From aldeid
Jump to navigation Jump to search
You might also see: Watobo, SSL checker plugin


SSLScan is a fast SSL port scanner. It connects to SSL ports and determines what ciphers are supported, which are the servers preferred ciphers, which SSL protocols are supported and returns the SSL certificate. Client certificates / private key can be configured and output is to text / XML.


$ sudo apt-get install sslscan


Basic syntax

$ sslscan [Options] [host:port | host]


A file containing a list of hosts to check. Hosts can be supplied with ports (i.e. host:port).
List only accepted ciphers (default is to listing all ciphers).
Only check SSLv2 ciphers.
Only check SSLv3 ciphers.
Only check TLSv1 ciphers.
A file containing the private key or a PKCS#12 file containing a private key/certificate pair (as produced by MSIE and Netscape).
The password for the private key or PKCS#12 file.
A file containing PEM/ASN1 formatted client certificates.
If a STARTTLS is required to kick an SMTP service into action.
Test a HTTP connection.
Enable SSL implementation bug workarounds.
Output results to an XML file.
Display the program version.
Display the help text you are now reading.


$ sslscan
           ___ ___| |___  ___ __ _ _ __                                                              
          / __/ __| / __|/ __/ _` | '_ \                                                             
          \__ \__ \ \__ \ (_| (_| | | | |                                                            
          |___/___/_|___/\___\__,_|_| |_|                                                            
                  Version 1.8.2                                                                      
        Copyright Ian Ventura-Whiting 2009                                                           
Testing SSL server on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2  56 bits   DES-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3  56 bits   DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3  40 bits   EXP-RC4-MD5
    Rejected  SSLv3  0 bits    NULL-SHA
    Rejected  SSLv3  0 bits    NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1  56 bits   DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1  40 bits   EXP-RC4-MD5
    Rejected  TLSv1  0 bits    NULL-SHA
    Rejected  TLSv1  0 bits    NULL-MD5

  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    Not valid before: Dec 18 00:00:00 2009 GMT
    Not valid after: Dec 18 23:59:59 2011 GMT
    Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Modulus (1024 bit):
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Basic Constraints: critical
      X509v3 CRL Distribution Points: 

      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
      Authority Information Access: 
        OCSP - URI:
        CA Issuers - URI:

  Verify Certificate:
    unable to get local issuer certificate