SSL Labs on the command line

Call Us 0800 107 7979

Service Status

Back to knowledgebase

Last updated: 23 March 2021

In our article about checking the health of SSL certificates we used Qualys’ online SSL Labs checker. If you prefer the command line and know how to parse JSON then you’ll be delighted to know that you can perform the same check using the ssllabs-scan utility.

The utility is particularly useful if you want to automate testing and/or check multiple websites. It has some other neat options, such as checking SSL certificates for websites that aren’t publicly available. To give you an idea of how to use the utility I’ll check the catalyst2.com certificate.

As containers are all the rage I’ll run ssllabs-scan in a Podman container. You don’t have to use a container, and you can of course use Docker instead of Podman (simply replace podman with docker in the commands that follow).

Download the Docker image

The first step is to download (pull) the Docker image. It’s a very small image (just over 5MB):

$ podman pull jumanjiman/ssllabs-scan:latest
✔ docker.io/jumanjiman/ssllabs-scan:latest
Trying to pull docker.io/jumanjiman/ssllabs-scan:latest...
Getting image source signatures
Copying blob 2b3390b5d16d done  
Copying blob 6836ab1d7e3b done  
Copying blob 6e53f611f3e5 done  
Copying config 2a46bf22e3 done  
Writing manifest to image destination
Storing signatures
2a46bf22e388c2e6cfecc877c3a1039249f93d3f961a9fcb2d89c488f8e10709

$ podman images
REPOSITORY                                     TAG     IMAGE ID      CREATED       SIZE
registry.fedoraproject.org/f33/fedora-toolbox  33      af1f279fed20  2 months ago  351 MB
docker.io/jumanjiman/ssllabs-scan              latest  2a46bf22e388  9 months ago  5.68 MB

Scan options

Next, I run the container to check the catalyst2.com certificate. By default, you get a few status messages followed by the IP address, the certificate rating and a huge blob of JSON. If you just want to know the headlines then you can add the --quiet and --grade options. The former option disables status messages and the latter returns just the hostname, IP address and rating:

$ podman run --rm -it jumanjiman/ssllabs-scan:latest --quiet --grade catalyst2.com
HostName:"catalyst2.com"
"84.18.210.139":"A"

If you want all the information then you can use the --quiet option and redirect the output to a JSON file:

$ podman run --rm -it jumanjiman/ssllabs-scan:latest --quiet https://catalyst2.com > catalyst2.com.json

You can now parse the JSON file. For instance, you can use the jq utility to get specific bits of data:

$ jq '.[].endpoints[].grade' catalyst2.com.json
"A"

$ jq '.[].endpoints[].ipAddress' catalyst2.com.json
"84.18.210.139"

$ jq '.[].host' test.json
"https://catalyst2.com"

$ jq '.[].endpoints[].details.protocols' catalyst2.com.json
[
  {
    "id": 771,
    "name": "TLS",
    "version": "1.2"
  },
  {
    "id": 772,
    "name": "TLS",
    "version": "1.3"
  }
]

Other command line tools

Depending on what information you need the ssllabs-scan utility might be overkill. For instance, if you just want to check if a website can be accessed via HTTPS then you can use curl instead:

$ curl -IL https://example.net
curl: (60) SSL certificate problem: self signed certificate
...

openssl s_client

You can also use openssl to get more information about a certificate:

$ openssl s_client -connect example.net:443
CONNECTED(00000003)
depth=0 CN = example.net, O = Examples Rock, L = Exampleville, C = GB, ST = Exampleshire
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = example.net, O = Examples Rock, L = Exampleville, C = GB, ST = Exampleshire
verify return:1
---
Certificate chain
 0 s:CN = example.net, O = Examples Rock, L = Exampleville, C = GB, ST = Exampleshire
   i:CN = example.net, O = Examples Rock, L = Exampleville, C = GB, ST = Exampleshire
---
...
SSL handshake has read 1617 bytes and written 385 bytes
Verification error: self signed certificate
...
Verify return code: 18 (self signed certificate)
...

Clearly, a self-signed certificate can’t be trusted. example.net in Exampleville isn’t a recognised certificate authority! Here’s an example of a certificate that does validate:

$ openssl s_client -connect catalyst2.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
verify return:1
depth=0 CN = www.catalyst2.com
verify return:1
---
Certificate chain
 0 s:CN = www.catalyst2.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
...
SSL handshake has read 3298 bytes and written 387 bytes
Verification: OK
...
Verify return code: 0 (ok)
...

Checking TLS support

You can also use openssl s_client to check what TLS versions a server supports. For instance, you can check if SSL3 is disabled:

$ openssl s_client -connect catalyst2.com:443 -ssl3
CONNECTED(00000003)
140485809567552:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
...

In case you’re wondering, SSL3 is a security nightmare that should be disabled. It’s not secure, so not having support for the protocol is a good thing. In the same way you can check if a server supports TLS 1.2 (which it should):

$ openssl s_client -connect catalyst2.com:443 -tls1_2
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
verify return:1
depth=0 CN = www.catalyst2.com
verify return:1
---
Certificate chain
 0 s:CN = www.catalyst2.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
...

