TLSleuthPS v2.0.0 β Major Refactor & STARTTLS Support
Published: 28 February 2026
Version 2.0.0 of TLSleuthPS is now available on the PowerShell Gallery.
This release represents the largest internal refactor since the initial launch and introduces a highly requested capability: explicit transport support, including SMTP STARTTLS negotiation.
π Major Refactor
TLSleuthPS has undergone a significant internal redesign to improve clarity, maintainability, and extensibility.
What Changed
- Significant internal refactor to simplify and modularize helper functions\
- Improved separation of transport, handshake, and certificate extraction logic\
- Enhanced maintainability and extensibility of the TLS negotiation pipeline
Why This Matters
In previous versions, transport assumptions were tightly coupled with handshake logic. While functional, this limited extensibility.
The new architecture cleanly separates:
- Transport layer (TCP, SMTP STARTTLS, future transports)
- TLS handshake orchestration
- Certificate extraction and conversion
- Output shaping into a stable object model
This design makes it significantly easier to:
- Add new transport types
- Extend protocol support
- Maintain testability with Pester mocks
- Preserve output contract stability
Importantly, there are no breaking changes to the public output model.
β¨ New Feature: STARTTLS Support
TLSleuthPS can now retrieve certificates from SMTP servers using STARTTLS negotiation.
Previously, TLSleuth assumed implicit TLS (such as SMTPS on port 465).
With v2.0.0, you can explicitly request STARTTLS on ports like 25 or
587.
Example: Retrieve Certificate from an SMTP Server
# New in v2.0.0
Get-TLSleuthCertificate -Hostname smtp.gmail.com -Port 25 -Transport SmtpStartTls
What happens internally:
- A TCP connection is established.
- SMTP greeting is received.
- The
STARTTLScommand is issued. - The connection is upgraded to TLS.
- The certificate and negotiated TLS details are extracted.
This enables inspection of:
- SMTP servers on port 25
- Submission servers on port 587
- Any service requiring explicit TLS upgrade
π§ Architectural Improvements
Under the hood, the TLS negotiation pipeline is now layered and modular:
- Transport abstraction layer
- Handshake orchestration layer
- Certificate processing layer
- Output projection layer
This approach improves:
- Testability
- Readability
- Future protocol expansion
- Code maintainability
Unit tests remain fully mock-driven. Integration tests continue to validate real TLS handshakes.
π§ Upgrade Instructions
Update from the PowerShell Gallery:
Update-Module TLSleuth
Or install fresh:
Install-Module TLSleuth -Scope CurrentUser
Recommended runtime: PowerShell 7+
Supported: Windows PowerShell 5.1 (with reduced cipher detail).
π Whatβs Next?
The refactor in v2 lays the groundwork for future enhancements, including:
- Additional transport types
- Expanded protocol inspection
- Further handshake diagnostics
- Performance tuning improvements
β Feedback & Contributions
TLSleuthPS is open source and built for operators, engineers, and automation workflows that need fast, reliable TLS visibility.
If you find it useful:
- Leave a β on GitHub
- Open an issue for feature requests
- Submit a pull request
Thank you for supporting TLSleuthPS π