Self-Hosted SSL/TLS Scanning: testssl.sh vs SSLyze vs SSLScan 2026

SSL and TLS are the backbone of secure communication on the internet. But a misconfigured server, a weak cipher suite, or an expired protocol can expose your services to man-in-the-middle attacks, data interception, and compliance failures. The question is not whether your infrastructure is secure — it is whether you can prove it.

Self-hosted SSL/TLS scanning tools let you audit every endpoint on your network without sending sensitive infrastructure data to third-party cloud scanners. In this guide, we compare the three most widely used open-source SSL/TLS scanners: testssl.sh, SSLyze, and SSLScan.

Why Self-Host Your SSL/TLS Scanning

Commercial SSL testing services like Qualys SSL Labs are convenient, but they come with significant limitations for internal infrastructure:

• External-only scanning: Cloud scanners can only reach publicly accessible endpoints. Internal services behind firewalls remain unaudited.
• Rate limiting: Public services throttle requests, making batch scanning of hundreds of hosts impractical.
• Data privacy: Sending your internal hostnames and certificate chains to external services may violate compliance requirements (SOC 2, HIPAA, PCI DSS).
• No automation integration: Self-hosted tools integrate directly into CI/CD pipelines, cron jobs, and monitoring stacks.

By running SSL/TLS scans on your own infrastructure, you maintain full control over scan frequency, target selection, and result storage — critical for organizations managing dozens or hundreds of internal services.

Tool Overview

testssl.sh — The Comprehensive Auditor

testssl.sh is the most feature-complete SSL/TLS scanner available. Written in Bash with OpenSSL as its backend, it performs an exhaustive analysis of every protocol version, cipher suite, certificate property, and known vulnerability.

Installation

1
2
3
4
5
6
7

# Install from package manager (Debian/Ubuntu)
sudo apt install testssl.sh

# Or clone the latest version from GitHub
git clone https://github.com/testssl/testssl.sh.git
cd testssl.sh
./testssl.sh --help

Docker Deployment

1
2
3
4
5
6
7
8

version: "3.8"
services:
  testssl:
    image: drwetter/testssl.sh:latest
    restart: "no"
    command: ["--jsonfile", "/output/scan-results.json", "--color", "0", "https://example.com"]
    volumes:
      - ./scan-results:/output

Run the container:

1

docker compose up --abort-on-container-exit

Key Features

• Full vulnerability database: Tests for Heartbleed, CCS injection, POODLE (SSL and TLS), DROWN, FREAK, LogJam, ROBOT, CRIME, BREACH, Sweet32, and more.
• Certificate chain analysis: Validates the full chain against Mozilla’s trust store (CA bundle), detects expired or self-signed certificates, and checks OCSP stapling support.
• Protocol ranking: Grades each protocol version (A+ through F) and provides actionable remediation guidance.
• DNS security extensions: Verifies DNSSEC signatures, DANE/TLSA records, and CAA policies.
• Batch mode: Scan multiple hosts from a file with --file targets.txt and parallelize with --parallel N.

Example Output

1

./testssl.sh --wide https://api.example.com:443

The --wide flag produces tabular output that is easier to parse programmatically. For CI/CD integration, combine with --jsonfile and --color 0:

1
2

./testssl.sh --jsonfile /tmp/api-scan.json --color 0 --quiet https://api.example.com
echo $?  # Exit code 0 = no issues, non-zero = vulnerabilities found

SSLyze — The Developer’s Scanner

SSLyze is a Python-based SSL/TLS scanner designed for speed and programmatic access. It uses asynchronous I/O and a plugin architecture that makes it ideal for integration into automated testing pipelines.

