Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.

Features • Installation • Usage • Running tlsx • Join Discord

A fast and configurable TLS grabber focused on TLS based data collection and analysis.



  • Fast And fully configurable TLS Connection
  • Multiple Modes for TLS Connection
  • Multiple TLS probes
  • Auto TLS Fallback for older TLS version
  • Pre Handshake TLS connection (early termination)
  • Customizable Cipher / SNI / TLS selection
  • JARM/JA3 TLS Fingerprint
  • TLS Misconfigurations
  • ASN,CIDR,IP,HOST, and URL input
  • STD IN/OUT and TXT/JSON output


tlsx requires Go 1.20 to install successfully. To install, just run the below command or download pre-compiled binary from release page.

go install


tlsx -h

This will display help for the tool. Here are all the switches it supports.

TLSX is a tls data gathering and analysis toolkit.

  tlsx [flags]

   -u, -host string[]  target host to scan (-u INPUT1,INPUT2)
   -l, -list string    target list to scan (-l INPUT_FILE)
   -p, -port string[]  target port to connect (default 443)

   -sm, -scan-mode string     tls connection mode to use (ctls, ztls, openssl, auto) (default "auto")
   -ps, -pre-handshake        enable pre-handshake tls connection (early termination) using ztls
   -sa, -scan-all-ips         scan all ips for a host (default false)
   -iv, -ip-version string[]  ip version to use (4, 6) (default 4)

   -san                     display subject alternative names
   -cn                      display subject common names
   -so                      display subject organization name
   -tv, -tls-version        display used tls version
   -cipher                  display used cipher
   -hash string             display certificate fingerprint hashes (md5,sha1,sha256)
   -jarm                    display jarm fingerprint hash
   -ja3                     display ja3 fingerprint hash (using ztls)
   -wc, -wildcard-cert      display host with wildcard ssl certificate
   -tps, -probe-status      display tls probe status
   -ve, -version-enum       enumerate and display supported tls versions
   -ce, -cipher-enum        enumerate and display supported cipher
   -ct, -cipher-type value  ciphers types to enumerate. possible values: all/secure/insecure/weak (comma-separated) (default all)
   -ch, -client-hello       include client hello in json output (ztls mode only)
   -sh, -server-hello       include server hello in json output (ztls mode only)
   -se, -serial             display certificate serial number

   -ex, -expired      display host with host expired certificate
   -ss, -self-signed  display host with self-signed certificate
   -mm, -mismatched   display host with mismatched certificate
   -re, -revoked      display host with revoked certificate
   -un, -untrusted    display host with untrusted certificate

   -config string               path to the tlsx configuration file
   -r, -resolvers string[]      list of resolvers to use
   -cc, -cacert string          client certificate authority file
   -ci, -cipher-input string[]  ciphers to use with tls connection
   -sni string[]                tls sni hostname to use
   -rs, -random-sni             use random sni when empty
   -rps, -rev-ptr-sni           perform reverse PTR to retrieve SNI from IP
   -min-version string          minimum tls version to accept (ssl30,tls10,tls11,tls12,tls13)
   -max-version string          maximum tls version to accept (ssl30,tls10,tls11,tls12,tls13)
   -cert, -certificate          include certificates in json output (PEM format)
   -tc, -tls-chain              include certificates chain in json output
   -vc, -verify-cert            enable verification of server certificate
   -ob, -openssl-binary string  OpenSSL Binary Path
   -hf, -hardfail               strategy to use if encountered errors while checking revocation status

   -c, -concurrency int  number of concurrent threads to process (default 300)
   -cec, -cipher-concurrency int  cipher enum concurrency for each target (default 10)
   -timeout int          tls connection timeout in seconds (default 5)
   -retry int            number of retries to perform for failures (default 3)
   -delay string         duration to wait between each connection per thread (eg: 200ms, 1s)

   -up, -update                 update tlsx to latest version
   -duc, -disable-update-check  disable automatic tlsx update check

   -o, -output string  file to write output to
   -j, -json           display output in jsonline format
   -dns                display unique hostname from SSL certificate response
   -ro, -resp-only     display tls response only
   -silent             display silent output
   -nc, -no-color      disable colors in cli output
   -v, -verbose        display verbose output
   -version            display project version

   -health-check, -hc  run diagnostic check up

Using tlsx as library

Examples of using tlsx as library are provided in the examples folder.

Running tlsx

Input for tlsx

tlsx requires ip to make TLS connection and accept multiple format as listed below:

AS1449 # ASN input # CIDR input # IP input # DNS input # DNS input with port # URL input port

Input host can be provided using -host / -u flag, and multiple values can be provided using comma-separated input, similarly file input is supported using -list / -l flag.

Example of comma-separated host input:

$ tlsx -u,,, -silent

Example of file based host input:

$ tlsx -list host_list.txt

Port Input:

tlsx connects on port 443 by default, which can be customized using -port / -p flag, single or multiple ports can be specified using comma sperated input or new line delimited file containing list of ports to connect.

Example of comma-separated port input:

$ tlsx -u -p 443,8443

Example of file based port input:

$ tlsx -u -p port_list.txt


When input host contains port in it, for example, or, port specified with host will be used to make TLS connection instead of default or one provided using -port / -p flag.

TLS Probe (default run)

This will run the tool against the given CIDR range and returns hosts that accepts tls connection on port 443.

$ echo | tlsx 

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\  v0.0.1

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

SAN/CN Probe

TLS certificate contains DNS names under subject alternative name and common name field that can be extracted using -san, -cn flag.

$ echo | tlsx -san -cn -silent [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] []

For ease of automation, optionally -resp-only flag can be used to list only dns names in CLI output.

