diff --git a/src/main-conf.c b/src/main-conf.c
index f212aafa8f777eec6c33b35a1314bb9b0e76de2a..d533928773663cd0efea3e07b5d3c25c1b56dc24 100644
--- a/src/main-conf.c
+++ b/src/main-conf.c
@@ -451,6 +451,10 @@ masscan_echo(struct Masscan *masscan, FILE *fp)
     fprintf(fp, "%scapture = html\n", masscan->is_capture_html?"":"no");
     fprintf(fp, "%scapture = heartbleed\n", masscan->is_capture_heartbleed?"":"no");
     fprintf(fp, "%scapture = ticketbleed\n", masscan->is_capture_ticketbleed?"":"no");
+    
+    if (masscan->is_hello_ssl) {
+        fprintf(fp, "hello = ssl\n");
+    }
 
     /*
      *  TCP payloads
@@ -1108,6 +1112,13 @@ masscan_set_parameter(struct Masscan *masscan,
             free(masscan->bpf_filter);
         masscan->bpf_filter = (char*)malloc(len);
         memcpy(masscan->bpf_filter, value, len);
+    } else if (EQUALS("hello", name)) {
+        if (EQUALS("ssl", value))
+            masscan->is_hello_ssl = 1;
+        else {
+            fprintf(stderr, "FAIL: %s: unknown hello type\n", value);
+            exit(1);
+        }
     } else if (EQUALS("capture", name)) {
         if (EQUALS("cert", value))
             masscan->is_capture_cert = 1;
diff --git a/src/main.c b/src/main.c
index 774031fd8c20154e64447a718b4a324505732114..198e9dd44e3409ace05acbcf99991acae89c3b3b 100644
--- a/src/main.c
+++ b/src/main.c
@@ -621,6 +621,11 @@ receive_thread(void *v)
                                     "http-user-agent",
                                     masscan->http_user_agent_length,
                                     masscan->http_user_agent);
+        if (masscan->is_hello_ssl)
+            tcpcon_set_parameter(   tcpcon,
+                                 "hello",
+                                 1,
+                                 "ssl");
         if (masscan->is_heartbleed)
             tcpcon_set_parameter(   tcpcon,
                                  "heartbleed",
diff --git a/src/masscan.h b/src/masscan.h
index 038a75f0852fc1d7a59b81a0848f72d61ec7760b..41dccf5723c5453b8f04740764e76df598dcb569 100644
--- a/src/masscan.h
+++ b/src/masscan.h
@@ -177,8 +177,9 @@ struct Masscan
     unsigned is_infinite:1;     /* -infinite */
     unsigned is_readscan:1;     /* --readscan, Operation_Readscan */
     unsigned is_heartbleed:1;   /* --heartbleed, scan for this vuln */
-    unsigned is_ticketbleed:1;   /* --ticketbleed, scan for this vuln */
+    unsigned is_ticketbleed:1;  /* --ticketbleed, scan for this vuln */
     unsigned is_poodle_sslv3:1; /* --script poodle, scan for this vuln */
+    unsigned is_hello_ssl:1;    /* --ssl, use SSL HELLO on all ports */
         
     /**
      * Wait forever for responses, instead of the default 10 seconds
diff --git a/src/proto-tcp.c b/src/proto-tcp.c
index c2e6cf7d8191071c19d49c276e7d4e25189babaa..1a81a3cc58c2b011fe6d9564c1f50ee486b6537d 100644
--- a/src/proto-tcp.c
+++ b/src/proto-tcp.c
@@ -228,6 +228,20 @@ tcpcon_set_parameter(struct TCP_ConnectionTable *tcpcon,
         return;
     }
 
+    /*
+     * Force SSL processing on all ports
+     */
+    if (name_equals(name, "hello") && name_equals(value, "ssl")) {
+        unsigned i;
+        
+        LOG(2, "HELLO: setting SSL hello message\n");
+        for (i=0; i<65535; i++) {
+            banner1->tcp_payloads[i] = &banner_ssl;
+        }
+        
+        return;
+    }
+    
     /*
      * 2014-04-08: scan for Neel Mehta's "heartbleed" bug
      */