SSLyze 5.0.0 Released

I just released a new major version of SSLyze, a Python library for scanning the SSL/TLS configuration of a server: SSLyze 5.0.0.

This major release focuses on improving the reliability of the scans, simplifying the Python API and JSON output, and adding support for checking a server’s TLS configuration against Mozilla’s recommended configuration. The full changelog is available here.

In this new version, SSLyze will check the server’s scan results against Mozilla’s recommended “intermediate” TLS configuration, and will return a non-zero exit code if the server is not compliant.

$ python -m sslyze mozilla.com

Checking results against Mozilla's "intermediate" configuration. See https://ssl-config.mozilla.org/ for more details.

mozilla.com:443: OK - Compliant.

The Mozilla configuration to check against can be configured via --mozilla-config={old, intermediate, modern}:

$ python -m sslyze --mozilla-config=modern mozilla.com

Checking results against Mozilla's "modern" configuration. See https://ssl-config.mozilla.org/ for more details.

mozilla.com:443: FAILED - Not compliant.
    * certificate_types: Deployed certificate types are {'rsa'}, should have at least one of {'ecdsa'}.
    * certificate_signatures: Deployed certificate signatures are {'sha256WithRSAEncryption'}, should have at least one of {'ecdsa-with-SHA512', 'ecdsa-with-SHA256', 'ecdsa-with-SHA384'}.
    * tls_versions: TLS versions {'TLSv1.2'} are supported, but should be rejected.
    * ciphers: Cipher suites {'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'} are supported, but should be rejected.

This can be used to easily run an SSLyze scan as a CI/CD step.

Maximum automation with GitHub Actions

After Travis CI announced that they were going to restrict usage for open-source projects, I decided to switch to GitHub Actions for SSLyze’s CI/CD.

I have been very happy with the change; one of GitHub Actions’ best feature is its seamless support for the three main OSes: Linux, macOS and Windows. Previously, supporting each of them would require using a different CI/CD product (such as AppVeyor for Windows). As SSLyze has a C component and needs to work on all three OSes, this has been a huge improvement.

Using GitHub Actions, I added a bunch of CI/CD workflows to reduce how much work an SSLyze release is. These workflows might be useful to other Python projects, especially the ones with a C extension:

Further improving the reliability of scans

One important goal with SSLyze is to ensure that it is able to scan any web server without any issues. Most TLS scanning tools (including previous versions of SSLyze) will randomly crash when pointed at specific server stacks.

Improving the reliability of scans has been an ongoing effort and with the latest release, more automated testing in CI/CD has been implemented:

  • Using GitHub Actions to spawn a server and run a full SSLyze scan against it, for the following web servers: Apache2, Microsoft IIS and nginx.
  • Within the unit tests, running an SSLyze scan against Cloudflare and Google servers.

Based on usage statistics of web servers, the combination of Apache2, Microsoft IIS, nginx, Cloudflare and Google represents ~93% of all web servers on the Internet.

Running SSLye scans from CI/CD on all these servers helps ensuring that it can reliably scan most of the Internet without any issues.

More details and changelog

For more details, head to the project’s page.

November 27, 2021
ssl