TLS Implementation Fingerprinter

login

This tool runs many probes per target and can take several minutes to complete. It requires an authenticated account to prevent abuse.

This tool isn't available in the anonymous view. Sign in to access it.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What is TLS implementation fingerprinting?

TLS fingerprinting identifies the TLS library or stack a server uses by analysing its ServerHello response — the cipher preference order, extension order, and supported curves. Different libraries (OpenSSL, BoringSSL, NSS, SChannel) produce distinct patterns that serve as a reliable fingerprint, even when the server suppresses its version banner.

What is a JA3 fingerprint?

JA3 is a method of fingerprinting TLS clients (and JA3S for servers) by hashing fields from the ClientHello or ServerHello: TLS version, cipher suites, extensions, elliptic curves, and elliptic curve point formats. The resulting MD5 hash identifies the TLS implementation. JA3 fingerprints are used in security monitoring to detect malware, bots, or unusual clients regardless of IP address or certificate.

Why does this tool require authentication?

This tool sends probe traffic — multiple TLS handshakes with varying parameters — to the target. From the target's perspective this looks like scanning activity. Authentication and target-ownership verification ensure users only scan infrastructure they control.