Unfortunately, you can’t simply list all TLS versions supported by a server. To check all TLS versions you need to run multiple commands:

$ openssl s_client -connect catalyst2.com:443 -ssl3
$ openssl s_client -connect catalyst2.com:443 -tls1
$ openssl s_client -connect catalyst2.com:443 -tls1_1
$ openssl s_client -connect catalyst2.com:443 -tls1_2
$ openssl s_client -connect catalyst2.com:443 -tls1_3

Featured Blogs

Identifying Common Server Issues and How to Avoid Them

22nd July 2024

By catalyst2 Team

To maintain a smooth operation of any online business or digital service you need a server that is efficient and that you can rely on. Here at catalyst2 we understand the challenges that businesses face daily; purely to keep their business alive so the challenges that are faced in addition to this when server issues …

Read Article

Why Server Backups are a Safety Net in the Digital World

15th July 2024

By catalyst2 Team

Data is the foundation for businesses as it provides insights into customer behaviour and trends, as well as business performance and efficiency. So, businesses have the tools they need to make informed decisions and plan strategically. For businesses that are just starting out or that are smaller, data is a catalyst to help identify growth …

Read Article

What are Flexible Servers and When are They Beneficial?

10th July 2024

By catalyst2 Team

The word ‘server’ is frequently used in everyday discussions in IT departments within organisations, but unless you work in the tech industry, you might not be familiar with what it really means. A server is the backbone of all digital operations. It is there to manage tasks like data storage, processing requests, delivering content across …

Read Article

Why Server Uptime Matters for Your Business Website

4th July 2024

By catalyst2 Team

While many businesses still have physical workspaces or brick-and-mortar stores, the importance of a digital presence shouldn’t be overlooked. In addition to using things like social media channels to boost your brand awareness and interact with your customers, having a website offers several benefits. In today’s digital world, the performance of your website is crucial …

Read Article

How to Protect Your Website Against Digital Disasters

27th June 2024

By catalyst2 Team

More so than ever before, having a high-performing website is essential to the ongoing success of a business. Regardless of which industry you operate in, a website is a powerful tool that can improve brand recognition, drive growth and support customer engagement. Not to mention, it allows for online sales and can remove geographical barriers …

Read Article

Does a Server Impact Website Traffic?

23rd May 2024

By catalyst2 Team

Regardless of which industry sector you operate in or what type of products and services you offer, having a website is non-negotiable in today’s digital world. More so than ever before, people turn to the internet to find businesses that can assist them with their specific needs and if you don’t have a website, you …

Read Article

A Beginner’s Guide to Managing Your Website Server

17th May 2024

By catalyst2 Team

When it comes to website management, there is a key component that business owners often overlook; server management. Your website server plays a crucial role in your online presence, it facilitates the delivery of your web pages to users and without a server, your website simply wouldn’t be visible online. So, it’s crucial to ensure …

Read Article

Exploring the Costs Associated With a Website

14th February 2024

By catalyst2 Team

In the digital age, getting a website is more than just a way to build an online presence, it’s a vital business investment. Not only do large retail businesses need a website, but smaller local businesses can also benefit from taking their business online. Recognising this importance, many businesses are now dedicating significant resources towards …

Read Article

The Importance of Dedicated Servers for E-Commerce Websites

26th January 2024

By catalyst2 Team

In the fast-paced world of e-commerce, having a reliable website is an essential factor in success. Whether you also have a brick-and-mortar store or solely a digital shop, ensuring your website is performing at its best can have a direct impact on your bottom line. Factors such as website uptime, ease of navigation and speed …

Read Article

Things to Consider During a Website Review

10th January 2024

By catalyst2 Team

Designing a website requires careful consideration and several reviews during the development stages to ensure everything is perfect. Once live, it can be easy to assume that no further updates are needed and your website will continue to perform well, however, this isn’t always the case. Regularly reviewing your website is essential to ensure its …

Read Article

What our clients say

Everything is fine, thank you. The queries I had were dealt with in a prompt, professional and truly friendly manner! I have never experienced such superb service from any other supplier!

You guys and Catalyst2 are awesome!

Kan Parekh, WSI

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Always Enabled

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_5562310_11	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
_ashkii	session	No description available.
_wicasa	3 months	No description available.
AnalyticsSyncHistory	1 month	No description
cookid	3 months	No description available.
cookietest	session	No description
crisp-client/domain-detect/1644827320973	session	No description
crisp-client/domain-detect/1644827348275	session	No description
crisp-client/domain-detect/1644827428415	session	No description
crisp-client/domain-detect/1644827479357	session	No description
crisp-client/domain-detect/1644827596454	session	No description
crisp-client/domain-detect/1644827724838	session	No description
crisp-client/domain-detect/1644827824383	session	No description
crisp-client/domain-detect/1644827878659	session	No description
crisp-client/domain-detect/1644828716243	session	No description
crisp-client/domain-detect/1644828846246	session	No description
crisp-client/domain-detect/1644829369013	session	No description
crisp-clientsession30cc6953-ebcf-4bc6-b649-c44eb446409e	6 months	No description
dbmFP	3 months	No description available.
dbmPK	3 months	No description available.
li_gc	2 years	No description

SSL Labs on the command line

Download the Docker image

Scan options

Other command line tools

openssl s_client

Checking TLS support

Featured Blogs

What our clients say

Everything is fine, thank you. The queries I had were dealt with in a prompt, professional and truly friendly manner! I have never experienced such superb service from any other supplier! You guys and Catalyst2 are awesome!

Kan Parekh, WSI

Everything is fine, thank you. The queries I had were dealt with in a prompt, professional and truly friendly manner! I have never experienced such superb service from any other supplier!

You guys and Catalyst2 are awesome!