
jphoke/tlsscanner


TLS Scanner Portal

tlsscanner-go-speed

Lightning-fast TLS/SSL security scanner with web UI. Get comprehensive security analysis in seconds, not minutes.

Background

This project began as a learning exercise to explore Claude Code's capabilities and gain hands-on experience with Go. What started as a simple goal to build a faster TLS scanner for security testing quickly evolved into something more comprehensive.

The traditional bash-based TLS scanners were painfully slow, often taking minutes to complete basic scans. Security teams need tools that match the pace of modern development - fast, API-driven, and deployable anywhere. This scanner delivers sub-second results while providing deeper analysis than most alternatives.

Built with modern security teams in mind, TLS Scanner Portal offers:

  • Speed: Faster than traditional scanners - get results in milliseconds, not minutes
  • Depth: Enhanced vulnerability detection using zcrypto for research-grade analysis
  • Integration: REST API and WebSocket support for seamless automation
  • Deployment: Docker-based architecture runs anywhere your infrastructure lives

⚠️ Critical Security Notice

This tool uses zcrypto, a research-focused library that intentionally disables security features.

DO NOT use this codebase for:

  • Actual TLS communications or connections
  • Building production services that handle TLS
  • Any purpose requiring cryptographic security

The zcrypto library has safety features removed to enable testing of broken, obsolete, and insecure TLS configurations. This makes it perfect for security scanning but completely unsuitable for secure communications.

Important: Defensive Security Only

This tool is designed exclusively for:

  • ✅ Security compliance scanning
  • ✅ Internal infrastructure auditing
  • ✅ Identifying misconfigurations before attackers do
  • ✅ Monitoring certificate health and expiration

DO NOT use this tool for:

  • ❌ Scanning infrastructure you don't own or have permission to test
  • ❌ Exploiting discovered vulnerabilities
  • ❌ Any malicious or unauthorized purposes

This is a defensive security tool - think "security team's best friend", not "scriptkiddie toyz".

Upgrading from Previous Versions

If you're upgrading from a previous version, please see the Migration Guide for important database updates and new features.

Quick Start

```bash
git clone https://github.com/jphoke/tlsscanner
cd tlsscanner

# Generate a self-signed certificate for HTTPS
./scripts/generate-self-signed-cert.sh

# Start the services
docker compose up -d
```

Access the portal:

Note: For self-signed certificates, your browser will show a security warning. This is expected - click through to accept the certificate for development/internal use.

For production deployments with trusted certificates, see INSTALL.md.

Features

  • ⚡ Faster than bash-based scanners
  • 🏆 SSL Labs grading
  • 📧 Automatic STARTTLS for mail servers, FTP, and more
  • 🔍 Enhanced vulnerability detection with CVE tracking
    • Export cipher detection (FREAK)
    • NULL cipher detection
    • ROBOT attack detection
    • Heartbleed heuristic analysis
    • SSL v3 detection (optional deep scan)
  • 🏢 Custom CA support for internal certificates
  • 🌐 Modern web UI with real-time updates
  • 🔒 HTTPS support with TLS 1.2/1.3
  • 🔬 Powered by zcrypto for research-grade analysis

Screenshots

MainPortalView

Main portal interface - Simple and intuitive scanning


expiredCertFail

Output of "expired.badssl.com" showing security issues and remediation steps


smtpsViaSTARTTLS

Scan results for SMTP/S Connections using STARTTLS

Basic Usage

Web Portal

Default Ports:

Enter any hostname or IP to scan:

  • example.com - Standard HTTPS scan
  • smtp.gmail.com:587 - SMTP with STARTTLS
  • 192.168.1.1 - Internal IP addresses

Certificate Setup:

  • Development/Testing: Use ./scripts/generate-self-signed-cert.sh
  • Production: See INSTALL.md for Let's Encrypt or commercial certificates

Command Line

```bash
# Basic scan
./tlsscanner -target example.com
./tlsscanner -target 192.168.1.1:8443

# JSON output (works with any host:port)
./tlsscanner -target smtp.gmail.com:587 -json

# With custom CA certificates (for internal/corporate CAs)
./tlsscanner -target internal.company.com -ca-path /path/to/ca/certs

# Deep scan including SSL v3 detection (slower)
./tlsscanner -target legacy.server.com -check-sslv3

# Batch scanning from CSV file
./tlsscanner -batch test/test-targets.csv
./tlsscanner -b test/test-targets.csv -summary   # Summary only
./tlsscanner -batch test/test-targets.csv -json > results.json
```

Batch File Format

```csv
# test/test-targets.csv - with header
target,check_sslv3,comments
google.com,N,Google main site
badssl.com,N,Testing site
expired.badssl.com,N,Expired cert test
self-signed.badssl.com,Y,Self-signed with SSL v3 check
smtp.gmail.com:587,N,Gmail SMTP with STARTTLS
smtp.gmail.com:465,N,Gmail SMTP with direct TLS

# Or minimal format (no header)
example.com
smtp.server.com:587
192.168.1.1:8443,Y
```

The scanner automatically detects STARTTLS for mail ports and trusts certificates signed by CAs found in the directory given with -ca-path.
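A parser for the batch file format above, added here as an illustration and not taken from the tlsscanner code base. It assumes the rules the README shows: an optional `target,check_sslv3,comments` header, rows of `target[,Y|N[,comment]]`, and `#` lines as comments; how the real tool parses the file beyond that is not documented here.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: a headed row followed by a minimal row.
const sampleBatch = "target,check_sslv3,comments\n" +
	"self-signed.badssl.com,Y,Self-signed with SSL v3 check\n" +
	"192.168.1.1:8443\n"

// Target is one batch row: host[:port], whether to run the slower SSL v3 check, and a comment.
type Target struct {
	Target     string
	CheckSSLv3 bool
	Comment    string
}

// ParseBatch parses the batch format: optional header, then target[,Y|N[,comment]] rows.
func ParseBatch(data string) ([]Target, error) {
	var out []Target
	for n, raw := range strings.Split(data, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank line or comment
		}
		f := strings.SplitN(line, ",", 3) // the comment column may itself contain commas
		if len(out) == 0 && strings.EqualFold(f[0], "target") {
			continue // header row
		}
		t := Target{Target: strings.TrimSpace(f[0])}
		if len(f) > 1 {
			switch strings.ToUpper(strings.TrimSpace(f[1])) {
			case "Y":
				t.CheckSSLv3 = true
			case "", "N": // absent or N: default, no SSL v3 check (assumed)
			default:
				return nil, fmt.Errorf("line %d: check_sslv3 must be Y or N, got %q", n+1, f[1])
			}
		}
		if len(f) > 2 {
			t.Comment = strings.TrimSpace(f[2])
		}
		out = append(out, t)
	}
	return out, nil
}
```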

Next Steps

Acknowledgements

This project uses the following open source libraries:

  • zcrypto - A research-focused fork of Go's crypto libraries that enables scanning of legacy and non-compliant TLS configurations. Licensed under Apache 2.0.
  • ZMap Project - The team behind zcrypto and other excellent security research tools.

Special thanks to the security research community for their work in identifying and documenting TLS vulnerabilities.

Other Thanks

License

MIT License - see LICENSE file for details.

This project includes third-party libraries. See THIRD-PARTY-LICENSES for details.