SSLyze v0.13.3 Released

A new version of SSLyze is available. I made a lot of changes to, and refactored, the internals of SSLyze (and its OpenSSL wrapper), which was required in order to be able to:

  • Add SSLyze to PyPI, at long last. This means that you can now install SSLyze by just running pip install sslyze on OS X, Linux and Windows. No more ZIP files to download!
  • Turn SSLyze into a Python library: you can now run the same scan commands as the command line tool and process the results directly from Python!

Usage as a Python library

Using SSLyze as a library is a three-step process:

  1. Configure the list of servers to scan and ensure that you can connect to them. This is implemented via the ServerConnectivityInfo class.
  2. Start SSLyze’s process pool (using the PluginsProcessPool class) and queue some scan commands for each server. The commands are the same as the ones available in the CLI; you can get a list by running the CLI with --help. Each scan command will be run concurrently within the process pool.
  3. Retrieve the result of each scan command and process it. Each result is a subclass of PluginResult with attributes that contain the actual result of the scan command run on the server (such as list of supported cipher suites for the --tlsv1 command). These attributes are specific to each plugin and command but are all documented (within each plugin’s module).

The following is a simple example to retrieve the list of SSL 3.0 cipher suites supported by smtp.gmail.com:587:

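# Script to get the list of SSLv3 cipher suites supported by smtp.gmail.com
# Imports for the classes used below (module paths as laid out in the SSLyze 0.13.x package)
from sslyze.plugins_finder import PluginsFinder
from sslyze.plugins_process_pool import PluginsProcessPool
from sslyze.server_connectivity import ServerConnectivityInfo, ServerConnectivityError
from sslyze.ssl_settings import TlsWrappedProtocolEnum

hostname = 'smtp.gmail.com'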
try:
    # First we must ensure that the server is reachable
    server_info = ServerConnectivityInfo(hostname=hostname, port=587,
                                         tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
    server_info.test_connectivity_to_server()
except ServerConnectivityError as e:
    raise RuntimeError('Error when connecting to {}: {}'.format(hostname, e.error_msg))

# Get the list of available plugins
sslyze_plugins = PluginsFinder()

# Create a process pool to run scanning commands concurrently
plugins_process_pool = PluginsProcessPool(sslyze_plugins)

# Queue the 'sslv3' scan command to list the SSL 3.0 cipher suites the server accepts
plugins_process_pool.queue_plugin_task(server_info, 'sslv3')

# Process the results and print the accepted SSL 3.0 cipher suites
for server_info, plugin_command, plugin_result in plugins_process_pool.get_results():
    if plugin_result.plugin_command == 'sslv3':
        # Do something with the result
        print 'SSLV3 cipher suites'
        for cipher in plugin_result.accepted_cipher_list:
            print '    {}'.format(cipher.name)

More complex examples are available in the project’s repository.

New plugins

Thanks to contributors davidgfnet and bcyrill, SSLyze has two new scan commands:

Full Changelog

Head to the project’s Releases tab for the full changelog.

As explained before, I will no longer upload ZIP files with the releases (except for the Windows py2exe build); PyPI or directly cloning the repo are now the right ways to install SSLyze.

February 01, 2016
ssl, sslyze