$ echo | tlsx -san -cn -silent -resp-only

subdomains obtained from TLS certificates can be further piped to other PD tools for further inspection, here is an example piping tls subdomains to dnsx to filter passive subdomains and passing to httpx to list hosts running active web services.

$ echo | tlsx -san -cn -silent -resp-only | dnsx -silent | httpx

    __    __  __       _  __
   / /_  / /_/ /_____ | |/ /
  / __ \/ __/ __/ __ \|   /
 / / / / /_/ /_/ /_/ /   |
/_/ /_/\__/\__/ .___/_/|_|
             /_/              v1.2.2

Use with caution. You are responsible for your actions.
Developers assume no liability and are not responsible for any misuse or damage.

TLS / Cipher Probe

$ subfinder -d | tlsx -tls-version -cipher [TLS1.3] [TLS_AES_128_GCM_SHA256] [TLS1.3] [TLS_AES_128_GCM_SHA256] [TLS1.3] [TLS_AES_128_GCM_SHA256] [TLS1.3] [TLS_AES_128_GCM_SHA256] [TLS1.3] [TLS_AES_128_GCM_SHA256] [TLS1.3] [TLS_AES_128_GCM_SHA256] [TLS1.2] [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

TLS Misconfiguration

Expired / Self Signed / Mismatched / Revoked / Untrusted Certificate

A list of host can be provided to tlsx to detect expired / self-signed / mismatched / revoked / untrusted certificates.

$ tlsx -l hosts.txt -expired -self-signed -mismatched -revoked -untrusted

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\  v0.0.1

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage. [mismatched] [self-signed] [expired] [revoked] [untrusted]

JARM TLS Fingerprint

$ echo | tlsx -jarm -silent [29d3dd00029d29d00042d43d00041d5de67cc9954cc85372523050f20b5007]

JA3 TLS Fingerprint

$ echo | tlsx -ja3 -silent [20c9baf81bfe96ff89722899e75d0190]

JSON Output

tlsx does support multiple probe flags to query specific data, but all the information is always available in JSON format, for automation and post processing using -json output is most convenient option to use.

echo | tlsx -json -silent | jq .
  "timestamp": "2022-08-22T21:22:59.799053+05:30",
  "host": "",
  "ip": "",
  "port": "443",
  "probe_status": true,
  "tls_version": "tls13",
  "cipher": "TLS_AES_256_GCM_SHA384",
  "not_before": "2022-03-14T00:00:00Z",
  "not_after": "2023-03-14T23:59:59Z",
  "subject_dn": ", O=Internet Corporation for Assigned Names and Numbers, L=Los Angeles, ST=California, C=US",
  "subject_cn": "",
  "subject_org": [
    "Internet Corporation for Assigned Names and Numbers"
  "subject_an": [
  "issuer_dn": "CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US",
  "issuer_cn": "DigiCert TLS RSA SHA256 2020 CA1",
  "issuer_org": [
    "DigiCert Inc"
  "fingerprint_hash": {
    "md5": "c5208a47259d540a6e3404dddb85af91",
    "sha1": "df81dfa6b61eafdffffe1a250240db5d2e6cee25",
    "sha256": "7f2fe8d6b18e9a47839256cd97938daa70e8515750298ddba2f3f4b8440113fc"
  "tls_connection": "ctls",
  "sni": ""


Scan Mode

tlsx provides multiple modes to make TLS Connection -

Some pointers for the specific mode / library is highlighted in linked discussions, auto mode is supported to ensure the maximum coverage and scans for the hosts running older version of TLS by retrying the connection using ztls and openssl mode upon any connection error.

An example of using ztls mode to scan website using old / outdated TLS version.

$ echo | tlsx -port 1010 -sm ztls

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\  v0.0.1

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.


To use the openssl connection mode, you will need to have openssl installed on your system. Most modern systems come with openssl pre-installed, but if it is not present on your system, you can install it manually. You can check if openssl is installed by running the command openssl version. If openssl is installed, this command will display the version number.

Pre-Handshake (Early Termination)

tlsx supports terminating SSL connection early which leads to faster scanning and less connection request (disconnecting after TLS serverhello and certificate data is gathered).

For more detail, please refer to Hunting-Certificates-And-Servers by @erbbysam

An example of using -pre-handshake mode:

$ tlsx -u -pre-handshake 

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\  v0.0.1

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.


pre-handshake mode utilizes ztls (zcrypto/tls) which also means the support is limited till TLS v1.2 as TLS v1.3 is not supported by ztls library.

TLS Version

Minimum and Maximum TLS versions can be specified using -min-version and -max-version flags, as default these value are set by underlying used library.

The acceptable values for TLS version is specified below.

  • ssl30
  • tls10
  • tls11
  • tls12
  • tls13

Here is an example using max-version to scan for hosts supporting an older version of TLS, i.e TLS v1.0

$ tlsx -u -max-version tls10

  _____ _    _____  __
 |_   _| |  / __\ \/ /
   | | | |__\__ \>  < 
   |_| |____|___/_/\_\  v0.0.1

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

Custom Cipher

Supported custom cipher can provided using -cipher-input / -ci flag, supported cipher list for each mode is available at wiki page.

$ tlsx -u -ci TLS_AES_256_GCM_SHA384 -cipher
$ tlsx -u -ci cipher_list.txt -cipher


This program optionally uses:

  • zcrypto library from the zmap team.
  • cfssl library from the cloudflare team
  • cipher data from for ciphersuite classification

tlsx is made with ❤️ by the projectdiscovery team and distributed under MIT License.

Join Discord