10 Free SSL / TLS Diagnostic Tools for the Webmaster

Original author: Chandan Kumar
  • Transfer
You are often forced to solve SSL / TLS issues if you are working as a web engineer, webmaster or system administrator.

There are many online tools for working with SSL certificates , testing weaknesses in the SSL / TLS protocols, but when it comes to testing the internal network based on the URL, VIP, IP, then they are unlikely to be useful. To diagnose internal network resources, you need separate software / tools that you can install on your network and perform the necessary checks. Various scenarios are possible, for example:








The following tools will be helpful in troubleshooting such problems.

Open source tools to troubleshoot SSL / TLS issues:


  1. Deepviolet
  2. SSL Diagnos
  3. SSLyze
  4. Openssl
  5. SSL Labs Scan
  6. SSL Scan
  7. Test SSL
  8. TLS Scan
  9. Cipher scan
  10. SSL Audit

1. DeepViolet


DeepViolet is a Java / SSL-based SSL / TLS analysis tool, available in binary code, and you can also compile it from source code.

If you are looking for an alternative to SSL Labs for use on the internal network, DeepViolet would be a good choice. It scans the following:

  • using weak encryption;
  • weak signature algorithm;
  • certificate revocation status;
  • certificate validity status ;
  • visualization of chain of trust, self-signed root certificate.

2. SSL Diagnos


Quickly assess the reliability of SSL on your website. SSL Diagnos analyzes the SSL protocol, encryption algorithms, vulnerabilities Heartbleed , BEAST.

Not only used for HTTPS, you can check the stability of SSL for SMTP, SIP, POP3 and FTPS.

3. SSLyze


SSLyze is a Python library and command-line tools that connect to the SSL endpoint and scan to detect any missed SSL / TLS configuration.

Scanning through SSLyze is fast because the verification is distributed across multiple processes. If you are a developer or want to integrate into your existing application, then you have the opportunity to write the result in XML or JSON format.

SSLyze is also available in Kali Linux .

4. OpenSSL


Do not underestimate OpenSSL - one of the most powerful stand-alone tools available for Windows or Linux to perform various tasks related to SSL, such as verification, generating CSR, converting certificate formats , etc.

5. SSL Labs Scan


Love Qualys SSL Labs? You are not alone - I like it too.

If you are looking for a command line tool for SSL Labs for automated or mass testing, then SSL Labs Scan will certainly be useful.

6. SSL Scan


SSL Scan is compatible with Windows, Linux and Mac. SSL Scan helps to quickly determine the following indicators:

  • backlight SSLv2 / SSLv3 / CBC / 3DES / RC4 encryption;
  • reporting weak (<40 bits), zero or unknown encryption;
  • check TLS compression, Heartbleed vulnerability;
  • and much moreā€¦

If you are working on problems related to encryption, then SSL Scan will be a useful tool to speed up troubleshooting.

7. Test SSL


As the name implies, TestSSL is a command line tool that is compatible with Linux and other OS. He checks all the most important indicators and shows what is in order and what is not.

for example
Testing protocols via sockets except SPDY+HTTP2

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN h2, spdy/3.1, http/1.1 (advertised)
HTTP2/ALPN h2, spdy/3.1, http/1.1 (offered)

Testing ~standard cipher categories

NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES encryption (w/o export) not offered (OK)
Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK)
Triple DES Ciphers (Medium) not offered (OK)
High encryption (AES+Camellia, no AEAD) offered (OK)
Strong encryption (AEAD ciphers) offered (OK)

Testing server preferences

Has server cipher order? yes (OK)
Negotiated protocol TLSv1.2
Negotiated cipher ECDHE-ECDSA-CHACHA20-POLY1305-OLD, 256 bit ECDH (P-256)
Cipher order
TLSv1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA
TLSv1.1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA
TLSv1.2: ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-CHACHA20-POLY1305-OLD
ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256 AES128-GCM-SHA256 AES128-SHA AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 AES256-GCM-SHA384
AES256-SHA AES256-SHA256

Testing vulnerabilities

Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
Can be ignored for static pages or if no secrets in the page
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=EDF8A1A3D0FFCBE0D6EA4C44DB5F4BE1A7C2314D1458ADC925A30AA6235B9820 could help you to find out
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA
AES256-SHA DES-CBC3-SHA
VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
LUCKY13 (CVE-2013-0169) VULNERABLE, uses cipher block chaining (CBC) ciphers
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)


As you can see, it covers a large number of vulnerabilities, encryption preferences, protocols, etc.

TestSSL.sh is also available in the Docker image .

8. TLS Scan


You can build TLS-Scan from source code or download binary code for Linux / OSX. It extracts information from the certificate from the server and displays the following indicators in JSON format:

  • hostname verification;
  • TLS compression test;
  • Verification of the version numbering of encryption and TLS;
  • check reuse sessions.

It supports TLS, SMTP, STARTTLS and MySQL protocols. You can also integrate the results into a log analyzer , for example, such as Splunk, ELK.

9. Cipher Scan


A quick tool to analyze which types of encryption are supported on websites using the HTTPS protocol. Cipher Scan also provides the ability to display results in JSON format. This is a shell using the OpenSSL package commands.

10. SSL Audit


SSL Audit is an open source tool for certificate verification and protocol support, encryption and standards based on SSL Labs.

I hope that the open source tools mentioned above will help you integrate continuous scanning into your current log analyzers and facilitate troubleshooting.


Go to VPS.today - a site for searching virtual servers. 1500 tariffs from 130 hosters, convenient interface and a large number of criteria for finding the best virtual server.


Also popular now: