A fast, portable TLS/SSL security scanner built for red teamers and penetration testers. Detects deprecated protocol versions, weak cipher suites, missing downgrade protection, and certificate expiry — with colour-coded CLI output and a ready-to-share Excel report.
Built and tested on Kali Linux. Requires Python 3.8+ and OpenSSL CLI.
| Check | Severity | Detail |
|---|---|---|
| SSLv2 | 🔴 CRITICAL | RFC 6176 — completely broken |
| SSLv3 | 🔴 CRITICAL | CVE-2014-3566 POODLE |
| TLS 1.0 | 🔴 CRITICAL | CVE-2011-3389 BEAST / RFC 8996 |
| TLS 1.1 | 🟠 HIGH | RFC 8996 — deprecated |
| TLS_FALLBACK_SCSV | 🟠 HIGH | RFC 7507 — downgrade protection |
| Weak Ciphers | 🟡 WEAK | NULL, EXPORT, RC4, 3DES/SWEET32, RC2, Anonymous DH, MD5 MAC, Weak CBC |
| Certificate Expiry | 🔴/🟡 | EXPIRED / ≤30d CRITICAL / ≤90d WARNING |
- IANA cipher names displayed alongside OpenSSL names (e.g. `TLS_RSA_WITH_3DES_EDE_CBC_SHA`)
- CVE references and weakness reason for every finding
- Bulk scanning from a target file — one IP or hostname per line
- Excel report with 3 sheets: Summary, By Vulnerability (IPs grouped per finding), Stats
- Exit codes for CI/CD pipeline integration
```
────────────────────────────────────────────────────────────────────────
GROUPED RESULTS
────────────────────────────────────────────────────────────────────────
[CRITICAL] SSLv2 : [all good]
[CRITICAL] SSLv3 : [all good]
[CRITICAL] TLS 1.0 : ENABLED → 34.8.27.99
[HIGH] TLS 1.1 : ENABLED → 34.8.27.99
[HIGH] TLS_FALLBACK_SCSV : [all good]
WEAK CIPHER RESULTS
────────────────────────────────────────────────────────────────────────
[WEAK] TLS_RSA_WITH_3DES_EDE_CBC_SHA
OpenSSL: DES-CBC3-SHA [DES/3DES]
↳ 3DES 112-bit effective — SWEET32 (CVE-2016-2183), SHA-1 MAC
→ 34.8.27.99, sftpam.example.com
```

```
sftpam.example.com (27.118.33.229) :443
✔ SSLv2 OK
✔ SSLv3 OK
✖ TLS 1.0 ENABLED CVE-2011-3389 BEAST / RFC 8996
✖ TLS 1.1 ENABLED RFC 8996
✔ TLS_FALLBACK_SCSV OK
⚠ Weak Ciphers TLS_RSA_WITH_AES_256_CBC_SHA (OpenSSL: AES256-SHA)
↳ RSA key exchange (no PFS), AES-256-CBC, SHA-1 MAC
✔ Cert CN sftpam.example.com issuer: DigiCert Inc
✔ Cert Expiry Jan 5 23:59:59 2027 GMT [299d remaining] [OK]
```
Three sheets generated automatically:
- Summary — one row per host, all checks colour-coded
- By Vulnerability — IPs bucketed per finding (copy-paste for reports)
- Stats — finding counts at a glance
```bash
# Python 3.8+
python3 --version
# OpenSSL CLI (used for SCSV probe + cert parsing)
openssl version
# Python dependency
pip install openpyxl
```

Note: `openpyxl` is only required if you use `--out` to generate Excel reports. The scanner runs without it for CLI-only output.
```bash
git clone https://github.com/Mu3htak/tls_scanner.git
cd tls_scanner
pip install openpyxl
```

```bash
python3 tls_scanner.py 192.168.1.1
python3 tls_scanner.py honey.scanme.sh
python3 tls_scanner.py 10.0.0.5 --port 8443
```

```bash
python3 tls_scanner.py targets.txt
python3 tls_scanner.py targets.txt --out report.xlsx
python3 tls_scanner.py targets.txt --no-detail --out report.xlsx
```

```
target            IP, hostname, or path to target file
--port / -p       TCP port (default: 443)
--timeout / -t    Seconds per probe (default: 5)
--out / -o FILE   Save Excel report to FILE (.xlsx)
--no-detail       Grouped summary only — skip per-host table
```
```
# One IP or hostname per line
# Lines starting with # are ignored
192.168.1.1
10.0.0.5
honey.scanme.sh
api.example.com
```
| Code | Meaning |
|---|---|
| 0 | No vulnerabilities found |
| 1 | One or more vulnerabilities found |
| 2 | Bad arguments / usage error |
Useful for CI/CD:

```bash
python3 tls_scanner.py targets.txt && echo "All clean" || echo "Vulnerabilities found"
```

| Check | Method |
|---|---|
| SSLv2 | Raw TCP ClientHello (Python `ssl` module dropped SSLv2 support) |
| SSLv3 | Raw TCP ClientHello |
| TLS 1.0 / 1.1 | Python `ssl` module with pinned `minimum_version` / `maximum_version` |
| TLS_FALLBACK_SCSV | `openssl s_client -fallback_scsv -tls1_1` subprocess — identical to sslscan |
| Weak Ciphers | Python `ssl` with `@SECLEVEL=0` and weak cipher string, checks accepted suite |
| Certificate | `getpeercert(binary_form=True)` DER bytes → `openssl x509` subprocess parse |
SCSV detection note: A raw socket probe fails on modern OpenSSL 3.x servers because they reject malformed ClientHellos with Alert 40 (handshake_failure) regardless of SCSV. The openssl s_client subprocess approach uses SSL_MODE_SEND_FALLBACK_SCSV internally, producing a valid handshake — matching sslscan's exact behaviour.
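For the Certificate row, the expiry thresholds from the check table (EXPIRED / ≤30d CRITICAL / ≤90d WARNING) can be applied to the `notAfter` string that `openssl x509` prints. This is an added example, not tls_scanner's own code; the function names and the whole-day rounding are assumptions.

```python
# Added example: bucket a certificate's notAfter value using the README's
# thresholds. Function names and rounding are assumptions, not the tool's code.
import ssl
from datetime import datetime, timezone

CRITICAL_DAYS = 30   # thresholds taken from the README's check table
WARNING_DAYS = 90

# Date string as it appears in the README's sample per-host output.
SAMPLE_NOT_AFTER = "Jan 5 23:59:59 2027 GMT"


def days_remaining(not_after, now):
    """Whole days from `now` (aware datetime) until an OpenSSL-style notAfter."""
    # Accept the raw `openssl x509 -noout -enddate` line or the bare date.
    not_after = not_after.strip()
    if not_after.startswith("notAfter="):
        not_after = not_after[len("notAfter="):]
    expiry = ssl.cert_time_to_seconds(not_after)       # epoch seconds, UTC
    # Floor division: one second past expiry already yields -1.
    return int((expiry - now.timestamp()) // 86400)


def classify_expiry(not_after, now=None):
    """Return (status, days); status is EXPIRED, CRITICAL, WARNING or OK."""
    now = now or datetime.now(timezone.utc)
    days = days_remaining(not_after, now)
    if days < 0:
        return "EXPIRED", days
    if days <= CRITICAL_DAYS:
        return "CRITICAL", days
    if days <= WARNING_DAYS:
        return "WARNING", days
    return "OK", days


if __name__ == "__main__":
    # Constructed clock value so the result is reproducible.
    clock = datetime(2026, 3, 12, 12, 0, tzinfo=timezone.utc)
    status, days = classify_expiry(SAMPLE_NOT_AFTER, clock)
    print(f"Cert Expiry {SAMPLE_NOT_AFTER} [{days}d remaining] [{status}]")
```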
| Category | Examples | Risk |
|---|---|---|
| NULL | TLS_RSA_WITH_NULL_SHA | No encryption |
| EXPORT | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | FREAK attack |
| RC4 | TLS_RSA_WITH_RC4_128_SHA | Biased keystream |
| DES/3DES | TLS_RSA_WITH_3DES_EDE_CBC_SHA | SWEET32 CVE-2016-2183 |
| RC2 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | FREAK attack |
| Anonymous DH | TLS_DH_anon_WITH_AES_128_CBC_SHA | No server authentication |
| MD5 MAC | TLS_RSA_WITH_NULL_MD5 | Collision attacks |
| Weak CBC | TLS_RSA_WITH_AES_256_CBC_SHA | No PFS, SHA-1 MAC |
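The categories above can be derived from the structure of an IANA suite name (`TLS_<key exchange>_WITH_<cipher>_<MAC>`). The following is an added example, not tls_scanner's own code: the matching rules, function names and sample hosts are assumptions, and the grouping step mimics the report's By Vulnerability sheet.

```python
# Added example, not tls_scanner's code: the matching rules are assumptions.
EPHEMERAL_KX = {"DHE", "ECDHE"}   # key exchanges that give forward secrecy


def parse_suite(name):
    """Split TLS_<kx>_WITH_<cipher>_<mac> into (kx tokens, cipher, mac)."""
    kx, rest = name[len("TLS_"):].split("_WITH_", 1)
    cipher, _, mac = rest.rpartition("_")
    return kx.split("_"), cipher, mac


def classify(name):
    """Return the README categories an IANA suite name falls into."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return []   # e.g. TLS 1.3 names, which have no _WITH_ part
    kx, cipher, mac = parse_suite(name)
    checks = [
        ("NULL", cipher == "NULL"),
        ("EXPORT", "EXPORT" in kx),
        ("RC4", cipher.startswith("RC4")),
        ("DES/3DES", cipher.startswith(("DES", "3DES"))),
        ("RC2", cipher.startswith("RC2")),
        ("Anonymous DH", "anon" in kx),
        ("MD5 MAC", mac == "MD5"),
    ]
    found = [label for label, hit in checks if hit]
    # Assumed rule: report CBC without forward secrecy only when no category
    # above applies, matching the single-category rows in the table.
    if not found and "CBC" in cipher.split("_") and not EPHEMERAL_KX & set(kx):
        found.append("Weak CBC")
    return found


def group_hosts(accepted):
    """Bucket hosts per category, like the report's By Vulnerability sheet."""
    buckets = {}
    for host, suites in accepted.items():
        for suite in suites:
            for label in classify(suite):
                buckets.setdefault(label, set()).add(host)
    return {label: sorted(hosts) for label, hosts in buckets.items()}


# Constructed sample: accepted suites per host (RFC 5737 documentation IPs).
SAMPLE = {
    "192.0.2.10": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"],
    "192.0.2.20": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_SHA"],
    "192.0.2.30": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
}
```

A suite can land in several categories at once: `TLS_RSA_EXPORT_WITH_RC4_40_MD5` is reported as EXPORT, RC4 and MD5 MAC.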
This tool is intended for authorised security testing only.
Only scan systems you own or have explicit written permission to test.
The author is not responsible for any misuse or damage caused by this tool.
MIT License — see LICENSE