How to Audit SSL/TLS on Linux — The Complete Guide
Misconfigured SSL costs more than a certificate renewal. Expired certs, weak ciphers, missing HSTS — these are the things that silently break trust and trigger browser warnings at the worst possible time.
This guide shows you how to audit SSL/TLS from the command line on any Linux server, and how to automate it so you never miss a misconfiguration again.
The manual way: openssl + curl
Check certificate expiry
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -dates
Output:
notBefore=Jan 13 00:00:00 2025 GMT
notAfter=Feb 12 23:59:59 2026 GMT
Check the full certificate chain
echo | openssl s_client -connect example.com:443 -servername example.com -showcerts 2>/dev/null
Look for:
- depth=0: your certificate
- depth=1: intermediate CA
- depth=2: root CA
A missing intermediate is the most common issue — browsers may fill the gap, but API clients and curl won't.
Check supported TLS versions
# echo | closes stdin so s_client exits instead of waiting for input; -servername sends SNI
# Test TLS 1.0 (should fail on a properly configured server)
echo | openssl s_client -connect example.com:443 -servername example.com -tls1 2>&1 | head -5
# Test TLS 1.2
echo | openssl s_client -connect example.com:443 -servername example.com -tls1_2 2>&1 | head -5
# Test TLS 1.3
echo | openssl s_client -connect example.com:443 -servername example.com -tls1_3 2>&1 | head -5
If TLS 1.0 or 1.1 succeeds, your server is accepting deprecated protocols.
Check cipher suites
nmap --script ssl-enum-ciphers -p 443 example.com
Watch for:
- DES, RC4, 3DES — broken, must be removed
- CBC mode ciphers with TLS < 1.3 — vulnerable to BEAST/POODLE
- No AEAD ciphers — missing GCM/ChaCha20
Check HSTS header
curl -sI https://example.com | grep -i strict-transport
Expected:
strict-transport-security: max-age=31536000; includeSubDomains; preload
Missing HSTS means browsers won't enforce HTTPS after the first visit.
Check OCSP stapling
echo | openssl s_client -connect example.com:443 -status 2>/dev/null \
| grep -A 5 "OCSP Response"
If you see OCSP Response Status: successful, stapling is working. If not, the browser has to contact the CA on every connection — slower and a privacy leak.
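The checks above, strung together as a small shell script that runs the expiry, deprecated-protocol and HSTS checks over every host given on the command line. This is an added example for this guide, not NetForge code or part of the original; it assumes openssl (s_client and x509 -checkend) and curl are installed and that the hosts serve HTTPS on port 443.

```shell
#!/bin/sh
# Batch version of the expiry, deprecated-protocol and HSTS checks above, one
# host per argument. Added example for this guide, not NetForge code. Assumes
# openssl (s_client, x509 -checkend) and curl are installed; hosts serve :443.

# Classify raw `openssl s_client -tls1 ...` output. "no protocols available" means
# the *local* OpenSSL refuses that version, so the probe says nothing about the server.
classify_tls_probe() {
  case "$1" in
    *"no protocols available"*) echo client-disabled ;;
    *"Cipher is (NONE)"*)       echo rejected ;;   # handshake failed, no cipher agreed
    *"Cipher is "*)             echo accepted ;;   # a cipher was negotiated
    *)                          echo unknown ;;
  esac
}

# Classify a Strict-Transport-Security header line (empty string = header absent).
# Prints missing, malformed, short:<max-age> (under one year) or ok:<max-age>.
hsts_status() {
  [ -n "$1" ] || { echo missing; return; }
  max_age=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] || { echo malformed; return; }
  [ "$max_age" -lt 31536000 ] && echo "short:$max_age" || echo "ok:$max_age"
}

WARN_DAYS=${WARN_DAYS:-30}   # expiry window that triggers a FAIL
audit_host() {
  host=$1
  # x509 -checkend exits non-zero if the certificate expires within N seconds.
  if echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
       | openssl x509 -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
    echo "ok    $host  certificate valid beyond $WARN_DAYS days"
  else
    echo "FAIL  $host  certificate expires within $WARN_DAYS days (or unreadable)"
  fi
  for ver in tls1 tls1_1; do
    out=$(echo | openssl s_client -connect "$host:443" -servername "$host" "-$ver" 2>&1 || true)
    case "$(classify_tls_probe "$out")" in
      accepted)        echo "FAIL  $host  deprecated $ver accepted" ;;
      rejected)        echo "ok    $host  $ver rejected" ;;
      client-disabled) echo "SKIP  $host  $ver unsupported by local openssl" ;;
      *)               echo "WARN  $host  $ver probe inconclusive" ;;
    esac
  done
  hdr=$(curl -sI --max-time 10 "https://$host/" | tr -d '\r' | grep -i '^strict-transport-security:' || true)
  echo "HSTS  $host  $(hsts_status "$hdr")"
}

for h in "$@"; do audit_host "$h"; done
```

Run it as `sh ssl_batch_check.sh example.com example.org`; a SKIP line means your local OpenSSL build cannot speak that protocol version, so that result must be verified with another client rather than treated as a pass.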
The problem with manual checks
Each of these commands checks one thing. A proper SSL audit needs all of them, plus HTTP-to-HTTPS redirect verification, certificate chain validation, cipher strength scoring, HSTS preload list cross-reference, and an overall security grade.
Doing this manually takes 10-15 minutes per domain. For 20 servers, that's half a day.
The automated way: NetForge
One command, full report:
netforge ssl example.com
Output:
NetForge SSL/TLS -> example.com
i TLS 1.2, TLS 1.3
ok Certificate valid - expires in 287 days
ok Full chain present (3 certificates)
ok HSTS enabled (max-age=31536000)
ok HSTS Preload: in preload list
ok OCSP Stapling: active
! TLS 1.2 still enabled (consider TLS 1.3 only)
ok No weak ciphers detected
Score: 92/100 - low risk
What it checks in one pass:
- Certificate validity, chain completeness, key strength
- TLS protocol versions (flags 1.0/1.1 as critical)
- Cipher suite analysis (flags weak/deprecated ciphers)
- HSTS presence, max-age, includeSubDomains, preload status
- OCSP stapling
- HTTP to HTTPS redirect
- Overall score with risk classification
JSON output for scripting
netforge ssl example.com --json | jq '.score, .grade'
Pipe it into monitoring, Slack alerts, or CI/CD pipelines.
Full audit — SSL + everything else
netforge audit example.com
Runs SSL, DNS, headers, mail (SPF/DKIM/DMARC), port scan, cookie security, CSP, CORS, clickjacking, open redirect, and path probe. One command, weighted score across all modules.
Fix what you find
NetForge includes an SSL Config Generator that produces hardened configurations for nginx, Apache, HAProxy, and Lighttpd — based on Mozilla's SSL guidelines.
Choose Modern (TLS 1.3 only) or Intermediate (TLS 1.2 + 1.3), and get a drop-in config file with the right ciphers, HSTS headers, and OCSP stapling already configured.
Try NetForge
Full SSL audit in one command. No cloud, no account, runs on your machine.