diff --git a/nselib/comm.lua b/nselib/comm.lua
index a3178ebb9..7f264be34 100644
--- a/nselib/comm.lua
+++ b/nselib/comm.lua
@@ -23,7 +23,7 @@
 -- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
 local nmap = require "nmap"
-local shortport = require "shortport"
+local shortport
 local stdnse = require "stdnse"
 _ENV = stdnse.module("comm", stdnse.seeall)
@@ -165,6 +165,7 @@ end
 -- @param port The port table to check
 -- @return bool True if port is usually ssl, otherwise false
 local function is_ssl(port)
+  shortport = shortport or require "shortport"
   return shortport.ssl(nil, port)
 end
diff --git a/nselib/shortport.lua b/nselib/shortport.lua
index e9bbf3589..c174f14cd 100644
--- a/nselib/shortport.lua
+++ b/nselib/shortport.lua
@@ -8,6 +8,7 @@
 local nmap = require "nmap"
 local stdnse = require "stdnse"
+local comm
 _ENV = stdnse.module("shortport", stdnse.seeall)
 ---
@@ -229,8 +230,47 @@ local LIKELY_SSL_SERVICES = {
 -- @usage
 -- portrule = shortport.ssl
 function ssl(host, port)
-  return (port.version and port.version.service_tunnel == "ssl") or
-    port_or_service(LIKELY_SSL_PORTS, LIKELY_SSL_SERVICES, {"tcp", "sctp"})(host, port)
+  if (port.version and port.version.service_tunnel == "ssl") or
+    port_or_service(LIKELY_SSL_PORTS, LIKELY_SSL_SERVICES, {"tcp", "sctp"})(host, port) then
+    return true
+  end
+  -- if we didn't detect something *not* SSL, check it ourselves
+  if port.version.name_confidence <= 3 and host.registry then
+    comm = comm or require "comm"
+    host.registry.ssl = host.registry.ssl or {}
+    local mtx = nmap.mutex(host.registry.ssl)
+    mtx "lock"
+    local v = host.registry.ssl[port.number .. port.protocol]
+    if v == nil then
+      -- probes from nmap-service-probes
+      for _, probe in ipairs({
+        --TLSSessionReq
+        "\x16\x03\0\0\x69\x01\0\0\x65\x03\x03U\x1c\xa7\xe4random1random2random3\z
+        random4\0\0\x0c\0/\0\x0a\0\x13\x009\0\x04\0\xff\x01\0\0\x30\0\x0d\0,\0*\0\z
+        \x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\z
+        \x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\z
+        \x05\x03\x05\x02",
+        -- SSLSessionReq
+        "\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\z
+        \x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\z
+        \0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\z
+        \x08\0\x06\0\x03\x01\0",
+      }) do
+        local status, resp = comm.exchange(host, port, probe)
+        if status and resp and (
+          resp:match("^\x16\x03[\0-\x03]..\x02...\x03[\0-\x03]") or
+          resp:match("^\x15\x03[\0-\x03]\0\x02\x02[F\x28]")
+        ) then
+          v = true
+          break
+        end
+      end
+      host.registry.ssl[port.number .. port.protocol] = v or false
+    end
+    mtx "done"
+    return v
+  end
+  return false
 end
 return _ENV;
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index 097a432a6..b84854239 100644
--- a/scripts/ssl-enum-ciphers.nse
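Review bot: The new fallback in ssl() dereferences `host.registry` unguarded, yet this module's own caller comm.is_ssl (first hunk of this diff) invokes `shortport.ssl(nil, port)`, so any port whose name confidence is <= 3 and which is not in the likely-SSL lists now raises "attempt to index a nil value" instead of returning false. Guard the host before touching it, and treat `port.version` as optional the way the first branch already does: `if host and host.registry and port.version and port.version.name_confidence <= 3 then`. It is also worth saying in the @usage doc that this portrule is no longer passive: the `nmap.version_intensity() == 9` gate from the removed ssl-enum-ciphers code was dropped, so every script using shortport.ssl will now send two ClientHello probes to each low-confidence open port, and nothing restricts those probes to tcp/sctp the way port_or_service does. If comm.exchange can raise, `mtx "lock"` is never matched by `mtx "done"`, so a pcall around the probe loop (or releasing the mutex on every exit path) would keep other threads on the same host from blocking.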
+++ b/scripts/ssl-enum-ciphers.nse
@@ -1065,39 +1065,7 @@ local function try_protocol(host, port, protocol, upresults)
 end
 portrule = function (host, port)
-  if shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port) then
-    return true
-  end
-  -- selected by name and we didn't detect something *not* SSL
-  if (port.version.name_confidence <= 3 and nmap.version_intensity() == 9) then
-    -- check whether it's an SSL service
-    local is_ssl = false
-    -- probes from nmap-service-probes
-    for _, probe in ipairs({
-      --TLSSessionReq
-      "\x16\x03\0\0\x69\x01\0\0\x65\x03\x03U\x1c\xa7\xe4random1random2random3\z
-      random4\0\0\x0c\0/\0\x0a\0\x13\x009\0\x04\0\xff\x01\0\0\x30\0\x0d\0,\0*\0\z
-      \x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\z
-      \x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\z
-      \x05\x03\x05\x02",
-      -- SSLSessionReq
-      "\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\z
-      \x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\z
-      \0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\z
-      \x08\0\x06\0\x03\x01\0",
-    }) do
-      local status, resp = comm.exchange(host, port, probe)
-      if status and resp and (
-        resp:match("^\x16\x03[\0-\x03]..\x02...\x03[\0-\x03]") or
-        resp:match("^\x15\x03[\0-\x03]\0\x02\x02[F\x28]")
-      ) then
-        is_ssl = true
-        break
-      end
-    end
-    return is_ssl
-  end
-  return false
+  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
 end
 --- Return a table that yields elements sorted by key when iterated over with pairs()