Installation

1
2
3
4
5

# Install via pip
pip3 install sslyze

# Or install from system packages (Debian/Ubuntu)
sudo apt install sslyze

Docker Deployment

1
2
3
4
5
6
7
8

version: "3.8"
services:
  sslyze:
    image: nablac0d3/sslyze:latest
    restart: "no"
    entrypoint: ["sslyze", "--json_out", "/output/sslyze-results.json", "example.com:443"]
    volumes:
      - ./scan-results:/output

Key Features

• Plugin architecture: Modular scans for certificate info, cipher suites, vulnerabilities, and protocol support. Each plugin runs independently and can be enabled or disabled.
• Asynchronous scanning: Scans multiple targets concurrently using Python’s asyncio, making it significantly faster than sequential tools for large target lists.
• Programmatic API: SSLyze exposes a Python API that lets you embed scanning directly into your applications:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

from sslyze import (
    Scanner,
    ServerScanRequest,
    ScanCommand,
    ScanCommandsExtraData,
)

# Create a scanner with thread pool
scanner = Scanner()

# Queue a scan request
scanner.queue_scans([
    ServerScanRequest(
        hostname="api.example.com",
        port=443,
        tls_wrapped_protocol="https",
    )
])

# Retrieve results
for result in scanner.get_results():
    print(f"Target: {result.server_location.hostname}")
    if result.scan_result.heartbleed:
        print(f"  Heartbleed vulnerable: {result.scan_result.heartbleed.is_vulnerable_to_heartbleed()}")

• STARTTLS support: Built-in support for SMTP, XMPP, LDAP, FTP, and PostgreSQL STARTTLS upgrades.
• Output formats: JSON (detailed), CSV (summary), and XML (legacy compatibility).

Quick Scan Example

1
2
3
4

sslyze --regular example.com:443

# Parallel scan of multiple hosts
sslyze --json_out results.json example.com:443 api.example.com:443 mail.example.com:587

SSLScan — The Lightweight Classic

SSLScan is a C-based scanner that prioritizes speed and simplicity. It is the lightest of the three tools, making it suitable for embedded systems, CI runners with limited resources, and quick reconnaissance tasks.

Installation

1
2
3
4
5
6
7
8

# Debian/Ubuntu
sudo apt install sslscan

# Alpine
sudo apk add sslscan

# macOS (Homebrew)
brew install sslscan

Docker Deployment

1
2
3
4
5
6
7
8

version: "3.8"
services:
  sslscan:
    image: ghcr.io/rbsec/sslscan:latest
    restart: "no"
    command: ["--xml=-", "--json=-", "example.com:443"]
    volumes:
      - ./scan-results:/output

Note: SSLScan does not have an official Docker Hub image. The GitHub Container Registry image is maintained by the project author. For production use, you can build from source:

1
2
3
4
5
6
7
8

FROM alpine:3.21
RUN apk add --no-cache gcc musl-dev make openssl-dev zlib-dev git
RUN git clone https://github.com/rbsec/sslscan.git /src/sslscan \
    && cd /src/sslscan \
    && make static \
    && mv sslscan /usr/local/bin/sslscan \
    && rm -rf /src
ENTRYPOINT ["sslscan"]

Key Features

• Speed: Being compiled C, SSLScan is the fastest of the three tools for single-target scans. It typically completes a full scan in under 5 seconds for a well-configured server.
• Minimal dependencies: Only requires OpenSSL libraries. No Python runtime, no Bash interpreter complexity.
• Clean output: XML, CSV, and JSON output with consistent schema. The --xml=- flag writes XML to stdout for easy piping.
• Cipher suite mapping: Maps each supported cipher to its IANA name, OpenSSL name, and security strength (bits).

Quick Scan Example

1
2
3
4
5

# Full scan with JSON output
sslscan --json --no-colour example.com:443 > scan-results.json

# Focus on accepted ciphers only
sslscan --cipher-details --no-colour example.com:443 | grep "Accepted"

Head-to-Head Comparison

Scan Speed (10 Hosts, 10 Threads)

Vulnerability Detection Coverage

Compliance Reporting

For PCI DSS, SOC 2, or HIPAA compliance audits, testssl.sh is the clear winner. Its HTML and JSON reports include protocol grades, cipher strength classifications, and explicit pass/fail markers for each compliance check. SSLyze produces machine-readable JSON suitable for custom report generation, while SSLScan’s output requires post-processing for compliance purposes.

Which Tool Should You Choose?

