tls-scan

The tls-scan tool is a fast TLS/SSL configuration scanner designed for automated security workflows within Canva, specializing in cipher and protocol enumeration. It efficiently assesses TLS configurations to identify potential vulnerabilities, contributing to enhanced security posture.

Ideal Use Cases & Fit

tls-scan is ideal for scenarios where rapid assessment of TLS/SSL implementations is required. It excels in contexts such as:

  • Initial reconnaissance of domains to evaluate their SSL/TLS security configurations.
  • Compliance checks to ensure that servers adhere to current security standards.
  • Testing for weaknesses in cipher suites and supported protocols.

It is not suitable for use in environments where deep packet inspection or application-layer analysis is necessary.

Value in Workflows

In security workflows, tls-scan adds significant value by providing early reconnaissance capabilities and contributing to vulnerability assessments. Positioned at the front end of a security assessment workflow, it enhances situational awareness concerning TLS configurations, enabling teams to prioritize remediation efforts effectively.

Input Data

The tls-scan tool expects a newline-separated list of domains or IP addresses as input. This input is required; it specifies the target hosts to scan.

Example:

example.com
example2.com

Configuration

  • starttls: Specifies the STARTTLS protocol (smtp, imap, etc.). Useful for testing multiple protocols.
  • ciphers: Defines specific ciphers to use. Overrides the SSL/TLS version settings if specified.
  • cipher-enum: Enables enumeration of supported ciphers.
  • show-unsupported: Displays unsupported ciphers in the output report.
  • version-enum: Enables enumeration of supported TLS versions.
  • session-reuse: Allows SSL session reuse to optimize performance.
  • all: Enables enumeration for both versions and ciphers.
  • alpn: Comma-separated list of ALPN protocol identifiers for the ClientHello message.
  • sni: Sets the TLS extension server name in ClientHello.
  • timeout: Configures the timeout duration for each connection in seconds.
  • port: Defines the port for scanning, defaulting to 443.
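The two inputs described above, the newline-separated target list and the configuration options, are easy to get subtly wrong in an automated pipeline: a stray blank line, a duplicated host, or a port outside the valid range will silently skew a scan. The following helper is an added example written for this page, not code from tls-scan or from its authors. It validates and de-duplicates a target list, then turns a configuration mapping that uses the option names listed above into a command line. It assumes (this is not stated on the page) that each option is passed as the long flag of the same name, that boolean options are bare flags, and that targets are fed one per line on standard input.

```python
"""Prepare a tls-scan run: validate the target list and build the command line.

Assumptions, not taken from the tls-scan documentation: every configuration
key maps to a long flag of the same name (e.g. ``--cipher-enum``), boolean
options are bare flags, and targets are read one per line from stdin.
"""
import ipaddress
import re
import subprocess

# Options from the Configuration section, split by whether they take a value.
BOOLEAN_OPTIONS = {"cipher-enum", "show-unsupported", "version-enum",
                   "session-reuse", "all"}
VALUE_OPTIONS = {"starttls", "ciphers", "alpn", "sni", "timeout", "port"}

# One RFC 1123 hostname label: 1-63 letters/digits/hyphens, no leading or
# trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(target: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    host = target.rstrip(".")
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def parse_targets(text: str) -> tuple[list[str], list[str]]:
    """Split newline-separated input into (accepted, rejected) targets.

    Blank lines and '#' comments are skipped; duplicates are removed
    case-insensitively so a host is not scanned twice.
    """
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.lower()
        if key in seen:
            continue
        seen.add(key)
        (accepted if is_valid_target(line) else rejected).append(line)
    return accepted, rejected


def build_command(config: dict, binary: str = "tls-scan") -> list[str]:
    """Translate a configuration mapping into an argv list.

    Raises ValueError for unknown options, an out-of-range port, or a
    non-positive timeout, so bad settings fail before any connection is made.
    Note that, per the documentation, ``ciphers`` overrides the SSL/TLS
    version settings when both are given.
    """
    unknown = set(config) - BOOLEAN_OPTIONS - VALUE_OPTIONS
    if unknown:
        raise ValueError(f"unknown tls-scan option(s): {sorted(unknown)}")
    if "port" in config and not 1 <= int(config["port"]) <= 65535:
        raise ValueError("port must be in 1..65535")
    if "timeout" in config and float(config["timeout"]) <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    argv = [binary]
    for name, value in config.items():
        if name in BOOLEAN_OPTIONS:
            if value:
                argv.append(f"--{name}")
        else:
            argv += [f"--{name}", str(value)]
    return argv


def run_scan(targets: list[str], config: dict) -> str:
    """Run tls-scan with the validated targets on stdin (assumed input mode)."""
    proc = subprocess.run(build_command(config), input="\n".join(targets) + "\n",
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample input, in the format shown in the Input Data section.
    sample = "example.com\nexample2.com\n\n# staging\n10.0.0.1\nbad_host!\nEXAMPLE.COM\n"
    ok, bad = parse_targets(sample)
    print("targets:", ok, "rejected:", bad)
    print(" ".join(build_command({"all": True, "port": 443, "timeout": 5})))
```

Only `parse_targets` and `build_command` run offline; `run_scan` needs the tls-scan binary on the path and is included to show how the two pieces fit together in a pipeline.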