Transport Layer Security (TLS) is the foundation of secure communication on the Internet.
Misconfigured TLS services can expose organizations to:
- Man-in-the-Middle attacks
- Weak encryption
- Expired certificates
- Compliance violations
- Service disruptions
This tool performs a baseline TLS assessment of a single domain from the command line, using only `openssl s_client` and `openssl x509`, and writes a plain-text report suitable for DevOps, DevSecOps, SRE, and Security Engineers.
Features:
- Certificate validation
- Expiration monitoring
- TLS version detection
- Cipher inspection
- Subject Alternative Names (SAN)
- Issuer verification
- Security scoring
- CI/CD integration
- Compliance-friendly reporting
- Lightweight Bash implementation
The analyzer verifies:
- Certificate validity
- Expiration date
- Remaining validity period
- Issuer information
- Subject information
- TLS versions
- Cipher suites
- Certificate chain
- Hostname validation
Repository layout:

```text
tls-analyzer/
├── tls-analyzer.sh
├── reports/
│   └── tls-report.txt
└── README.md
```
The script, tls-analyzer.sh:

```bash
#!/usr/bin/env bash
##########################################################
# TLS Security Analyzer
#
# Author: DevSecOps Community
#
# Features:
# - Certificate validation
# - Expiration check
# - TLS protocol detection
# - Cipher inspection
# - Security score
##########################################################
set -euo pipefail

DOMAIN="${1:-}"
if [ -z "$DOMAIN" ]; then
  echo "Usage:"
  echo "./tls-analyzer.sh domain.com"
  exit 1
fi

REPORT_DIR="./reports"
REPORT_FILE="$REPORT_DIR/tls-report.txt"
mkdir -p "$REPORT_DIR"
> "$REPORT_FILE"

SCORE=100

# Print a line to the terminal and append it to the report in one go.
log() { echo "$*" | tee -a "$REPORT_FILE"; }

echo "========================================"
echo "TLS Security Analyzer"
echo "========================================"
echo ""
echo "Target Domain : $DOMAIN"
echo ""
echo "TLS Report - $(date)" >> "$REPORT_FILE"

# One handshake with SNI, capturing the leaf certificate and the session
# summary. -verify_hostname makes the "Verify return code" line below cover
# hostname matching as well as chain validation. The explicit check is
# needed because set -e would otherwise abort silently on a connection error.
if ! CERT=$(openssl s_client \
      -connect "${DOMAIN}:443" \
      -servername "$DOMAIN" \
      -verify_hostname "$DOMAIN" \
      < /dev/null 2>/dev/null); then
  log "[ERROR] Could not establish a TLS connection to ${DOMAIN}:443."
  exit 2
fi

# Subject and issuer, e.g.
#   subject=CN=example.com
#   issuer=C = US, O = Let's Encrypt, CN = <intermediate CA>
# (the issuer is the full DN of the signing intermediate, not just the CA brand)
log "Certificate Subject:"
log "$(echo "$CERT" | openssl x509 -noout -subject | sed 's/^subject=//')"
log "Issuer:"
log "$(echo "$CERT" | openssl x509 -noout -issuer | sed 's/^issuer=//')"

# Chain and hostname validation. s_client prints the result of verifying
# the chain against the local trust store as "Verify return code: 0 (ok)";
# anything else (unknown CA, self-signed, expired, hostname mismatch) is a finding.
VERIFY=$(echo "$CERT" | grep -m1 "Verify return code" || true)
if ! echo "$VERIFY" | grep -q "(ok)"; then
  SCORE=$((SCORE - 40))
  log "[WARNING] Certificate chain did not verify: ${VERIFY:-no verify result}"
fi

# Expiry. -enddate prints "notAfter=Aug 15 23:59:59 2026 GMT".
# date -d is GNU date; on macOS use: date -j -f "%b %e %T %Y %Z" "$EXPIRY_DATE" +%s
EXPIRY_DATE=$(echo "$CERT" | openssl x509 -noout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s)
NOW=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW) / 86400 ))

log "Days Remaining:"
log "$DAYS_LEFT"

# Compare epochs for "expired": integer division truncates toward zero, so
# a certificate that expired an hour ago still shows DAYS_LEFT=0.
if [ "$EXPIRY_EPOCH" -le "$NOW" ]; then
  SCORE=$((SCORE - 50))
  log "[CRITICAL] Certificate has expired."
elif [ "$DAYS_LEFT" -lt 30 ]; then
  SCORE=$((SCORE - 20))
  log "[WARNING] Certificate expires in $DAYS_LEFT days."
fi

# Negotiated protocol and cipher for the default handshake, from the
# SSL-Session block of the s_client output.
log "$(echo "$CERT" | grep -E -m1 '^ *Protocol *:' | sed 's/^ *//')"
log "$(echo "$CERT" | grep -E -m1 '^ *Cipher *:' | sed 's/^ *//')"

# Protocol support: one handshake per version. A handshake that fails
# because the *client* refuses the version looks exactly like a server
# that does not offer it, so on OpenSSL builds that disable TLS 1.0/1.1
# (OpenSSL 3 at the default security level, Debian/Ubuntu defaults) add
# -cipher 'DEFAULT:@SECLEVEL=0' to the legacy probes or the check is a
# false negative.
probe() {  # usage: probe -tls1_2
  openssl s_client "$1" -connect "${DOMAIN}:443" -servername "$DOMAIN" \
    < /dev/null > /dev/null 2>&1
}

if probe -tls1_2; then log "TLS 1.2 Supported"; fi
if probe -tls1_3; then log "TLS 1.3 Supported"; fi

if probe -tls1; then
  SCORE=$((SCORE - 30))
  log "[WARNING] TLS 1.0 enabled (deprecated by RFC 8996)."
fi
if probe -tls1_1; then
  SCORE=$((SCORE - 20))
  log "[WARNING] TLS 1.1 enabled (deprecated by RFC 8996)."
fi

# Key algorithm (RSA or ECDSA), key length and signature hash (SHA256,
# SHA384) of the leaf certificate, e.g.
#   Public Key Algorithm: rsaEncryption
#   Public-Key: (2048 bit)
#   Signature Algorithm: sha256WithRSAEncryption
# Read the full dump (openssl x509 -text -noout) when something looks off.
log "Key and signature:"
echo "$CERT" | openssl x509 -noout -text \
  | grep -E 'Public Key Algorithm|Public-Key:|Signature Algorithm' \
  | sed 's/^ *//' | sort -u | tee -a "$REPORT_FILE"

# Subject Alternative Names: the list a client actually matches the
# hostname against, e.g. "DNS:example.com, DNS:www.example.com".
log "Subject Alternative Names:"
log "$(echo "$CERT" | openssl x509 -noout -text \
      | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//')"

echo ""
log "Security Score: $SCORE / 100"

if [ "$SCORE" -ge 90 ]; then RATING="Excellent"
elif [ "$SCORE" -ge 80 ]; then RATING="Good"
elif [ "$SCORE" -ge 60 ]; then RATING="Moderate"
else RATING="Weak"
fi
log "Rating: $RATING"

# Non-zero exit status so a CI job fails on a weak configuration.
[ "$RATING" != "Weak" ] || exit 3
```

Suggested scoring:

| Score | Rating |
|---|---|
| 90-100 | Excellent |
| 80-89 | Good |
| 60-79 | Moderate |
| <60 | Weak |

Sample run against example.com (issuer DN abbreviated):

```text
========================================
TLS Security Analyzer
========================================

Target Domain : example.com

Certificate Subject:
CN=example.com
Issuer:
C = US, O = Let's Encrypt, CN = ...
Days Remaining:
74
Protocol  : TLSv1.3
Cipher    : TLS_AES_256_GCM_SHA384
TLS 1.2 Supported
TLS 1.3 Supported
Key and signature:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
Signature Algorithm: ecdsa-with-SHA256
Subject Alternative Names:
DNS:example.com, DNS:www.example.com

Security Score: 100 / 100
Rating: Excellent
```
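The certificate checks above can be exercised without touching a live server. The following is an added example, not part of tls-analyzer.sh or the project: it builds a throwaway self-signed certificate for the constructed name `example.test` (10-day validity, two SAN entries, P-256 key) and runs the same parsing, expiry, key-size and hostname logic against it, so the "expires soon" branch, the SAN extraction and a hostname mismatch can all be verified offline. Hostname validation goes through `openssl verify -verify_hostname` rather than a string compare, with the fixture acting as its own trust anchor; against a real endpoint the equivalent is `-verify_hostname` on `openssl s_client`. The `to_epoch` helper assumes either GNU or BSD `date`; `-addext` needs OpenSSL 1.1.1 or newer.

```bash
#!/usr/bin/env bash
# Offline exercise of the certificate logic behind tls-analyzer.sh.
# Added example, not project code: a throwaway self-signed certificate
# for the constructed name example.test stands in for a live server so
# the parsing, expiry and hostname checks can be verified without a
# network. Needs openssl 1.1.1+ (-addext) and GNU or BSD date (assumed).
set -e

FIXTURE_DIR=$(mktemp -d)
FIXTURE_CERT="$FIXTURE_DIR/cert.pem"
trap 'rm -rf "$FIXTURE_DIR"' EXIT

# Minimal req config so the fixture builds even where no system
# openssl.cnf is installed; the subject comes from -subj below.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$FIXTURE_DIR/req.cnf"

# Constructed fixture: P-256 key, ECDSA/SHA-256 signature, 10-day
# validity (so the "expires soon" branch fires), two SAN entries.
openssl req -x509 -new -nodes \
  -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -config "$FIXTURE_DIR/req.cnf" \
  -subj "/CN=example.test" \
  -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
  -days 10 \
  -keyout "$FIXTURE_DIR/key.pem" -out "$FIXTURE_CERT" 2>/dev/null

# "Aug 15 23:59:59 2026 GMT" -> epoch seconds. GNU date first, then the
# BSD/macOS spelling (assumption: adjust if your date(1) differs).
to_epoch() {
  date -d "$1" +%s 2>/dev/null || date -j -f "%b %e %T %Y %Z" "$1" +%s
}

cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

# Whole days until notAfter. Integer division truncates toward zero, so
# "expired" must be decided on the epochs, not on this number.
cert_days_left() {
  local now=${2:-$(date +%s)} exp
  exp=$(to_epoch "$(cert_not_after "$1")")
  echo $(( (exp - now) / 86400 ))
}

# Score penalty for the expiry state. The optional second argument
# overrides "now" so every branch can be tested deterministically.
cert_expiry_penalty() {
  local now=${2:-$(date +%s)} exp
  exp=$(to_epoch "$(cert_not_after "$1")")
  if [ "$exp" -le "$now" ]; then
    echo 50                                   # expired: hard failure
  elif [ $(( (exp - now) / 86400 )) -lt 30 ]; then
    echo 20                                   # renew within 30 days
  else
    echo 0
  fi
}

# DNS names from the SAN extension, one per line. This list, not the CN,
# is what clients match the hostname against.
cert_san_dns() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' \
    | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Public-key size and signature algorithm as printed by -text: the two
# fields to inspect for short RSA keys and SHA-1 signatures.
cert_key_bits() {
  openssl x509 -noout -text -in "$1" | grep -o '([0-9]* bit)' | head -n1 | tr -dc '0-9'
}
cert_sig_alg() {
  openssl x509 -noout -text -in "$1" | grep -m1 'Signature Algorithm' | awk '{print $3}'
}

# Hostname validation through the real verifier. The self-signed fixture
# is its own trust anchor here; for a live endpoint use -verify_hostname
# on openssl s_client instead.
cert_matches_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

echo "Subject        : $(openssl x509 -noout -subject -in "$FIXTURE_CERT")"
echo "Not After      : $(cert_not_after "$FIXTURE_CERT") ($(cert_days_left "$FIXTURE_CERT") days left)"
echo "SAN            : $(cert_san_dns "$FIXTURE_CERT" | tr '\n' ' ')"
echo "Key / signature: $(cert_key_bits "$FIXTURE_CERT") bit, $(cert_sig_alg "$FIXTURE_CERT")"
echo "Expiry penalty : $(cert_expiry_penalty "$FIXTURE_CERT")"
for h in www.example.test evil.example.org; do
  if cert_matches_host "$FIXTURE_CERT" "$h"; then
    echo "Hostname check : $h matches"
  else
    echo "Hostname check : $h does NOT match"
  fi
done
```

Run it as-is; it needs no arguments and removes its temporary directory on exit. The same helpers can be pointed at a certificate saved from a live server with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 > saved.pem`.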
Example GitHub Actions workflow, scheduled daily at 07:00 UTC. A step fails only when its command exits non-zero, so the script's exit status is what turns a finding into a failed job:

```yaml
name: TLS Verification
on:
  schedule:
    - cron: '0 7 * * *'
jobs:
  tls-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          chmod +x tls-analyzer.sh
          ./tls-analyzer.sh example.com
```

This analyzer helps identify:
- Expired certificates
- Weak TLS versions
- Misconfigured certificates
- Compliance issues
- Weak cryptographic configurations
before they impact users.
Useful as supporting evidence for encryption-in-transit controls under:
- ISO 27001
- SOC 2
- PCI DSS
- CIS Controls
- NIST Cybersecurity Framework
This script is a lightweight complement to, not a replacement for, dedicated scanners:
- OpenSSL (`openssl s_client`, `openssl x509`)
- testssl.sh
- Qualys SSL Labs
- Nessus
- OpenVAS
- Nmap NSE ssl-* scripts (ssl-enum-ciphers, ssl-cert)
Potential improvements:
- HTML reports
- JSON export
- Slack alerts
- Teams notifications
- Certificate transparency checks
- OCSP validation
- HSTS validation
- HTTP Security Headers Audit
- Multi-domain scanning
Future enterprise capabilities:
- Bulk domain scanning
- TLS inventory management
- Certificate expiration monitoring
- Automatic ticket creation
- Compliance dashboards
- Grafana integration
- Prometheus metrics export
- Slack and Email alerting
TLS is one of the most critical security controls protecting modern applications and infrastructure.
Regular TLS assessments help identify certificate issues, weak cryptographic configurations, and compliance gaps before they become operational or security incidents.
Automating TLS verification should be part of every mature DevSecOps and infrastructure security program.