Bug Circuit TLS Check
Check any host's TLS certificate, expiry, and protocol version in one passive handshake — free, single-file, zero dependencies.
Bug Circuit TLS Check is a free, single-file command-line tool that inspects the TLS/SSL certificate and protocol posture of any host you own or are authorized to test. Point it at host (or host:port) and it performs one passive handshake, then reports the subject and issuer, the full validity window and — most usefully — the exact days until expiry, the Subject Alternative Names, the public-key type and size (RSA 2048-bit, EC P-256, Ed25519…), the signature algorithm, and the negotiated TLS protocol and cipher. It flags hostname mismatches, self-signed and untrusted chains, expired or not-yet-valid certificates, and servers stuck on legacy TLS below 1.2.
It's built to fit real operations, not just a one-off look. --warn-days turns "expiring soon" into a non-zero exit code so a nightly cron job stays quiet until a certificate actually needs renewing. --json emits clean, structured output for dashboards and pipelines. --hosts file.txt (with comments, blank lines, and stdin support) audits a whole fleet concurrently, preserving input order, and rolls the results into clear aggregate exit codes: 0 healthy, 1 warning, 2 connection error, 3 usage error. Output is colour-coded on a real terminal and degrades gracefully to plain text when piped or when NO_COLOR is set — and it's careful about console encodings on Windows.
Because it relies only on the Python 3.8+ standard library, there is nothing to install and nothing to trust beyond Python itself: no pip packages, no OpenSSL binary, no telemetry. Under the hood it even parses raw certificate DER on its own so it can still describe untrusted or expired certs that the normal API would hide. The tool is strictly passive and defensive — it completes an ordinary handshake, reads public certificate data, and disconnects. It never attacks, exploits, brute-forces, or evades. Run it only on systems you own or are authorized to test. MIT-licensed, cross-platform, and brought to you free by Bug Circuit.
How to use
- Install Python 3.8 or newer (nothing else to install — the tool uses only the standard library).
- Download bugcircuit-tlscheck.py and open a terminal in the same folder.
- Run a single check: python3 bugcircuit-tlscheck.py yourdomain.com
- Add --warn-days 30 to be warned (exit code 1) when a certificate expires within 30 days.
- Audit many hosts at once with --hosts hosts.txt, and add --json to pipe structured results into monitoring.
- Only scan hosts you own or are authorized to test — the tool is passive but responsible use is on you.
Example commands
python3 bugcircuit-tlscheck.py bugcircuit.com
python3 bugcircuit-tlscheck.py example.com:8443 --warn-days 30
python3 bugcircuit-tlscheck.py --hosts hosts.txt --json > tls-report.json
python3 bugcircuit-tlscheck.py mail.example.com:465 --sni smtp.example.com
python3 bugcircuit-tlscheck.py 10.0.0.10:8443 --no-color -t 5Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
Downloads are free. You’ll sign in to a free store account (any email — takes 10 seconds) so you can re-download any time from your account.
Something not right with your order? Email [email protected] — the same team that runs our security audits makes it right.