Module 04 · SSL/TLS
Flag: --skip-ssl
Info
This module is automatically skipped if the target is served over plain HTTP. In that case, a HIGH finding is raised: "Target is served over HTTP (no TLS)".
Checks performed
Protocol support
Flags deprecated and vulnerable protocols:
| Protocol | Severity |
|---|---|
| SSLv2 | HIGH |
| SSLv3 | HIGH |
| TLS 1.0 | HIGH |
| TLS 1.1 | HIGH |
| TLS 1.2 | ✅ Acceptable |
| TLS 1.3 | ✅ Preferred |
Cipher suites
Flags weak or broken ciphers:
- RC4, NULL, EXPORT, anonymous (anon), DES, 3DES → HIGH
Certificate validity
| Condition | Severity |
|---|---|
| Certificate expired | CRITICAL |
| Expires in < 14 days | CRITICAL |
| Expires in < 30 days | HIGH |
| Expires in < 90 days | MEDIUM |
| Self-signed / untrusted | HIGH |
HSTS
| Condition | Severity |
|---|---|
| HSTS header absent | MEDIUM |
| max-age < 15552000 (6 months) | LOW |
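
The certificate-validity and HSTS tables above, written out as a classifier. This is an added example, not the scanner's own code: the function names are hypothetical, and treating a header with no parsable `max-age` as absent is an assumption the tables do not cover.

```python
import re
import ssl
from datetime import datetime, timezone

DAY = 86400
HSTS_MIN_MAX_AGE = 15552000  # 6 months, threshold from the HSTS table

def cert_findings(not_after, now, trusted=True):
    """Map a notAfter string (ssl.getpeercert() format) to (severity, condition) pairs."""
    findings = []
    remaining = ssl.cert_time_to_seconds(not_after) - now.timestamp()
    if remaining < 0:
        findings.append(("CRITICAL", "Certificate expired"))
    else:
        # Thresholds are strict "<", so exactly 14 days left falls into the 30-day tier.
        for days, severity in ((14, "CRITICAL"), (30, "HIGH"), (90, "MEDIUM")):
            if remaining < days * DAY:
                findings.append((severity, f"Expires in < {days} days"))
                break
    if not trusted:
        findings.append(("HIGH", "Self-signed / untrusted"))
    return findings

def hsts_findings(header):
    """Map a Strict-Transport-Security header value (None if not sent) to findings."""
    if header is None:
        return [("MEDIUM", "HSTS header absent")]
    max_age = None
    for directive in header.split(";"):
        # Directive names are case-insensitive and the value may be quoted.
        m = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
            break
    if max_age is None:
        # Assumption: no parsable max-age is reported like a missing header.
        return [("MEDIUM", "HSTS header absent")]
    if max_age < HSTS_MIN_MAX_AGE:
        return [("LOW", f"max-age {max_age} < {HSTS_MIN_MAX_AGE}")]
    return []

if __name__ == "__main__":
    # Constructed sample values, not output from a real scan.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(cert_findings("Jan 10 00:00:00 2025 GMT", now))
    print(cert_findings("Dec 31 00:00:00 2024 GMT", now, trusted=False))
    print(hsts_findings("max-age=300; includeSubDomains"))
```
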
Tool priority
- testssl.sh — comprehensive analysis, JSON output parsed automatically
- sslscan — protocol and cipher enumeration
- openssl — fallback, manual protocol checks