SSLyze

Release 3.1.0


SSLyze is a fast and powerful SSL/TLS scanning library.

It allows you to analyze the SSL/TLS configuration of a server by connecting to it, in order to detect various issues (bad certificate, weak cipher suites, Heartbleed, ROBOT, TLS 1.3 support, etc.).

SSLyze can be used either as a command-line tool or as a Python library.

Key features

  • Fully documented Python API in order to run scans and process the results directly from Python.

  • Support for TLS 1.3 and early data (0-RTT) testing.

  • Scans are automatically dispatched among multiple workers, making them very fast.

  • Performance testing: session resumption and TLS tickets support.

  • Security testing: weak cipher suites, insecure renegotiation, ROBOT, Heartbleed and more.

  • Server certificate validation and revocation checking through OCSP stapling.

  • Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostgreSQL and FTP.

  • Scan results can be written to a JSON file for further processing.

  • And much more!

Installation

To install SSLyze, run the following commands in your terminal of choice:

$ pip install --upgrade setuptools
$ pip install sslyze

For other options and more details, see:

Running scans with the CLI

The command-line interface can be used to run server scans easily and, for example, export the results to JSON:

$ python -m sslyze --regular www.google.com --json_out=results.json

A full description of the supported options is available via the help command:

$ python -m sslyze -h

Running scans with the Python API

The Python API gives full access to SSLyze's scanning engine, making it easy to implement SSL/TLS scanning as part of a continuous security testing platform and to detect misconfigurations across a range of public and/or internal endpoints.

Basic example

A simple example on how to run a scan follows:

from sslyze import (
    ServerNetworkLocationViaDirectConnection,
    ServerConnectivityTester,
    Scanner,
    ServerScanRequest,
    ScanCommand,
)
from sslyze.errors import ConnectionToServerFailed


def basic_example() -> None:
    # Define the server that you want to scan (hostname is resolved to an IP address here)
    server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("www.google.com", 443)

    # Do connectivity testing to ensure SSLyze is able to connect
    try:
        server_info = ServerConnectivityTester().perform(server_location)
    except ConnectionToServerFailed as e:
        # Could not connect to the server; abort
        print(f"Error connecting to {server_location}: {e.error_message}")
        return

    # Then queue some scan commands for the server
    scanner = Scanner()
    server_scan_req = ServerScanRequest(
        server_info=server_info, scan_commands={ScanCommand.CERTIFICATE_INFO, ScanCommand.SSL_2_0_CIPHER_SUITES},
    )
    scanner.queue_scan(server_scan_req)

    # Then retrieve the results; get_results() blocks until every queued scan has completed
    for server_scan_result in scanner.get_results():
        print(f"\nResults for {server_scan_result.server_info.server_location.hostname}:")

        # SSL 2.0 results: any accepted cipher suite means the obsolete protocol is still enabled
        ssl2_result = server_scan_result.scan_commands_results[ScanCommand.SSL_2_0_CIPHER_SUITES]
        print("\nAccepted cipher suites for SSL 2.0:")
        for accepted_cipher_suite in ssl2_result.accepted_cipher_suites:
            print(f"* {accepted_cipher_suite.cipher_suite.name}")

        # Certificate info results: one deployment per certificate chain the server presented
        certinfo_result = server_scan_result.scan_commands_results[ScanCommand.CERTIFICATE_INFO]
        print("\nCertificate info:")
        for cert_deployment in certinfo_result.certificate_deployments:
            print(f"Leaf certificate: \n{cert_deployment.received_certificate_chain_as_pem[0]}")


if __name__ == "__main__":
    basic_example()
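The continuous-testing use case described above needs a policy step that turns the per-command results into a pass/fail verdict. The following is an added example (not part of SSLyze or of the original page) of such a step: it reads only the attribute path the example above uses (accepted_cipher_suites[i].cipher_suite.name) and can be called on server_scan_result.scan_commands_results from the loop above. It assumes the ScanCommand enum values are the snake_case command names (e.g. "ssl_2_0_cipher_suites"); the sample results at the bottom are constructed stand-ins so the check can be exercised offline.

```python
from types import SimpleNamespace
from typing import Any, Iterable, List, Mapping

# Substrings of IANA cipher suite names that indicate a suite a hardened deployment
# should not accept ("DES" also matches 3DES, which is vulnerable to SWEET32).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "anon", "MD5")
# Protocol versions that must be disabled entirely (assumed ScanCommand string values).
OBSOLETE_PROTOCOL_COMMANDS = {"ssl_2_0_cipher_suites", "ssl_3_0_cipher_suites", "tls_1_0_cipher_suites"}


def find_weak_cipher_suites(accepted_names: Iterable[str]) -> List[str]:
    """Return the accepted cipher suite names that contain a weak-algorithm marker."""
    return [name for name in accepted_names if any(marker in name for marker in WEAK_CIPHER_MARKERS)]


def evaluate_scan_commands_results(scan_commands_results: Mapping[Any, Any]) -> List[str]:
    """Return policy violations for one server's scan_commands_results (empty list = compliant).

    Keys may be ScanCommand enum members (their .value is used) or plain strings; only the
    *_cipher_suites results are inspected, other commands are ignored by this check.
    """
    violations: List[str] = []
    for command, result in scan_commands_results.items():
        command_name = getattr(command, "value", command)
        if not str(command_name).endswith("_cipher_suites"):
            continue
        accepted = [acs.cipher_suite.name for acs in result.accepted_cipher_suites]
        if command_name in OBSOLETE_PROTOCOL_COMMANDS and accepted:
            violations.append(f"{command_name}: obsolete protocol enabled ({len(accepted)} suites)")
        for weak in find_weak_cipher_suites(accepted):
            violations.append(f"{command_name}: weak cipher suite accepted: {weak}")
    return violations


def sample_results() -> dict:
    """Constructed stand-ins shaped like SSLyze's result objects for a hypothetical misconfigured server."""
    def suite(name: str) -> SimpleNamespace:
        return SimpleNamespace(cipher_suite=SimpleNamespace(name=name))
    return {
        "ssl_2_0_cipher_suites": SimpleNamespace(accepted_cipher_suites=[suite("SSL_CK_RC4_128_WITH_MD5")]),
        "tls_1_2_cipher_suites": SimpleNamespace(accepted_cipher_suites=[
            suite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"), suite("TLS_RSA_WITH_3DES_EDE_CBC_SHA")]),
    }


if __name__ == "__main__":
    for violation in evaluate_scan_commands_results(sample_results()):
        print(violation)
```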

The list of all the scan commands SSLyze can run against a server is available in the following section: