TLSleuth 1.0.0 is here — a lightweight, script-friendly PowerShell module for peeking under the hood of TLS endpoints. It’s built for operators and scripters who want fast, reliable insights without hauling in a full-blown scanner.
TL;DR highlights
Get-TLSleuthCertificate: fetch TLS handshake + certificate details- Optional chain build and revocation check
- Extract SANs, AIA, and CRL Distribution Points
- Structured, script-friendly output; verbose diagnostics
- Pester tests with mocks; optional integration tests
Why TLSleuth?
You already have great scanners (OpenSSL, testssl.sh, sslscan, sslyze). TLSleuth fills the gap when you just need to:
- confirm the negotiated protocol/cipher,
- inventory SANs, issuers, and expiry,
- sanity check a renewal across many hosts,
- or plug basic TLS checks into scripts/CI.
It returns native PowerShell objects that are easy to filter, sort, and export.
Install
Install-Module TLSleuth -Scope CurrentUser
Import-Module TLSleuth
PowerShell 7+ recommended. Windows PowerShell 5.1 works with reduced cipher detail.
Quick Start
# Fetch cert + handshake details
Get-TLSleuthCertificate -Hostname example.com
# Constrain protocol to TLS 1.2
Get-TLSleuthCertificate -Hostname example.com -TlsProtocols Tls12
# Include local chain build + revocation checks
Get-TLSleuthCertificate -Hostname example.com -IncludeChain -CheckRevocation
# Pipeline support
'github.com','microsoft.com' |
Get-TLSleuthCertificate -IncludeChain |
Select Host,Protocol,CipherSuite,@{n='PrimaryDNS';e={$_.Certificate.PrimaryDnsName}},IsTrusted
# Verbose tracing (timings per helper)
Get-TLSleuthCertificate -Hostname example.com -Verbose
If you connect by IP but need proper SNI, pass
-ServerName example.com.
Limitations (by design)
- Not a vulnerability scanner. TLSleuth shows the negotiated protocol/cipher and cert/chain info — it does not enumerate all ciphers or probe for CVEs.
- Platform-dependent visibility. On .NET 5+/PS7+, SslStream.NegotiatedCipherSuite is available; on older frameworks you’ll see algorithm names/strength instead.
- TLS 1.3 availability depends on your OS/runtime.
When you need deep probing (cipher enumeration, ALPN/H2, session resumption, CVE checks), use:
- sslyze
- sslscan
- testssl.sh TLSleuth excels as a fast pre-check and a building block in PowerShell pipelines.
Quality & Tests
- Pester unit tests with mocks (no network required)
- Optional integration tests (env-flagged) for live endpoints
- Verbose begin/complete + stopwatch per helper (-Verbose) for easy troubleshooting
Roadmap
- STARTTLS drivers (SMTP/IMAP/POP3/FTP/LDAP/XMPP)
- Best-effort protocol sweep (capture negotiated suites across TLS versions)
- Richer chain diagnostics (opt-in AIA/CRL fetch)
- More examples & export helpers (JSON/CSV) Have ideas or requests? Open an issue — contributions welcome!
If TLSleuth helps you ship or debug faster, a ⭐ on GitHub and a note about your use case would mean a lot. Happy sleuthing! 🕵️♂️🔐