acceptable  |
| **Weak**       | 3DES, RC4                      | ⚠️ Avoid      |
| **Insecure**   | NULL, EXPORT, DES              | ❌ Critical    |

## How it works

The SSL/TLS Scanner uses a scanning engine based on **testssl.sh** with custom enhancements:

1. **Port discovery**: Uses Nmap to identify SSL/TLS-enabled services on specified ports
2. **Protocol negotiation**: Attempts to negotiate various SSL/TLS protocol versions
3. **Cipher enumeration**: Tests which cipher suites the server accepts
4. **Vulnerability testing**: Runs specific checks for known SSL/TLS vulnerabilities
5. **Certificate analysis**: Validates the certificate chain and configuration
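
How the results of steps 2 and 3 turn into findings, using the ratings from the Protocol analysis and Cipher suite analysis tables above, as an added example that is not part of this documentation or the scanner's own code. The protocol labels (`SSLv3`, `TLSv1.2`, ...) and the sample negotiation results are constructed; cipher names may be in OpenSSL or IANA form.

```python
# Severity per protocol version, following the page's Protocol analysis table.
PROTOCOL_RATING = {
    "SSLv2": ("critical", "SSL 2.0 is broken; disable it"),
    "SSLv3": ("critical", "SSL 3.0 is vulnerable to POODLE; disable it"),
    "TLSv1": ("warning", "TLS 1.0 is legacy and PCI DSS non-compliant"),
    "TLSv1.1": ("warning", "TLS 1.1 is legacy and being deprecated"),
    "TLSv1.2": ("ok", "current, recommended minimum"),
    "TLSv1.3": ("ok", "modern"),
}

def rate_cipher(name: str) -> str:
    """Map an OpenSSL- or IANA-style cipher suite name onto the page's categories."""
    n = name.upper().replace("_", "").replace("-", "")   # "TLS_AES_256_GCM_SHA384" -> "TLSAES256GCMSHA384"
    if "NULL" in n or n.startswith("EXP") or "EXPORT" in n:
        return "insecure"
    # Triple DES and RC4 must be recognised before the bare "DES" rule below catches them.
    if "3DES" in n or "DESCBC3" in n or "DESEDE" in n or "RC4" in n:
        return "weak"
    if "DES" in n:
        return "insecure"
    if "AES256GCM" in n or "CHACHA20" in n:
        return "strong"
    if "AES128GCM" in n:
        return "acceptable"
    return "review"   # not covered by the page's table (e.g. CBC or other non-AEAD suites)

def rate_server(protocols: list[str], ciphers: list[str]) -> list[tuple[str, str]]:
    """Turn accepted protocol versions and cipher suites into (severity, message) findings."""
    findings = []
    for proto in protocols:
        severity, note = PROTOCOL_RATING.get(proto, ("review", "unrecognised protocol label"))
        if severity != "ok":
            findings.append((severity, f"{proto} accepted: {note}"))
    if not any(p in ("TLSv1.2", "TLSv1.3") for p in protocols):
        findings.append(("critical", "no TLS 1.2 or 1.3 support; only legacy protocols are offered"))
    severity_of = {"insecure": "critical", "weak": "warning"}
    for cipher in ciphers:
        category = rate_cipher(cipher)
        if category in severity_of:
            findings.append((severity_of[category], f"{cipher} accepted: {category} cipher suite"))
    return findings

# Constructed sample: what negotiation and cipher enumeration might return for a weak host.
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.2"]
SAMPLE_CIPHERS = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-GCM-SHA256", "DES-CBC3-SHA",
                  "RC4-SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]

if __name__ == "__main__":
    for severity, text in rate_server(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS):
        print(f"[{severity}] {text}")
```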

<Tip>
  Aim for TLS 1.2+ with strong cipher suites. Disable SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1.
</Tip>

## Follow-up actions

After identifying SSL/TLS issues:

* **Update server configuration**: Disable weak protocols and ciphers
* **Renew certificates**: Replace expiring or weak certificates
* **Run [Network Scanner](/tools/network-scanner)**: Test for additional infrastructure vulnerabilities
* **Check [Website Scanner](/tools/website-scanner)**: Assess web application security
