Quantum-Ready TLS Security Assessment Tool
Quick Start • Features • Installation • Usage • Output Formats • Policies • Contributing
QRAMM TLS Analyzer is an open-source command-line tool that performs comprehensive TLS security analysis with a focus on post-quantum cryptography (PQC) readiness. As quantum computing advances, organizations must prepare their cryptographic infrastructure for the post-quantum era. This tool helps you understand your current TLS posture and provides actionable guidance for CNSA 2.0 compliance.
Part of the QRAMM (Quantum Readiness Assurance Maturity Model) toolkit, developed by the Cyber Security Non-Profit (CSNP).
⚠️ **Responsible Use Warning**: This tool performs active network connections to analyze TLS configurations. Only scan systems and domains you own or have explicit written authorization to test. Unauthorized scanning may violate laws and regulations in your jurisdiction. The authors assume no liability for misuse of this tool.
- Harvest Now, Decrypt Later (HNDL): Adversaries are collecting encrypted data today to decrypt once quantum computers become available
- CNSA 2.0 Deadlines: NSA's timeline requires hybrid PQC for new systems by 2027 and full transition by 2035
- Long Migration Cycles: Cryptographic migrations typically take 5-10 years to complete
- Regulatory Pressure: Government agencies and regulated industries must demonstrate quantum readiness
Requires Go 1.23+ (install Go)
Copy and paste this entire block:

```bash
git clone https://github.com/csnp/qramm-tls-analyzer.git
cd qramm-tls-analyzer
go build -o tlsanalyzer ./cmd/tlsanalyzer
sudo mv tlsanalyzer /usr/local/bin/
cd ..
tlsanalyzer --version
```

Download pre-built binaries from Releases.
```bash
# Scan a domain you own or have permission to test
tlsanalyzer yourdomain.com
```

Expected output: Security grade, quantum risk score, CNSA 2.0 timeline.
| Feature | Description |
|---|---|
| Protocol Analysis | TLS 1.0, 1.1, 1.2, 1.3 version detection with deprecation warnings |
| Cipher Suite Evaluation | Strength assessment, forward secrecy verification, weak algorithm detection |
| Certificate Analysis | Validity, chain verification, key strength, signature algorithm assessment |
| Vulnerability Detection | BEAST, POODLE, weak ciphers, expired certificates, and more |

| Feature | Description |
|---|---|
| Quantum Risk Scoring | 0-100 score indicating quantum vulnerability |
| PQC Detection | ML-KEM, ML-DSA, SLH-DSA, and hybrid key exchange detection |
| HNDL Risk Assessment | Evaluate exposure to harvest-now-decrypt-later attacks |
| CNSA 2.0 Timeline | Track compliance against NSA's post-quantum migration deadlines |

| Feature | Description |
|---|---|
| Policy-as-Code | Built-in and custom YAML policies for automated compliance checking |
| CNSA 2.0 Timeline Tracking | Milestones for 2025, 2027, 2030, 2033, 2035 |
| Multiple Output Formats | Text, JSON, SARIF, CycloneDX CBOM, HTML |
| Batch Scanning | Scan multiple targets with concurrency control |
```bash
./tlsanalyzer yourdomain.com                               # Human-readable text (default)
./tlsanalyzer yourdomain.com --format json                 # JSON output
./tlsanalyzer yourdomain.com --format html -o report.html  # Standalone HTML report
./tlsanalyzer yourdomain.com --format cbom -o cbom.json    # CycloneDX CBOM
./tlsanalyzer yourdomain.com --format sarif -o scan.sarif  # SARIF for GitHub Security
```

```bash
./tlsanalyzer policies                                     # List available policies
./tlsanalyzer yourdomain.com --policy cnsa-2.0-2027        # CNSA 2.0 compliance check
./tlsanalyzer yourdomain.com --policy-file custom.yaml     # Custom policy file
```

```bash
# Create targets file
echo "api.yourdomain.com
web.yourdomain.com
auth.yourdomain.com" > targets.txt

# Scan all targets
./tlsanalyzer --targets targets.txt --format html -o report.html
```

```bash
./tlsanalyzer yourdomain.com:8443                          # Custom port
./tlsanalyzer 192.168.1.1 --sni yourdomain.com             # Custom SNI
./tlsanalyzer yourdomain.com --timeout 60                  # Custom timeout
./tlsanalyzer yourdomain.com --skip-vulns                  # Skip vulnerability checks
./tlsanalyzer yourdomain.com --skip-quantum                # Skip quantum assessment
```

Sample terminal output:
```text
═══════════════════════════════════════════════════════════════
  QRAMM TLS Analyzer - Quantum-Ready Security Assessment
═══════════════════════════════════════════════════════════════

Target:  example.com
IP:      93.184.216.34
Scanned: 2025-01-15 10:30:00 UTC

───────────────────────────────────────────────────────────────
  OVERALL GRADE
───────────────────────────────────────────────────────────────

TLS Security:  B (78/100)
Quantum Ready: QV

Score Breakdown:
  Protocol Support    [████████████████░░░░] 20/25
  Cipher Strength     [████████████████████] 25/25
  Certificate         [████████████████████] 25/25
  Quantum Readiness   [░░░░░░░░░░░░░░░░░░░░] 0/25

───────────────────────────────────────────────────────────────
  POLICY EVALUATION
───────────────────────────────────────────────────────────────

Policy: cnsa-2.0-2027
Status: ✗ NON-COMPLIANT
Score:  10/100

Violations (4)
  • [CRITICAL] Required key exchange algorithm not found
    Expected: X25519MLKEM768 or SecP384r1MLKEM1024

───────────────────────────────────────────────────────────────
  CNSA 2.0 COMPLIANCE TIMELINE
───────────────────────────────────────────────────────────────

Current Phase:    Preparation Phase
Timeline Score:   54/100
Days to Deadline: 371
Next Action:      Enable hybrid PQC key exchange

Milestones:
  ○ Preparation Phase (2025-12-31)
  ✗ New NSS Systems (2027-01-01)
    └─ ML-KEM key exchange not detected
  ◐ TLS 1.3 Required (2030-01-02)
  — Legacy System Update (2033-01-01)
  — Full PQC Transition (2035-01-01)
```
Other formats: --format json for automation, --format cbom for CycloneDX CBOM, --format html for shareable reports, --format sarif for GitHub Security.
| Policy | Description |
|---|---|
| `modern` | Modern TLS configuration for 2024+ |
| `strict` | Strict TLS 1.3-only configuration |
| `cnsa-2.0-2027` | CNSA 2.0 for new NSS systems (2027 deadline) |
| `cnsa-2.0-2030` | CNSA 2.0 with TLS 1.3 required |
| `cnsa-2.0-2035` | CNSA 2.0 full PQC transition |
Custom policies can be created in YAML format. See docs/policies.md for details.
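As an added illustration (not code from the qramm-tls-analyzer project), the following Go sketch models the policy-as-code evaluation shown in the sample output above and the `cnsa-2.0-2027` entry in the policy table: a policy with required key-exchange groups and prohibited algorithms is applied to a scan result, yielding severity-tagged violations and a 0-100 score. The `ScanResult` and `Policy` types, the PQC-signature requirement and the penalty weights are assumptions of this example, not the tool's internals.

```go
package main

import "strings"

// ScanResult is an assumed, minimal model of one TLS scan (not the project's pkg/types).
type ScanResult struct {
	KexGroup, SigAlg, Cipher string // e.g. "X25519MLKEM768", "ML-DSA-65", a cipher suite name
}

// Policy is an assumed policy-as-code shape; CNSA2027 mirrors the cnsa-2.0-2027 check
// in the sample output and the "New NSS Systems" milestone from the timeline table.
type Policy struct {
	Name        string
	RequiredKex []string // any one of these satisfies the key-exchange check
	Prohibited  []string // names that must never appear in the cipher suite
}

var CNSA2027 = Policy{"cnsa-2.0-2027",
	[]string{"X25519MLKEM768", "SecP384r1MLKEM1024"}, []string{"3DES", "RC4", "SHA1", "MD5"}}

// pqcSig reports whether a certificate signature algorithm is a CNSA 2.0 approved PQC one.
func pqcSig(alg string) bool { return strings.HasPrefix(alg, "ML-DSA") || strings.HasPrefix(alg, "SLH-DSA") }

// Evaluate returns "[SEVERITY] message" violations and a 0-100 compliance score;
// the penalty weights (CRITICAL 40, HIGH 20) are this example's assumption.
func Evaluate(p Policy, r ScanResult) ([]string, int) {
	var v []string
	kexOK := false
	for _, g := range p.RequiredKex {
		kexOK = kexOK || strings.EqualFold(g, r.KexGroup)
	}
	if !kexOK {
		v = append(v, "[CRITICAL] Required key exchange algorithm not found. Expected: "+
			strings.Join(p.RequiredKex, " or "))
	}
	for _, bad := range p.Prohibited {
		if strings.Contains(strings.ToUpper(r.Cipher), bad) {
			v = append(v, "[CRITICAL] Prohibited algorithm in cipher suite: "+bad)
		}
	}
	if !pqcSig(r.SigAlg) {
		v = append(v, "[HIGH] Certificate signature "+r.SigAlg+" is not a CNSA 2.0 PQC algorithm")
	}
	score := 100
	for _, x := range v {
		score -= map[string]int{"[CRITICAL]": 40, "[HIGH]": 20}[strings.Fields(x)[0]]
	}
	return v, max(score, 0) // floor at 0, like the 10/100 result for a heavily non-compliant host
}
```

Running `Evaluate(CNSA2027, ScanResult{KexGroup: "X25519", SigAlg: "ECDSA-P256", Cipher: "TLS_AES_128_GCM_SHA256"})` reproduces the sample's headline violation: the required ML-KEM hybrid group is absent, so the policy is non-compliant even though the suite itself is modern.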
The tool tracks compliance against NSA's Commercial National Security Algorithm Suite 2.0 timeline:
| Milestone | Deadline | Requirements |
|---|---|---|
| Preparation Phase | Dec 2025 | Begin PQC integration planning, inventory cryptographic assets |
| New NSS Systems | Jan 2027 | ML-KEM for key exchange, ML-DSA/SLH-DSA for signatures, AES-256, SHA-384+ |
| TLS 1.3 Required | Jan 2030 | TLS 1.3 mandatory, hybrid PQC required, RSA/ECDH no longer acceptable |
| Legacy System Update | Jan 2033 | Complete migration of all existing systems, PQC certificates deployed |
| Full PQC Transition | Jan 2035 | Pure PQC (no hybrid required), classical algorithms fully retired |

| Status | Description | Examples |
|---|---|---|
| Approved | CNSA 2.0 approved | ML-KEM-768, ML-KEM-1024, ML-DSA-65, ML-DSA-87, SLH-DSA, AES-256, SHA-384, SHA-512 |
| Transitional | Allowed until deadline | RSA-3072, RSA-4096, ECDSA-P384, ECDH-P384, X25519 (hybrid only), SHA-256 |
| Deprecated | Phase out immediately | RSA-2048, ECDSA-P256, ECDH-P256 |
| Prohibited | Never use | 3DES, RC4, SHA-1, MD5 |

| Grade | Score | Description |
|---|---|---|
| A+ | 95-100 | Exceptional security with quantum readiness |
| A | 85-94 | Excellent configuration |
| B | 70-84 | Good with minor improvements needed |
| C | 55-69 | Adequate but significant improvements recommended |
| D | 40-54 | Poor configuration, security issues present |
| F | 0-39 | Failing, critical vulnerabilities |

| Grade | Description |
|---|---|
| Q+ | Full PQC ready (ML-KEM key exchange + ML-DSA certificates) |
| Q | Hybrid PQC key exchange enabled |
| Q- | Partially quantum-ready |
| QV | Quantum vulnerable (classical cryptography only) |
```text
USAGE:
  tlsanalyzer [target] [flags]
  tlsanalyzer [command]

COMMANDS:
  policies    List available security policies
  version     Print version information

FLAGS:
  -f, --format string        Output format: text, json, sarif, cbom, html (default "text")
  -o, --output string        Output file (default: stdout)
  -t, --timeout int          Connection timeout in seconds (default 30)
  -p, --port int             Target port (default 443)
      --sni string           Server Name Indication (SNI)
      --no-color             Disable colored output
      --compact              Compact JSON output
      --skip-vulns           Skip vulnerability checks
      --skip-quantum         Skip quantum risk assessment
      --skip-cnsa2           Skip CNSA 2.0 compliance analysis
      --policy string        Apply a security policy
      --policy-file string   Path to custom policy YAML file
      --targets string       File containing list of targets
  -c, --concurrency int      Concurrent scans for batch mode (default 10)
  -h, --help                 Help for tlsanalyzer
```
See docs/ci-cd-integration.md for GitHub Actions, GitLab CI, Jenkins, and Azure DevOps examples.
```text
qramm-tls-analyzer/
├── cmd/
│   └── tlsanalyzer/
│       └── main.go               # CLI entry point, flag parsing, batch scanning
├── internal/
│   ├── analyzer/
│   │   ├── cnsa2.go              # CNSA 2.0 compliance analysis
│   │   └── policy.go             # Policy-as-code evaluation
│   ├── reporter/
│   │   ├── cbom.go               # CycloneDX CBOM output
│   │   ├── html.go               # HTML report generation
│   │   ├── json.go               # JSON output
│   │   ├── sarif.go              # SARIF output
│   │   └── text.go               # Terminal output with colors
│   └── scanner/
│       ├── scanner.go            # Core TLS scanning logic
│       ├── quantum.go            # PQC risk assessment
│       ├── vulnerabilities.go    # Vulnerability detection
│       ├── grade.go              # Grading system
│       └── recommendations.go    # Actionable recommendations
└── pkg/
    └── types/
        ├── result.go             # Scan result types
        ├── policy.go             # Policy definitions
        ├── cbom.go               # CycloneDX CBOM types
        └── compliance.go         # Compliance framework types
```
QRAMM (Quantum Readiness Assurance Maturity Model) is an evidence-based framework designed to help enterprises systematically prepare for the quantum computing threat to current cryptographic systems. QRAMM provides structured evaluation across quantum readiness dimensions.
Visit qramm.org to learn more about:
- Quantum readiness assessment
- Migration planning resources
- Implementation guidance
- Industry benchmarks
This analyzer is part of the QRAMM open-source toolkit:
| Tool | Description |
|---|---|
| TLS Analyzer | TLS/SSL configuration analysis with quantum readiness (this tool) |
| CryptoScan | Cryptographic discovery scanner for codebases |
See CONTRIBUTING.md for development setup and guidelines.
- NSA CNSA 2.0 Guidance - Commercial National Security Algorithm Suite 2.0
- NIST Post-Quantum Cryptography - PQC Standardization
- FIPS 203: ML-KEM - Module-Lattice Key Encapsulation
- FIPS 204: ML-DSA - Module-Lattice Digital Signatures
- FIPS 205: SLH-DSA - Stateless Hash-Based Digital Signatures
- RFC 8446: TLS 1.3 - Transport Layer Security 1.3
- RFC 8996: Deprecating TLS 1.0 and 1.1
- CycloneDX CBOM - Cryptographic Bill of Materials
This project is licensed under the MIT License - see the LICENSE file for details.
- NSA's CNSA 2.0 guidance for post-quantum cryptography standards
- NIST for PQC algorithm standardization (ML-KEM, ML-DSA, SLH-DSA)
- The Go team for excellent TLS library support
- CycloneDX for the CBOM specification
- Our amazing contributors and the open-source community
Built with purpose by CSNP
QRAMM • CSNP • Report Bug • Request Feature