sslyze  2.1.3
About: SSLyze is a fast and full-featured SSL scanner that can analyze the SSL configuration of a server by connecting to it and help admins to identify optional misconfigurations.
  Fossies Dox: sslyze-2.1.3.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

sslyze Documentation

Some Fossies usage hints in advance:

  1. To see the Doxygen generated documentation please click on one of the items in the steelblue colored "quick index" bar above or use the side panel at the left which displays a hierarchical tree-like index structure and is adjustable in width.
  2. If you want to search for something by keyword rather than browse for it you can use the client side search facility (using Javascript and DHTML) that provides live searching, i.e. the search results are presented and adapted as you type in the Search input field at the top right.
  3. Doxygen doesn't incorporate all member files but just a definable subset (basically the main project source code files that are written in a supported language). So to search and browse all member files you may visit the Fossies
  4. sslyze-2.1.3.tar.gz contents page and use the Fossies standard member browsing features (also with source code highlighting and additionally with optional code folding).
README.md

SSLyze

Build Status PyPI version Join the chat at https://gitter.im/sslyze/community

Fast and powerful SSL/TLS server scanning library for Python 3.6+.

Description

SSLyze is a Python library and a CLI tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL/TLS servers.

Key features include:

  • Fully documented Python API, in order to run scans and process the results directly from Python.
  • New: Support for TLS 1.3 and early data (0-RTT) testing.
  • Scans are automatically dispatched among multiple processes, making them very fast.
  • Performance testing: session resumption and TLS tickets support.
  • Security testing: weak cipher suites, insecure renegotiation, ROBOT, Heartbleed and more.
  • Server certificate validation and revocation checking through OCSP stapling.
  • Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP.
  • Scan results can be written to an XML or JSON file for further processing.
  • And much more!

Usage as a CLI

SSLyze can be installed directly via pip:

$ pip install --upgrade setuptools
$ pip install --upgrade sslyze
$ python -m sslyze --regular www.yahoo.com:443 www.google.com "[2607:f8b0:400a:807::2004]:443"

SSLyze has been tested on the following platforms: Debian 7 (32 and 64 bits), macOS High Sierra, and Windows 10 (Python 64 bits only).

Usage as a library

SSLyze exposes a Python API in order to run scans and process the results directly in Python; full documentation is available here.

Dev environment

If you want to setup a local environment where you can work on SSLyze, you will first need to install pipenv. You can then initialize the environment using:

$ cd sslyze
$ pipenv install --dev
$ pipenv shell

You can then run the test suite:

$ invoke test

Windows executable

A Windows executable that does not require installing Python is available in the Releases page tab.

Docker

By default the image runs the -h flag:

docker run --rm -it nablac0d3/sslyze

Usage: sslyze [options] target1.com target2.com:443 target3.com:443{ip} etc...
 Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

This image was intended to be ran as an executable like so:

docker run --rm -it nablac0d3/sslyze --regular www.github.com:443

Create utility from the image

Add the following line to your shell's rc file (e.g. ~/.bashrc):

alias 'sslyze'='docker run --rm -it nablac0d3/sslyze'

Now reload your shell defaults by running:

source ~/.bashrc

You can now execute the image like so:

$ sslyze
Usage: sslyze [options] target1.com target2.com:443 target3.com:443{ip} etc...
Options:
 --version             show program's version number and exit
 -h, --help            show this help message and exit

How does it work ?

SSLyze is all Python code but it uses an OpenSSL wrapper written in C called nassl, which was specifically developed for allowing SSLyze to access the low-level OpenSSL APIs needed to perform deep SSL testing.

Where do the trust stores come from?

The trust stores (Mozilla, Microsoft, etc.) used by SSLyze for certificate validation are downloaded from the Trust Stores Observatory.

The trust stores can be updated to the latest version, using either the CLI:

$ python -m sslyze --update_trust_stores

or the Python API:

from sslyze.plugins.utils.trust_store.trust_store_repository import TrustStoresRepository

TrustStoresRepository.update_default()

License

Copyright (c) 2018 Alban Diquet

SSLyze is made available under the terms of the GNU Affero General Public License (AGPL). See LICENSE.txt for details and exceptions.