__ _______________________ _________._________________________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

sslyze Cheatsheet

← Back to cheatsheets

← Home

SSLyze is a fast and powerful SSL/TLS scanning tool. It analyzes SSL/TLS configuration to detect misconfigurations, weak ciphers, and vulnerabilities like Heartbleed, ROBOT, and more.

Basic Usage

  • sslyze <hostname> - Basic scan
  • sslyze <hostname>:<port> - Scan specific port
  • sslyze --targets_in=hosts.txt - Scan from file

Scan Commands

  • --sslv2 - Check for SSLv2 support
  • --sslv3 - Check for SSLv3 support
  • --tlsv1 - Check for TLSv1.0 support
  • --tlsv1_1 - Check for TLSv1.1 support
  • --tlsv1_2 - Check for TLSv1.2 support
  • --tlsv1_3 - Check for TLSv1.3 support

Vulnerability Scans

  • --heartbleed - Test for Heartbleed vulnerability
  • --openssl_ccs - Test for OpenSSL CCS Injection
  • --robot - Test for ROBOT vulnerability
  • --fallback - Test for TLS Fallback SCSV
  • --reneg - Test for session renegotiation
  • --resum - Test for session resumption
  • --early_data - Test for TLS 1.3 early data

Certificate Checks

  • --certinfo - Certificate and chain information

Cipher Suites

  • --http_headers - Check security headers (HSTS, etc.)
  • --compression - Test for TLS compression (CRIME)
  • --elliptic_curves - Supported elliptic curves

Output Options

  • --json_out=file.json - JSON output
  • --quiet - Quiet mode (less output)
  • --mozilla_config - Compare against Mozilla config

Connection Options

  • --slow_connection - Longer timeouts for slow connections
  • --https_tunnel=proxy:port - Use HTTPS proxy
  • --starttls=protocol - Use STARTTLS (smtp, imap, etc.)
  • --xmpp_to=domain - For XMPP STARTTLS
  • --sni=hostname - Server Name Indication

STARTTLS Protocols

  • smtp - SMTP STARTTLS
  • xmpp - XMPP STARTTLS
  • xmpp_server - XMPP Server STARTTLS
  • ftp - FTP STARTTLS
  • pop3 - POP3 STARTTLS
  • imap - IMAP STARTTLS
  • ldap - LDAP STARTTLS
  • rdp - RDP STARTTLS
  • postgres - PostgreSQL STARTTLS

Common Examples

Full Scan

sslyze example.com

Complete SSL/TLS analysis.

Specific Port

sslyze example.com:8443

Scan non-standard HTTPS port.

Check All Protocol Versions

sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 example.com

Test all SSL/TLS versions.

Vulnerability Check

sslyze --heartbleed --robot --openssl_ccs example.com

Check for common vulnerabilities.

Certificate Info

sslyze --certinfo example.com

Get certificate details.

SMTP STARTTLS

sslyze --starttls=smtp mail.example.com:25

Test mail server TLS.

JSON Output

sslyze --json_out=results.json example.com

Save results as JSON.

Multiple Targets

sslyze --targets_in=hosts.txt --json_out=results.json

Scan multiple hosts from file.

Check Security Headers

sslyze --http_headers example.com

Check HSTS and other headers.

Mozilla Compliance

sslyze --mozilla_config=intermediate example.com

Compare against Mozilla recommended config.

What to Look For

Bad (Vulnerabilities)

  • SSLv2 or SSLv3 enabled
  • TLSv1.0 or TLSv1.1 enabled
  • Heartbleed vulnerable
  • ROBOT attack vulnerable
  • Weak cipher suites (RC4, DES, etc.)
  • Expired/invalid certificates
  • Missing HSTS header
  • TLS compression enabled (CRIME)

Good (Secure Config)

  • Only TLSv1.2 and TLSv1.3
  • Strong cipher suites only
  • Valid certificate chain
  • HSTS enabled with long max-age
  • Forward secrecy (ECDHE/DHE)

Tips

  • Run full scans to get complete picture
  • Use JSON output for automated processing
  • Check mail servers with STARTTLS option
  • Compare against Mozilla configurations
  • Disable SSLv2, SSLv3, TLSv1.0, TLSv1.1
  • Use strong ciphers only
  • Great for compliance checks (PCI-DSS, etc.)
  • Combine with testssl.sh for comprehensive testing

← Back to cheatsheets

← Home