Home

Awesome

sslscan2

sslscan version 2 has now been released. This includes a major rewrite of the backend scanning code, which means that it is no longer reliant on the version of OpenSSL for many checks. This means that it is possible to support legacy protocols (SSLv2 and SSLv3), as well as supporting TLSv1.3 - regardless of the version of OpenSSL that it has been compiled against.

This has been made possible largely by the work of jtesta, who has been responsible for most of the backend rewrite.

Other key changes include:

XML Output Changes

A potentially breaking change has been made to the XML output in version 2.0.0-beta4. Previously, multiple <certificate> elements could be returned (one by default, and a second one if --show-certificate was used).

The key changes are:

If you are using the XML output, then you may need to make changes to your parser.

README

ci

This is a fork of ioerror's version of sslscan (the original readme of which is included below) by rbsec (robin@rbsec.net).

Key changes are as follows:

Building on Linux

It is possible to ignore the OpenSSL system installation and ship your own version. Although this results in a more resource-heavy sslscan binary (file size, memory consumption, etc.), this allows some additional checks such as TLS compression.

To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies. The commands below can be used to do this on Debian. If you don't have them already, you will need to enable the deb-src repos in your apt config. sslscan was primarily developed on Debian, so if you are compiling on other distributions your mileage may vary.

apt-get install build-essential git zlib1g-dev
apt-get build-dep openssl

Then run

make static

This will clone the OpenSSL repository, and configure/compile/test OpenSSL prior to compiling sslscan.

Please note: Out of the box, OpenSSL cannot compiled with clang without further customization (which is not done by the provided Makefile). For more information on this, see Modifying Build Settings in the OpenSSL wiki.

You can verify whether you have a statically linked OpenSSL version, by checking whether the version listed by sslscan --version has the -static suffix.

Building with Docker

Ensure that you local Docker installation is functional, and the build the container with:

make docker

Or manually with:

docker build -t sslscan:sslscan .

You can then run sslscan with:

docker run --rm -ti sslscan:sslscan --help

Building on Windows

Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions.

Note that sslscan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental.

Pre-build cross-compiled Windows binaries are available on the GitHub Releases Page.

Building on OS X

There is experimental support for statically building on OS X, however this should be considered unsupported. You may need to install any dependencies required to compile OpenSSL from source on OS X. Once you have, just run:

make static

Original (ioerror) README

This is a fork of sslscan.c to better support STARTTLS.

The original home page of sslscan is:

http://www.titania.co.uk

sslscan was originally written by:

Ian Ventura-Whiting

The current home page of this fork (until upstream merges a finished patch) is:

http://www.github.com/ioerror/sslscan

Most of the pre-TLS protocol setup was inspired by the OpenSSL s_client.c program. The goal of this fork is to eventually merge with the original project after the STARTTLS setup is polished.

Some of the OpenSSL setup code was borrowed from The Tor Project's Tor program. Thus it is likely proper to comply with the BSD license by saying: Copyright (c) 2007-2010, The Tor Project, Inc.