Short answer
Use openssl s_client to see what a single connection negotiated; nmap --script ssl-enum-ciphers to list all suites the server accepts with a grade; testssl.sh for a thorough report that also tests for the named vulnerabilities (SWEET32, POODLE and others); and Qualys SSL Labs for a visual A–F grade you can share. The first three can test internal servers; SSL Labs requires a public domain.
1. openssl s_client — the quick check
Built in everywhere. Shows precisely what this one connection negotiated:

```sh
openssl s_client -connect example.com:443 -servername example.com
```
Look at the Protocol, Cipher and Server Temp Key lines in the output. Force a specific version or cipher to test whether it is allowed:

```sh
# Does the server accept TLS 1.0? (should fail)
openssl s_client -connect example.com:443 -tls1
# Does the server accept a weak cipher? (should fail)
openssl s_client -connect example.com:443 -cipher 'DES-CBC3-SHA'
```
If the last two fail with no protocols available or handshake failure, that is good — it means the server rejects them. See also what the different handshake errors mean.
2. nmap — the full list with a grade
The best single tool to see everything a server accepts at once, and it works against internal hosts too:
```sh
nmap --script ssl-enum-ciphers -p 443 example.com
```
The output groups by protocol version, lists each suite and gives the server an overall grade (A–F). Any C or worse, a line with 3DES/RC4/CBC, or a TLS 1.0/1.1 section tells you exactly what to remove — see why the old ciphers are dangerous.
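To turn that output into a concrete removal list, here is an added Python example (not code from nmap, testssl.sh or CertControl) that parses a constructed sample of ssl-enum-ciphers output and flags exactly the three things named above: legacy protocol sections, suites containing 3DES/RC4/CBC, and anything graded C or worse. The sample output and the function names are assumptions for the example.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers` output; not from a real scan.
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|_  least strength: C
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_MARKERS = ("3DES", "RC4", "CBC")  # the substrings the text above says to look for
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_\S+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
STRENGTH_RE = re.compile(r"^\|_?\s+least strength:\s+([A-F])\s*$")


def parse_enum_ciphers(text):
    """Return ({protocol: [(suite, key_exchange, grade), ...]}, least_strength)."""
    suites, current, least = {}, None, None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):          # "|   TLSv1.2:" opens a protocol section
            current = m.group(1)
            suites.setdefault(current, [])
        elif (m := SUITE_RE.match(line)) and current:   # one suite line with its grade
            suites[current].append((m.group(1), m.group(2), m.group(3)))
        elif m := STRENGTH_RE.match(line):     # nmap's overall grade for the server
            least = m.group(1)
    return suites, least


def findings(text):
    """List what to remove: legacy protocols, 3DES/RC4/CBC suites, grade C or worse."""
    suites, least = parse_enum_ciphers(text)
    out = []
    for proto in sorted(suites):
        if proto in LEGACY_PROTOCOLS:
            out.append(f"disable {proto}: legacy protocol still offered")
        for suite, _kex, grade in suites[proto]:
            marker = next((w for w in WEAK_MARKERS if w in suite), None)
            if marker or grade >= "C":  # letter grades compare in order: C, D, E, F all fail
                why = f"contains {marker}" if marker else f"graded {grade}"
                out.append(f"remove {suite} ({proto}): {why}")
    if least and least >= "C":
        out.append(f"overall least strength {least}: below baseline")
    return out
```

Feed it real nmap output (for example via `findings(open("scan.txt").read())`) and each returned line names one protocol or suite to disable.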
3. testssl.sh — the deep report
An open-source shell script that tests everything: protocols, ciphers, forward secrecy, the certificate and all the named vulnerabilities. It goes deeper than nmap and works internally too:
```sh
# Full scan
testssl.sh example.com
# Protocols and ciphers only
testssl.sh --protocols --ciphers example.com
# Only the known vulnerabilities (BEAST, POODLE, SWEET32, ...)
testssl.sh --vulnerable example.com
```
The output colour-codes every finding, so a red NOT ok stands out. It is the most thorough free tool for a one-off audit of a single server.
4. Qualys SSL Labs — the shareable grade
The web-based scanner at ssllabs.com/ssltest gives a visual A+ to F grade with a detailed explanation, and is excellent for documenting status to management or a customer. The limitation: it can only test publicly reachable domains — internal servers are invisible to it. The result is also cached, so remember to "Clear cache" after a change.
Which tool when?
| Tool | Best for | Internal? |
|---|---|---|
| openssl s_client | Quick single check | Yes |
| nmap | The full suite list | Yes |
| testssl.sh | Deep vulnerability report | Yes |
| SSL Labs | Shareable A–F grade | No |
What one-off testing does not solve
All four tools give a snapshot of one server you remember to test. The real problem in an organisation is that configuration drifts, and nobody runs testssl against all hundred endpoints every week — least of all the internal ones. CertControl automates exactly that: it probes all your endpoints continuously (internal ones via the agent too), records protocols, cipher suites, key exchange and certificate properties, and raises a finding with severity when something falls below your baseline. The tools above are perfect for investigating one finding in depth — CertControl ensures you know the finding exists at all. To understand what the results mean, see what is a cipher suite.
Frequently asked questions
Which tool is best for testing internal servers?
nmap and testssl.sh, since both can run against any host you have network access to. SSL Labs can only test public domains. openssl s_client also works internally for quick checks.
Why do SSL Labs and nmap sometimes give different grades?
They do not weight things identically, and SSL Labs caches results. Both are reliable for finding weak ciphers and protocols; use nmap/testssl for the technical detail and SSL Labs for a shareable overall grade.
How do I test whether a specific weak cipher is disabled?
Force it with openssl: openssl s_client -connect host:443 -cipher 'DES-CBC3-SHA'. If the handshake fails, the cipher is correctly rejected. If it succeeds, it is still allowed and should be removed.
Do I install testssl.sh, or is it online?
testssl.sh is a shell script you fetch from its GitHub repo and run locally — it gives the most detail and can test internal hosts. For a quick public test online, SSL Labs is the easiest.
How often should I test?
A one-off test catches the problem today, but configuration drifts. Test after every change, and use continuous scanning to keep catching the servers that fall out of baseline between manual tests.