Choose testssl.sh if:

• You need the most comprehensive vulnerability coverage
• Compliance reporting (PCI DSS, SOC 2, HIPAA) is a requirement
• You want a single tool that covers SSL, TLS, DNSSEC, DANE, and CAA
• You are comfortable with Bash and OpenSSL dependencies

Choose SSLyze if:

• You need to integrate SSL scanning into a Python application or CI/CD pipeline
• Speed matters more than exhaustive vulnerability testing
• You want programmatic access via the Python API
• You need STARTTLS support for multiple protocols (SMTP, XMPP, LDAP)

Choose SSLScan if:

• You need a lightweight, fast scanner for quick assessments
• You are running on resource-constrained systems (embedded, minimal containers)
• You want minimal dependencies (just OpenSSL)
• You need a simple tool for ad-hoc reconnaissance

Automation: Scheduled Scanning Pipeline

For ongoing infrastructure security monitoring, combine SSLyze (speed) or testssl.sh (depth) with a scheduled pipeline:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

# docker-compose.yml — SSL/TLS scanning pipeline
version: "3.8"
services:
  ssl-scanner:
    image: nablac0d3/sslyze:latest
    restart: "no"
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        echo "Starting SSL/TLS scan at $$(date -u)"
        while IFS= read -r host; do
          echo "Scanning $$host..."
          sslyze --json_out "/scans/$$(date +%Y%m%d)-$$host.json" "$$host"
        done < /etc/ssl-targets.txt
        echo "Scan complete. Results in /scans/"
    volumes:
      - ./scan-results:/scans
      - ./targets.txt:/etc/ssl-targets.txt:ro

Create a targets file:

1
2
3
4

api.example.com:443
mail.example.com:587
ldap.example.com:636
db.example.com:5432

Schedule with cron:

1
2

# Run weekly SSL/TLS scans every Sunday at 02:00 UTC
0 2 * * 0 cd /opt/ssl-scanner && docker compose up --abort-on-container-exit >> /var/log/ssl-scan.log 2>&1

FAQ

What is the difference between testssl.sh, SSLyze, and SSLScan?

testssl.sh is the most comprehensive scanner, testing for the widest range of vulnerabilities and protocol issues. SSLyze is Python-based with async I/O for fast parallel scanning and a programmatic API. SSLScan is a lightweight C tool optimized for speed and minimal resource usage. All three are free, open-source, and self-hosted.

Can these tools scan internal servers behind a firewall?

Yes. Since all three tools run locally on your infrastructure, they can scan any server reachable from the host where they are installed — including internal services behind firewalls, private networks, and air-gapped environments. This is a key advantage over cloud-based SSL testing services.

Which tool is best for PCI DSS compliance auditing?

testssl.sh is the best choice for PCI DSS compliance. It provides protocol grades, explicit pass/fail markers for each vulnerability check, and HTML/JSON reports that auditors can review directly. Its coverage of POODLE SSL, DROWN, and deprecated cipher suites aligns with PCI DSS scanning requirements.

Do these tools work with non-HTTPS protocols?

Yes. All three tools support STARTTLS upgrades for SMTP, XMPP, LDAP, FTP, and PostgreSQL. SSLyze has the most comprehensive STARTTLS support with dedicated plugins for each protocol. testssl.sh supports the widest range including RDP and IMAP.

How often should I run SSL/TLS scans?

For production infrastructure, run full scans weekly and quick scans daily after any certificate or configuration change. Automated scans should be part of your CI/CD pipeline — scan before deploying any TLS-related configuration change.

Can I integrate these scanners into my CI/CD pipeline?

Yes. SSLyze has a native Python API that can be called directly from Python-based CI scripts. testssl.sh produces exit codes (0 = pass, non-zero = fail) and JSON output suitable for pipeline integration. SSLScan can output JSON or XML that CI tools can parse and evaluate.

Are these tools safe to run against production servers?

Generally yes. These tools perform passive protocol negotiation and cipher enumeration — they do not exploit vulnerabilities or send malicious payloads. However, intensive scanning can increase server load temporarily. For production systems, schedule scans during maintenance windows and monitor server resources.

For related reading, see our TLS certificate automation guide, certificate monitoring and expiry alerting comparison, and self-hosted vulnerability scanner comparison.