Inspect a host's TLS configuration and certificate. tlsaudit probes which TLS versions a server accepts, reports the negotiated cipher and certificate details, and grades the result, flagging weak protocols, untrusted or expiring certificates, and a missing HSTS header. Standard library only.
python tlsaudit.py example.com
python tlsaudit.py example.com:8443
python tlsaudit.py example.com --json
$ python tlsaudit.py github.com
tlsaudit github.com:443
grade A (100/100)
protocols
TLS 1.0 no
TLS 1.1 no
TLS 1.2 enabled
TLS 1.3 enabled
negotiated TLSv1.3, TLS_AES_128_GCM_SHA256 (128-bit)
certificate
subject github.com
issuer Sectigo Limited
expires Aug 2 23:59:59 2026 GMT (40 days)
sans github.com, www.github.com
- Protocol support: forces a handshake at TLS 1.0, 1.1, 1.2, and 1.3 and reports which the server accepts (older protocols the local OpenSSL can't negotiate are marked untestable).
- Negotiated cipher and its key strength.
- Certificate: subject, issuer, SANs, validity window, days to expiry.
- Findings: TLS 1.0/1.1 enabled (high), sub-128-bit cipher (high), untrusted or self-signed certificate (high), expired (high) or soon-to-expire (medium) certificate, and a missing HSTS header (low).
Exit code is 1 when any high-severity issue is found.
tlsaudit.py
  test_protocol    one handshake per TLS version (min == max version)
  get_certificate  verified handshake for cert details; falls back to a no-verify handshake to still report protocol/cipher
  cert_summary     parse subject/issuer/SAN/dates from getpeercert()
  audit / grade    collect findings, compute score
Certificate field access depends on a verified handshake, so for an untrusted certificate tlsaudit reports the verification error rather than full details.
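The severity rules and exit-code behaviour listed above, together with the verified-handshake caveat, as an added Python sketch (not tlsaudit's own code). The function names, the constructed sample certificate, and the 30-day "soon to expire" threshold are assumptions; the page does not state tlsaudit's threshold or scoring weights.

```python
import ssl

SOON_DAYS = 30  # assumed threshold; the page does not state tlsaudit's value

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Mar  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
}

def _rdn(name, key):
    """Pull one attribute out of getpeercert()'s nested RDN tuples."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def summarize_cert(cert, now):
    """Flatten the verified-handshake cert dict; `now` is epoch seconds."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject": _rdn(cert.get("subject", ()), "commonName"),
        "issuer": _rdn(cert.get("issuer", ()), "organizationName"),
        "sans": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "days_left": int((not_after - now) // 86400),  # floors, so past expiry is < 0
    }

def evaluate(protocols, cipher_bits, summary, verify_error, hsts):
    """Return (severity, message) findings using the severities listed above."""
    out = []
    for ver in ("TLS 1.0", "TLS 1.1"):
        if protocols.get(ver) == "enabled":
            out.append(("high", f"{ver} enabled"))
    if cipher_bits is not None and cipher_bits < 128:
        out.append(("high", f"{cipher_bits}-bit cipher"))
    if verify_error:  # no verified handshake, so no cert fields to inspect
        out.append(("high", f"untrusted certificate: {verify_error}"))
    elif summary["days_left"] < 0:
        out.append(("high", "certificate expired"))
    elif summary["days_left"] <= SOON_DAYS:
        out.append(("medium", f"certificate expires in {summary['days_left']} days"))
    if not hsts:
        out.append(("low", "missing HSTS header"))
    return out

def exit_code(findings):
    """1 when any high-severity finding is present, else 0."""
    return 1 if any(sev == "high" for sev, _ in findings) else 0
```

Passing `now` explicitly keeps the expiry check deterministic, which makes the severity rules easy to unit-test without a live handshake.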
Python 3.9+, network access. No third-party packages.
MIT