TLS/SSL scanning tools for security professionals and developers

Documentation | Changes from Upstream | DeepViolet API

DeepVioletTools is a suite of TLS/SSL security scanning tools with graphical and command-line interfaces. It consumes the DeepViolet API to scan HTTPS servers and analyze certificate trust chains, revocation status, cipher suite strength, and security headers.

java -jar dvui.jar

Scan any HTTPS server and get a detailed TLS security report with risk assessment, certificate chain analysis, cipher suite enumeration, and more.

Ask questions about your scan results using the built-in AI assistant. Supports OpenAI, Anthropic, and local Ollama models. Configure your provider and API key in System > Settings > AI.

Scan multiple targets concurrently and compare results with heat map visualizations. Supports hostnames, IPs, CIDR blocks (10.0.1.0/24), IPv6, and dash ranges (10.0.2.1-50). Configurable worker threads (1–10) and throttle delay.

Save scan reports in multiple formats: text, HTML, PDF, or JSON.

# Full scan
java -jar dvcli.jar -serverurl https://www.github.com/

# Specific sections (t=header, c=connection, s=certificate, f=fingerprint)
java -jar dvcli.jar -serverurl https://www.github.com/ -s tcsf

# Export certificate to PEM
java -jar dvcli.jar -serverurl https://www.github.com/ -wc ~/certs/github.pem

# Multi-target scan with concurrent workers
java -jar dvcli.jar --scan "github.com,google.com,example.com" --scan-threads 4

# Multi-target scan from file
java -jar dvcli.jar --scan-file targets.txt --scan-threads 4 -o scan-report.json

# Validate DV API results against openssl
java -jar dvcli.jar --validate google.com
java -jar dvcli.jar --validate expired.badssl.com

Example: java -jar dvcli.jar -serverurl https://github.com/ -s aecsf

• TLS Risk Assessment — YAML-driven scoring engine with 65 rules across 7 categories, numeric score, letter grade, and visual category breakdown. Supports user-defined risk rules merged with system rules.
• Certificate Analysis — Trust chains, validity, expiration, public key details (algorithm, size, EC curve), SAN enumeration, signing algorithms, OIDs
• Cipher Suite Enumeration — All supported ciphers with strength evaluation (IANA, OpenSSL, GnuTLS, or NSS naming). Replaceable cipher map via custom YAML definitions.
• Revocation Checking — OCSP, OCSP Stapling, CRL, OneCRL, Must-Staple, Certificate Transparency (SCT signature verification from embedded, TLS extension, and OCSP staple sources)
• Security Headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and more
• TLS Probe Fingerprinting — JARM-inspired 10-probe fingerprinting that characterizes server TLS behavior for grouping and change detection
• DNS Security — CAA and DANE/TLSA record checking
• Fallback SCSV — RFC 7507 TLS Fallback Signaling detection
• Multi-Target Scanning — Scan multiple targets concurrently with configurable worker threads (1–10), throttle delay, and CIDR/range expansion. Supports hostnames, IPv4/IPv6, CIDR blocks, and dash ranges.
• Heat Map Visualization — 7-dimension color-coded grids comparing scan results across hosts (Risk, Ciphers, Security Headers, Connection, HTTP Response, Revocation, Fingerprint)
• AI Assistant — Ask questions about scan results using OpenAI, Anthropic, or local Ollama models
• Multi-format Export — Save reports as text, HTML, PDF, or JSON
• Card Layout Editor — Drag-and-drop grid editor for customizing scan host cards: element placement, multi-cell spanning, cell alignment (Shift+click), resizable grid proportions, and live card preview
• Theme Support — Dark, light, and system presets with full color customization
• Configurable Engine — Choose report sections, cipher naming convention, and protocol versions via System > Settings
• Test Server Library — Quick access to badssl.com test servers and recent scan history
• API Validation — Compare DV API results against openssl field-by-field for any server; verify accuracy with expired, self-signed, and EC certificate test cases
• PEM Export/Import — Save and analyze certificates offline

• Java 21 or later

git clone https://github.com/spoofzu/DeepVioletTools.git
cd DeepVioletTools
mvn clean package

Produces two uber JARs in target/:

• dvui.jar — GUI application
• dvcli.jar — Command-line tool

A dev Maven profile activates automatically when the sibling DeepViolet API has been built locally (../DeepViolet/target/classes exists). This makes it easy to toggle between testing local API changes and the latest production release:

# In ../DeepViolet/
mvn install          # Builds DV API → activates dev profile in Tools (uses local SNAPSHOT)
mvn clean            # Removes target/ → deactivates dev profile (Tools grabs latest from Maven Central)

See docs/DeepVioletTools.md for comprehensive documentation including JSON schema reference, vulnerability analysis details, and troubleshooting.

This tool implements ideas, code, and takes inspiration from: Qualys SSL Labs and Ivan Ristic, OpenSSL, Oracle's Java Security Team, and Thomas Pornin. Bundled monospace fonts by IBM Corp., The JetBrains Mono Project Authors, and The Mozilla Foundation and Telefonica S.A. AI coding assistance by Claude Code AI.

Apache License, Version 2.0

This project leverages the works of other open source community projects and is provided for educational purposes. Use at your own risk.

The author is an employee of Oracle Corporation. This project is a personal endeavor and is not affiliated with, sponsored by, or endorsed by Oracle. All views and code are the author's own.