Fast and powerful SSL/TLS server scanning library for Python 3.6+.
SSLyze is a Python library and a CLI tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL/TLS servers.
Key features include:
- Fully documented Python API, in order to run scans and process the results directly from Python.
- New: Support for TLS 1.3 and early data (0-RTT) testing.
- Scans are automatically dispatched among multiple processes, making them very fast.
- Performance testing: session resumption and TLS tickets support.
- Security testing: weak cipher suites, insecure renegotiation, ROBOT, Heartbleed and more.
- Server certificate validation and revocation checking through OCSP stapling.
- Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP.
- Scan results can be written to an XML or JSON file for further processing.
- And much more!
SSLyze can be installed directly via pip:
$ pip install --upgrade setuptools
$ pip install --upgrade sslyze
$ python -m sslyze --regular www.yahoo.com:443 www.google.com "[2607:f8b0:400a:807::2004]:443"
SSLyze has been tested on the following platforms: Debian 7 (32 and 64 bits), macOS High Sierra, and Windows 10 (Python 64 bits only).
SSLyze exposes a Python API in order to run scans and process the results directly in Python; full documentation is available here.
If you want to setup a local environment where you can work on SSLyze, you will first need to install pipenv. You can then initialize the environment using:
$ cd sslyze
$ pipenv install --dev
$ pipenv shell
You can then run the test suite:
$ invoke test
A Windows executable that does not require installing Python is available in the Releases page tab.
By default the image runs the -h
flag:
docker run --rm -it nablac0d3/sslyze
Usage: sslyze [options] target1.com target2.com:443 target3.com:443{ip} etc...
Options:
--version show program's version number and exit
-h, --help show this help message and exit
This image was intended to be ran as an executable like so:
docker run --rm -it nablac0d3/sslyze --regular www.github.com:443
Add the following line to your shell's rc file (e.g. ~/.bashrc):
alias 'sslyze'='docker run --rm -it nablac0d3/sslyze'
Now reload your shell defaults by running:
source ~/.bashrc
You can now execute the image like so:
$ sslyze
Usage: sslyze [options] target1.com target2.com:443 target3.com:443{ip} etc...
Options:
--version show program's version number and exit
-h, --help show this help message and exit
SSLyze is all Python code but it uses an OpenSSL wrapper written in C called nassl, which was specifically developed for allowing SSLyze to access the low-level OpenSSL APIs needed to perform deep SSL testing.
The trust stores (Mozilla, Microsoft, etc.) used by SSLyze for certificate validation are downloaded from the Trust Stores Observatory.
The trust stores can be updated to the latest version, using either the CLI:
$ python -m sslyze --update_trust_stores
or the Python API:
from sslyze.plugins.utils.trust_store.trust_store_repository import TrustStoresRepository
TrustStoresRepository.update_default()
Copyright (c) 2018 Alban Diquet
SSLyze is made available under the terms of the GNU Affero General Public License (AGPL). See LICENSE.txt for details and exceptions.