Why TLS Analysis Matters
TLS (Transport Layer Security) is the backbone of internet security, protecting data in transit across billions of connections daily. As quantum computing advances, the cryptographic algorithms underlying TLS face an existential threat.
TLS Analyzer helps you understand:
- Protocol versions - Which TLS versions are supported (1.0, 1.1, 1.2, 1.3)
- Cipher suites - What encryption algorithms are in use
- Key exchange - Whether forward secrecy is enabled
- Certificate details - Signature algorithms, key sizes, expiration
- Quantum risk - How vulnerable your connections are to future quantum attacks
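To make the checks in that list concrete, here is a small Go program added as an illustration (it is not code from TLS Analyzer or the csnp project). It connects to an endpoint with the standard library, then rates what was negotiated: protocol version, whether the key exchange was ephemeral (forward secrecy), the leaf certificate's signature algorithm, key size and remaining validity, and a harvest-now-decrypt-later risk label. The `Finding` type, the severity names and the thresholds (SHA-1/MD5 signatures, RSA under 2048 bits, expiry inside 90 days) are assumptions chosen to match the custom-policy example later on this page; the `pqHybrid` flag is passed as `false` because detecting an ML-KEM hybrid group needs `ConnectionState.CurveID`, which only exists on Go 1.24 and later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
	"strings"
	"time"
)

// Finding is one observation; severities are "info", "warn", "high" (constructed).
type Finding struct {
	Severity string
	Message  string
}

// protocolFinding rates the negotiated protocol version.
func protocolFinding(version uint16) Finding {
	switch version {
	case tls.VersionTLS13:
		return Finding{"info", "TLS 1.3 negotiated"}
	case tls.VersionTLS12:
		return Finding{"warn", "TLS 1.2 negotiated; prefer TLS 1.3"}
	default:
		return Finding{"high", fmt.Sprintf("legacy protocol 0x%04x negotiated", version)}
	}
}

// hasForwardSecrecy reports whether the key exchange was ephemeral: every
// TLS 1.3 suite uses (EC)DHE, and TLS 1.2 suite names carry "DHE" when they do.
func hasForwardSecrecy(version, suite uint16) bool {
	return version == tls.VersionTLS13 || strings.Contains(tls.CipherSuiteName(suite), "DHE")
}

// publicKeyBits returns the key family and size of a certificate's public key.
func publicKeyBits(pub any) (kind string, bits int) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return "RSA", k.N.BitLen()
	case *ecdsa.PublicKey:
		return "ECDSA", k.Curve.Params().BitSize
	default:
		return "unknown", 0
	}
}

// certFindings rates signature algorithm, key size and remaining validity.
// Thresholds are assumptions mirroring the page's custom-policy example.
func certFindings(sigAlg x509.SignatureAlgorithm, keyKind string, keyBits int, notAfter, now time.Time) []Finding {
	var out []Finding
	switch sigAlg {
	case x509.SHA1WithRSA, x509.MD5WithRSA, x509.ECDSAWithSHA1:
		out = append(out, Finding{"high", "certificate signed with " + sigAlg.String()})
	}
	required := map[string]int{"RSA": 2048, "ECDSA": 256}[keyKind]
	if required == 0 || keyBits < required {
		out = append(out, Finding{"high", fmt.Sprintf("weak or unrecognised %s key (%d bits)", keyKind, keyBits)})
	}
	switch left := notAfter.Sub(now); {
	case left <= 0:
		out = append(out, Finding{"high", "certificate has expired"})
	case left < 90*24*time.Hour:
		out = append(out, Finding{"warn", fmt.Sprintf("certificate expires in %d days", int(left.Hours()/24))})
	}
	return out
}

// quantumRisk labels harvest-now-decrypt-later exposure: classical (EC)DHE
// resists today's eavesdroppers but not a future quantum computer; only a
// post-quantum hybrid key exchange removes that risk for recorded traffic.
func quantumRisk(version, suite uint16, pqHybrid bool) string {
	switch {
	case pqHybrid:
		return "low (hybrid post-quantum key exchange)"
	case hasForwardSecrecy(version, suite):
		return "high (classical ephemeral key exchange; recorded sessions decryptable by a future quantum computer)"
	default:
		return "critical (non-ephemeral key exchange; one compromised key exposes all recorded sessions)"
	}
}

// scan connects to host[:port] (default 443) and evaluates the negotiated session.
// MinVersion stays at TLS 1.2; a full scanner probes TLS 1.0/1.1 support separately.
func scan(addr string) ([]Finding, error) {
	if !strings.Contains(addr, ":") {
		addr += ":443"
	}
	conn, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: tls.VersionTLS12})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	cs := conn.ConnectionState()
	findings := []Finding{protocolFinding(cs.Version)}
	if !hasForwardSecrecy(cs.Version, cs.CipherSuite) {
		findings = append(findings, Finding{"high", "no forward secrecy: " + tls.CipherSuiteName(cs.CipherSuite)})
	}
	if len(cs.PeerCertificates) > 0 {
		leaf := cs.PeerCertificates[0]
		kind, bits := publicKeyBits(leaf.PublicKey)
		findings = append(findings, certFindings(leaf.SignatureAlgorithm, kind, bits, leaf.NotAfter, time.Now())...)
	}
	// Assumption: classical key exchange (cs.CurveID would tell on Go 1.24+).
	findings = append(findings, Finding{"info", "quantum risk: " + quantumRisk(cs.Version, cs.CipherSuite, false)})
	return findings, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: tlscheck host[:port]")
		os.Exit(2)
	}
	findings, err := scan(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s\n", f.Severity, f.Message)
	}
}
```

Run it as `go run . example.com` against an endpoint you operate. The rating functions take plain values rather than a live connection so the same logic can be applied to recorded scan data or unit-tested without network access.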
What is TLS Analyzer
TLS Analyzer is an open-source security assessment tool that scans TLS/SSL endpoints and evaluates them against modern security standards and the CNSA 2.0 quantum-readiness timeline.
CNSA 2.0 Timeline Assessment
Tracks compliance against the milestones of NSA's Commercial National Security Algorithm Suite 2.0 from 2025 to 2035.
Quantum Risk Scoring
Evaluates vulnerability to harvest-now-decrypt-later attacks with clear risk levels and remediation guidance.
Multiple Output Formats
Generate reports in text, JSON, SARIF (GitHub Security), HTML, and CycloneDX CBOM for compliance.
Policy-Based Scanning
Define custom policies in YAML or use built-in presets (modern, intermediate, strict) for consistent enforcement.
Getting Started
Installation
Install TLS Analyzer using Go:
```bash
# Install via Go
go install github.com/csnp/qramm-tls-analyzer/cmd/tlsanalyzer@latest

# Or clone and build from source
git clone https://github.com/csnp/qramm-tls-analyzer.git
cd qramm-tls-analyzer
go build -o tlsanalyzer ./cmd/tlsanalyzer
```
Basic Usage
Scan a single target:
```bash
# Scan a host (default port 443)
tlsanalyzer scan example.com

# Scan a specific port
tlsanalyzer scan example.com:8443

# Scan multiple targets
tlsanalyzer scan example.com api.example.com mail.example.com
```
Common Options
```bash
# Output as JSON
tlsanalyzer scan example.com --format json

# Generate HTML report
tlsanalyzer scan example.com --format html --output report.html

# Generate SARIF for GitHub Security
tlsanalyzer scan example.com --format sarif --output results.sarif

# Generate Cryptographic Bill of Materials
tlsanalyzer scan example.com --format cbom --output tls-cbom.json

# Apply a security policy
tlsanalyzer scan example.com --policy strict

# Batch scan from file
tlsanalyzer scan --targets hosts.txt
```
CNSA 2.0 Timeline
The Commercial National Security Algorithm Suite (CNSA) 2.0 establishes a timeline for transitioning to quantum-resistant cryptography. TLS Analyzer tracks your compliance against these milestones:
2025: Preparation Phase
Begin inventory of cryptographic assets. Start planning migration to quantum-resistant algorithms. TLS 1.2+ should be baseline.
2027: Software/Firmware Signing
Transition to quantum-resistant algorithms for software and firmware signing (ML-DSA, SLH-DSA).
2030: Web/Cloud Services
Quantum-resistant TLS for web browsers, cloud services, and key establishment (ML-KEM hybrid modes).
2033: Traditional Networking
VPNs, routers, and legacy systems must support quantum-resistant algorithms.
2035: Full Transition
Complete migration to CNSA 2.0 algorithms. Classical algorithms deprecated for National Security Systems.
Security Grading System
TLS Analyzer assigns letter grades based on protocol support, cipher strength, certificate quality, and quantum readiness:
| Grade | Score | Meaning |
|---|---|---|
| A+ | 95-100 | Excellent security posture with quantum-ready or hybrid key exchange |
| A | 90-94 | Strong configuration with TLS 1.3 and modern cipher suites |
| B | 80-89 | Good security but may have minor issues or outdated protocols |
| C | 65-79 | Acceptable but significant improvements recommended |
| D | 50-64 | Weak configuration with known vulnerabilities |
| F | 0-49 | Critical vulnerabilities or severely outdated configuration |
Scoring Factors
- Protocol Support (25%) - TLS 1.3 preferred, TLS 1.0/1.1 penalized
- Cipher Strength (25%) - Forward secrecy, key sizes, deprecated algorithms
- Certificate Quality (25%) - Signature algorithm, key size, chain validity
- Quantum Readiness (25%) - Hybrid key exchange, PQC algorithm support
Output Formats
HTML Reports
Generate professional HTML reports for stakeholder communication:
```bash
tlsanalyzer scan example.com --format html --output tls-report.html
```
HTML reports include visual grade indicators, detailed findings, and remediation recommendations.
SARIF (GitHub Security Integration)
SARIF integrates directly with GitHub's Security tab for automated scanning:
```bash
tlsanalyzer scan example.com --format sarif --output results.sarif
```
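What the GitHub integration consumes is a SARIF 2.1.0 log. The Go snippet below is an added example (not TLS Analyzer's own exporter) showing the minimal shape such a scanner has to emit: a `tool.driver` with a rule list and one `result` per finding, with scanner severities mapped onto the three SARIF levels (`error`, `warning`, `note`). The `tlsFinding` type, the rule identifiers and the use of a `tls://host` URI as each result's artifact location are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// tlsFinding is one scanner observation (constructed for this example).
type tlsFinding struct {
	Host     string
	RuleID   string
	Severity string // "high", "warn" or "info"
	Message  string
}

// sarifLevel maps scanner severities onto the SARIF result levels.
func sarifLevel(severity string) string {
	switch severity {
	case "high":
		return "error"
	case "warn":
		return "warning"
	default:
		return "note"
	}
}

// toSARIF builds a minimal SARIF 2.1.0 document: every distinct RuleID is
// declared once under the driver, and each finding becomes a result whose
// location is the scanned host (assumed URI scheme "tls://").
func toSARIF(toolName string, findings []tlsFinding) map[string]any {
	seen := map[string]bool{}
	rules := []map[string]any{}
	results := []map[string]any{}
	for _, f := range findings {
		if !seen[f.RuleID] {
			seen[f.RuleID] = true
			rules = append(rules, map[string]any{
				"id":               f.RuleID,
				"shortDescription": map[string]any{"text": f.RuleID},
			})
		}
		results = append(results, map[string]any{
			"ruleId":  f.RuleID,
			"level":   sarifLevel(f.Severity),
			"message": map[string]any{"text": f.Message},
			"locations": []map[string]any{{
				"physicalLocation": map[string]any{
					"artifactLocation": map[string]any{"uri": "tls://" + f.Host},
				},
			}},
		})
	}
	return map[string]any{
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"version": "2.1.0",
		"runs": []map[string]any{{
			"tool":    map[string]any{"driver": map[string]any{"name": toolName, "rules": rules}},
			"results": results,
		}},
	}
}

func main() {
	// Constructed sample findings standing in for a real scan.
	doc := toSARIF("example-tls-scanner", []tlsFinding{
		{"api.example.com", "TLS-LEGACY-PROTOCOL", "high", "TLS 1.0 is enabled"},
		{"api.example.com", "TLS-CERT-EXPIRY", "warn", "certificate expires in 20 days"},
	})
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
}
```

The resulting JSON is what a step like `github/codeql-action/upload-sarif` expects as `sarif_file`; the level decides whether an alert shows up as an error, a warning or a note in the Security tab.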
CBOM (Cryptographic Bill of Materials)
Generate CycloneDX-compatible CBOMs for compliance and supply chain transparency:
```bash
tlsanalyzer scan example.com --format cbom --output tls-cbom.json
```
CBOMs document all cryptographic components discovered during the scan, including algorithms, key sizes, and protocol versions.
Policy-Based Scanning
Built-in Policies
```bash
# List available policies
tlsanalyzer policies

# Apply the strict policy
tlsanalyzer scan example.com --policy strict

# Apply the modern policy
tlsanalyzer scan example.com --policy modern
```
Custom Policies
Define custom policies in YAML for organization-specific requirements:
```yaml
# my-policy.yaml
name: corporate-standard
description: Corporate TLS requirements
rules:
  protocol:
    min_version: "TLS 1.2"
    required: ["TLS 1.3"]
    forbidden: ["TLS 1.0", "TLS 1.1", "SSL 3.0"]
  cipher_suites:
    required_features:
      - forward_secrecy
    forbidden_algorithms:
      - 3DES
      - RC4
      - MD5
    min_key_size: 256
  certificate:
    max_days_to_expiry: 90
    min_key_size: 2048
    forbidden_signature_algorithms:
      - SHA1withRSA
      - MD5withRSA
```
Apply your custom policy:
```bash
tlsanalyzer scan example.com --policy-file my-policy.yaml
```
CI/CD Integration
GitHub Actions
```yaml
name: TLS Security Scan
on:
  schedule:
    - cron: '0 6 * * 1' # Weekly on Monday
  workflow_dispatch:
jobs:
  tls-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Install TLS Analyzer
        run: go install github.com/csnp/qramm-tls-analyzer/cmd/tlsanalyzer@latest
      - name: Scan Production Endpoints
        run: |
          tlsanalyzer scan \
            api.example.com \
            app.example.com \
            --format sarif \
            --output tls-results.sarif \
            --policy modern
      - name: Upload SARIF Results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: tls-results.sarif
```
Note that the upload step writes to the repository's code scanning alerts, so the workflow's `GITHUB_TOKEN` needs the `security-events: write` permission.
GitLab CI
```yaml
tls-security-scan:
  image: golang:1.21
  stage: security
  script:
    - go install github.com/csnp/qramm-tls-analyzer/cmd/tlsanalyzer@latest
    - tlsanalyzer scan $PRODUCTION_HOSTS --format json --output tls-report.json
  artifacts:
    reports:
      security: tls-report.json
  only:
    - schedules
```
`PRODUCTION_HOSTS` is expected to be a CI/CD variable holding the space-separated list of hosts to scan.
Ready to Assess Your TLS Security?
Get started with TLS Analyzer today - scan your endpoints for quantum readiness and CNSA 2.0 compliance.
Related Resources
- CryptoScan Guide - Discover cryptographic assets in your codebase
- NIST PQC Standards Guide - Understanding the standardized algorithms
- Crypto Agility - Building flexibility into cryptographic systems
- Harvest Now, Decrypt Later - Understanding the HNDL threat