SSL/TLS protocol templates allow you to inspect SSL/TLS certificates, test cipher suites, detect vulnerabilities, and validate TLS configurations.

Basic SSL request

A simple SSL probe to check certificate information:
id: basic-ssl-probe

info:
  name: Basic SSL Certificate Check
  author: pdteam
  severity: info

ssl:
  - address: "{{Host}}:{{Port}}"
    
    matchers:
      - type: dsl
        dsl:
          - "probe_status == true"

SSL request components

Address

address (string, required): Target host and port to probe. Uses {{Host}}:{{Port}} for dynamic targeting.
ssl:
  - address: "{{Host}}:{{Port}}"
Or specify explicitly:
ssl:
  - address: "example.com:443"

TLS version control

Minimum version

min_version (string): Minimum TLS version to use. Options: sslv3, tls10, tls11, tls12, tls13
ssl:
  - address: "{{Host}}:{{Port}}"
    min_version: tls12

Maximum version

max_version (string): Maximum TLS version to allow.
ssl:
  - address: "{{Host}}:{{Port}}"
    max_version: tls12

Test for specific TLS versions

id: tls10-detection

info:
  name: TLS 1.0 Detection
  author: pdteam
  severity: low
  description: Detects servers still supporting deprecated TLS 1.0

ssl:
  - address: "{{Host}}:{{Port}}"
    min_version: tls10
    max_version: tls10
    
    matchers:
      - type: dsl
        dsl:
          - "probe_status == true"
          - "tls_version == 'tls10'"
        condition: and

Cipher suite testing

Specific ciphers

cipher_suites (array): List of cipher suites to test.
ssl:
  - address: "{{Host}}:{{Port}}"
    cipher_suites:
      - "TLS_RSA_WITH_RC4_128_SHA"
      - "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

Enumerate ciphers

tls_cipher_enum (boolean, default: false): Enumerate all supported cipher suites.
ssl:
  - address: "{{Host}}:{{Port}}"
    tls_cipher_enum: true
    tls_cipher_types:
      - insecure
      - weak
tls_cipher_types (array): Types of ciphers to enumerate. Options: insecure, weak, secure, all

Version enumeration

tls_version_enum (boolean, default: false): Enumerate all supported TLS versions.
ssl:
  - address: "{{Host}}:{{Port}}"
    tls_version_enum: true

Scan modes

scan_mode (string): TLS scanning mode. Options: auto, ctls, ztls, openssl
ssl:
  - address: "{{Host}}:{{Port}}"
    scan_mode: ztls

SSL response data

SSL templates expose extensive certificate and connection data:

Certificate information

subject_cn (string): Certificate subject common name
extractors:
  - type: dsl
    dsl:
      - subject_cn
subject_org (string): Certificate subject organization
subject_dn (string): Certificate subject distinguished name
issuer_cn (string): Certificate issuer common name
issuer_org (string): Certificate issuer organization
issuer_dn (string): Certificate issuer distinguished name

Validity period

not_before (timestamp): Certificate validity start date
matchers:
  - type: dsl
    dsl:
      - "not_before > now()"
not_after (timestamp): Certificate expiration date
matchers:
  - type: dsl
    dsl:
      - "(not_after - now()) < 2592000"  # Fewer than 30 days remain; also true once the certificate has expired

Other fields

serial (string): Certificate serial number
fingerprint_hash (string): Certificate fingerprint hash
domains (array): List of domains in certificate (CN + SANs)
cipher (string): Negotiated cipher suite
tls_version (string): Negotiated TLS version
tls_connection (string): TLS connection type
probe_status (boolean): Whether the SSL probe succeeded

Example: Certificate expiration check

id: ssl-cert-expiring

info:
  name: SSL Certificate Expiring Soon
  author: pdteam
  severity: medium
  description: Detects SSL certificates expiring within 30 days

ssl:
  - address: "{{Host}}:{{Port}}"
    
    matchers:
      - type: dsl
        dsl:
          - "probe_status == true"
          - "(not_after - now()) < 2592000"  # 30 days in seconds
        condition: and
    
    extractors:
      - type: dsl
        dsl:
          - subject_cn
          - '(not_after - now()) / 86400'  # Days until expiration

Example: Self-signed certificate detection

id: ssl-self-signed

info:
  name: Self-Signed SSL Certificate
  author: pdteam
  severity: low
  description: Detects self-signed SSL certificates

ssl:
  - address: "{{Host}}:{{Port}}"
    
    matchers:
      - type: dsl
        dsl:
          - "probe_status == true"
          - "subject_dn == issuer_dn"
        condition: and
    
    extractors:
      - type: dsl
        dsl:
          - subject_cn
          - issuer_cn

Example: Weak cipher detection

id: ssl-weak-cipher

info:
  name: Weak SSL Cipher Suite
  author: pdteam
  severity: medium
  description: Detects use of weak or insecure cipher suites

ssl:
  - address: "{{Host}}:{{Port}}"
    tls_cipher_enum: true
    tls_cipher_types:
      - insecure
      - weak
    
    matchers:
      - type: dsl
        dsl:
          - "probe_status == true"
    
    extractors:
      - type: dsl
        name: weak_ciphers
        dsl:
          - cipher

Example: Multiple TLS versions

id: ssl-multi-version-check

info:
  name: TLS Version Support Matrix
  author: pdteam
  severity: info
  description: Checks which TLS versions are supported

ssl:
  - address: "{{Host}}:{{Port}}"
    min_version: tls10
    max_version: tls10
  
  - address: "{{Host}}:{{Port}}"
    min_version: tls11
    max_version: tls11
  
  - address: "{{Host}}:{{Port}}"
    min_version: tls12
    max_version: tls12
  
  - address: "{{Host}}:{{Port}}"
    min_version: tls13
    max_version: tls13
    
    matchers:
      - type: dsl
        dsl:
          - "probe_status == true"
    
    extractors:
      - type: dsl
        dsl:
          - tls_version

Example: Domain validation

id: ssl-domain-mismatch

info:
  name: SSL Certificate Domain Mismatch
  author: pdteam
  severity: medium
  description: Detects SSL certificates with domain mismatches

ssl:
  - address: "{{Host}}:{{Port}}"
    
    matchers:
      - type: dsl
        dsl:
          - "probe_status == true"
          - "!contains(domains, Host)"
        condition: and
    
    extractors:
      - type: dsl
        dsl:
          - subject_cn
          - 'join(",", domains)'
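
Why the domain check above needs care with wildcard certificates, shown as an added example that is not part of the original page or of the Nuclei project. substring_check is an assumed model of contains(domains, Host) as a substring test over the joined list; name_matches, certificate_covers, compare and the sample inputs are constructed for illustration.

```python
# Added example; the inputs below are constructed, not real scan output.

def substring_check(domains, host):
    """Assumed model of contains(domains, Host): a substring test
    over the comma-joined domains list."""
    return host in ",".join(domains)


def name_matches(pattern, host):
    """Match one certificate name against a hostname. A wildcard counts
    only as the complete leftmost label and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial or non-leftmost wildcard is rejected
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def certificate_covers(domains, host):
    """True when any name in the certificate covers the host."""
    return any(name_matches(name, host) for name in domains)


def compare(domains, host):
    """Return (substring verdict, label-aware verdict) for one probe."""
    return substring_check(domains, host), certificate_covers(domains, host)


# Constructed cases: (domains field, Host)
CASES = [
    (["*.example.com", "example.com"], "www.example.com"),  # wildcard covers host
    (["www.example.com.cdn.test"], "www.example.com"),      # longer name only
    (["*.example.com"], "a.b.example.com"),                 # two labels below
]

if __name__ == "__main__":
    for domains, host in CASES:
        print(host, domains, compare(domains, host))
```

A result of (False, True) is a certificate that covers the host but would be reported as a mismatch by a substring test; (True, False) is a real mismatch that a substring test would miss.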

Matchers for SSL

DSL matchers

Most SSL matching is done with DSL:
matchers:
  # Check if probe succeeded
  - type: dsl
    dsl:
      - "probe_status == true"
  
  # Check TLS version
  - type: dsl
    dsl:
      - "tls_version == 'tls13'"
  
  # Check cipher
  - type: dsl
    dsl:
      - "contains(cipher, 'AES')"
  
  # Check expiration
  - type: dsl
    dsl:
      - "(not_after - now()) < 86400"  # Less than 1 day
  
  # Check self-signed
  - type: dsl
    dsl:
      - "subject_dn == issuer_dn"
  
  # Check organization
  - type: dsl
    dsl:
      - "contains(tolower(subject_org), 'test')"

Extractors for SSL

extractors:
  # Extract subject CN
  - type: dsl
    name: certificate_cn
    dsl:
      - subject_cn
  
  # Extract all domains
  - type: dsl
    name: certificate_domains
    dsl:
      - 'join(",", domains)'
  
  # Extract days until expiration
  - type: dsl
    name: days_until_expiry
    dsl:
      - '(not_after - now()) / 86400'
  
  # Extract issuer
  - type: dsl
    name: issuer
    dsl:
      - issuer_org
  
  # Extract TLS info
  - type: dsl
    name: tls_info
    dsl:
      - 'tls_version + " - " + cipher'

Complete examples

id: ssl-cert-expired

info:
  name: Expired SSL Certificate
  author: pdteam
  severity: high

ssl:
  - address: "{{Host}}:{{Port}}"
    
    matchers:
      - type: dsl
        dsl:
          - "probe_status == true"
          - "not_after < now()"
        condition: and

Testing tips

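Use -debug for detailed SSL information:
# Show detailed SSL information for the probe
nuclei -t ssl-template.yaml -u example.com:443 -debug
# Supply targets on stdin, including a non-default port
echo "example.com:443" | nuclei -t ssl-template.yaml
echo "example.com:8443" | nuclei -t ssl-template.yaml
# Probe a local service
nuclei -t ssl-template.yaml -u localhost:443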

Common use cases

Expiration monitoring: Alert on certificates expiring soon
Weak crypto: Detect outdated TLS versions and ciphers
Self-signed certs: Identify self-signed certificates
Domain validation: Verify certificate matches hostname
