loading
loading
Scanners
A fast and powerful SSL/TLS scanner.
overview
sslyze inspects how a server negotiates SSL and TLS. Point it at a host and it reports which protocol versions the server accepts, the certificate chain and its validity, the supported cipher suites and elliptic curves, and whether downgrade and session-resumption protections are in place.
It also probes named weaknesses directly: Heartbleed, the OpenSSL CCS injection flaw, ROBOT, insecure renegotiation, and CRIME-enabling compression. The Mozilla configuration check grades a server against a published baseline, which turns a scan into a clear pass or fail against a known standard.
Reach for sslyze when you need an accurate, structured read of TLS posture rather than a quick banner grab. On Trickest it runs as a Scanners node that takes a target or a targets file and writes a file and a folder of results, so TLS findings flow into the same reporting as the rest of a scan.
source github.com/nabla-c0d3/sslyze
use cases
Check which protocol versions, ciphers, and curves a host accepts to flag legacy SSL 2.0/3.0 and weak TLS 1.0/1.1 support.
Probe directly for Heartbleed, CCS injection, ROBOT, insecure renegotiation, and compression-based CRIME exposure.
Retrieve and analyze the certificate chain to confirm validity, expiry, and trust against a CA bundle.
Compare the server's TLS setup to a Mozilla recommended configuration for a clear pass or fail across a fleet of hosts.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | · | The server to scan, as host or host:port. |
| targets-in | FILE | --targets_in | Read targets from a file, one host:port per line. |
| certinfo | BOOLEAN | --certinfo | Retrieve and analyze the server's certificate(s) to verify validity. |
| heartbleed | BOOLEAN | --heartbleed | Test the server for the OpenSSL Heartbleed vulnerability. |
| robot | BOOLEAN | --robot | Test the server for the ROBOT vulnerability. |
| mozilla-config | STRING | --mozilla_config | Check TLS config against a Mozilla baseline (intermediate by default; disable to skip). |
| starttls | STRING | --starttls | Perform a StartTLS handshake (auto, smtp, xmpp, pop3, imap, ftp, ldap, rdp, postgres). |
| sni | STRING | --sni | Server Name Indication hostname to connect to (TLS 1.0+ only). |
Showing key inputs. sslyze exposes 32 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| key | FILE | --key | Client private key file. |
| sni | STRING | --sni | Server Name Indication hostname to connect to, affecting TLS 1.0+ connections only. |
| cert | FILE | --cert | Client certificate chain in PEM format, sorted from the subject's client certificate through any intermediate CA certificates. |
| pass | STRING | --pass | Client private key passphrase. |
| quiet | BOOLEAN | --quiet | Do not output anything to stdout. |
| reneg | BOOLEAN | --reneg | Test the server for insecure TLS renegotiation and client-initiated renegotiation. |
| resum | BOOLEAN | --resum | Test the server for TLS 1.2 session resumption support using session IDs and TLS tickets. |
| robot | BOOLEAN | --robot | Test the server for the ROBOT vulnerability. |
| sslv2 | BOOLEAN | --sslv2 | Test the server for SSL 2.0 support. |
| sslv3 | BOOLEAN | --sslv3 | Test the server for SSL 3.0 support. |
| tlsv1 | BOOLEAN | --tlsv1 | Test the server for TLS 1.0 support. |
| target | STRING | · | The server to scan, as host or host:port. |
| keyform | STRING | --keyform | Client private key format: DER or PEM (default). |
| tlsv1-1 | BOOLEAN | --tlsv1_1 | Test the server for TLS 1.1 support. |
| tlsv1-2 | BOOLEAN | --tlsv1_2 | Test the server for TLS 1.2 support. |
| tlsv1-3 | BOOLEAN | --tlsv1_3 | Test the server for TLS 1.3 support. |
| xmpp-to | STRING | --xmpp_to | Hostname for the 'to' attribute of the XMPP stream when using STARTTLS XMPP. Defaults to the server's hostname. |
| certinfo | BOOLEAN | --certinfo | Retrieve and analyze the server's certificate(s) to verify validity. |
| fallback | BOOLEAN | --fallback | Test the server for the TLS_FALLBACK_SCSV mechanism that prevents downgrade attacks. |
| starttls | STRING | --starttls | Perform a StartTLS handshake: auto, smtp, xmpp, xmpp_server, pop3, imap, ftp, ldap, rdp, or postgres. auto deduces the protocol from the port. |
| early-data | BOOLEAN | --early_data | Test the server for TLS 1.3 early data support. |
| heartbleed | BOOLEAN | --heartbleed | Test the server for the OpenSSL Heartbleed vulnerability. |
| targets-in | FILE | --targets_in | Read the list of targets to scan from a file, one host:port per line. |
| compression | BOOLEAN | --compression | Test the server for TLS compression support, which can enable a CRIME attack. |
| openssl-ccs | BOOLEAN | --openssl_ccs | Test the server for the OpenSSL CCS injection vulnerability (CVE-2014-0224). |
| http-headers | BOOLEAN | --http_headers | Test the server for the presence of security-related HTTP headers. |
| https-tunnel | STRING | --https_tunnel | Tunnel traffic through an HTTP CONNECT proxy at 'http://USER:PW@HOST:PORT/'. Only Basic authentication is supported. |
| mozilla-config | STRING | --mozilla_config | Queue the scan commands to grade the server against a Mozilla recommended TLS configuration. Defaults to intermediate; set disable to skip. |
| resum-attempts | STRING | --resum_attempts | Used with --resum. Number of session resumptions to attempt (default 5); a higher value like 100 gives a more accurate success rate. |
| elliptic-curves | BOOLEAN | --elliptic_curves | Test the server for supported elliptic curves. |
| slow-connection | BOOLEAN | --slow_connection | Reduce the number of concurrent connections for slower but more reliable scans over slow links or fragile servers. |
| certinfo-ca-file | FILE | --certinfo_ca_file | Used with certinfo. PEM file of root certificates to verify the server certificate's validity. |
example
# TLS scan of one host: certificate, Heartbleed, ROBOT, and Mozilla baselinesslyze --certinfo --heartbleed --robot --mozilla_config=intermediate example.com:443 SCAN RESULTS FOR EXAMPLE.COM:443 - 198.51.100.23 ------------------------------------------------ * SSL 2.0 Cipher Suites: The server rejected all cipher suites. * TLS 1.2 Cipher Suites: The server accepted 5 cipher suites. * TLS 1.3 Cipher Suites: The server accepted 3 cipher suites. * Heartbleed: OK - Not vulnerable to Heartbleed. * ROBOT Attack: OK - Not vulnerable, no oracle detected. * Certificate Information: Trusted chain, leaf expires 2027-01-14. COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION (intermediate): OK - Compliant.guidance
Use sslyze when you need a deep, accurate read of a server's TLS posture, including named vulnerabilities and a Mozilla baseline check. For a quick liveness-plus-tech probe across many hosts, httpx is lighter. Feed sslyze hosts from discovery and probing for full-estate TLS coverage.
Thorough shell-based TLS scanner. sslyze is faster across many hosts and emits cleaner structured output.
Fast TLS grabber for wide scopes. sslyze goes deeper on vulnerabilities and config baselines.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
A host list is probed by httpx, then sslyze scans the live servers' TLS configuration and writes the report as output.
Facts on this page come from the live Trickest tool library.