Convert Figma logo to code with AI

nabla-c0d3 logosslyze

Fast and powerful SSL/TLS scanning library.

3,249
450
3,249
35

Top Related Projects

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

10,663

Scapy: the Python-based interactive packet manipulation program & library.

Testing TLS/SSL encryption anywhere on any port

Quick Overview

SSLyze is a fast and powerful SSL/TLS scanning library and CLI tool. It allows you to analyze the SSL/TLS configuration of a server by connecting to it and detecting various vulnerabilities and misconfigurations. SSLyze is written in Python and can be used both as a command-line tool and as a Python library.

Pros

  • Fast and efficient, capable of scanning multiple servers simultaneously
  • Comprehensive SSL/TLS checks, including protocol support, cipher suites, and certificate validation
  • Actively maintained and regularly updated with new features and security checks
  • Supports both IPv4 and IPv6 servers

Cons

  • Requires some technical knowledge to interpret results effectively
  • May trigger security alerts on target servers due to its scanning nature
  • Limited GUI options, primarily command-line based
  • Can be resource-intensive when scanning multiple servers or performing extensive tests

Code Examples

  1. Basic SSL scan:
from sslyze import ServerNetworkLocation, ServerNetworkConfiguration, Scanner, ServerScanRequest, ScanCommand

server_location = ServerNetworkLocation("www.example.com", 443)
server_scan_req = ServerScanRequest(server_location=server_location, scan_commands={ScanCommand.CERTIFICATE_INFO, ScanCommand.SSL_2_0_CIPHER_SUITES})

scanner = Scanner()
scanner.queue_scan(server_scan_req)
for server_scan_result in scanner.get_results():
    print(server_scan_result)
  1. Checking for Heartbleed vulnerability:
from sslyze import ServerNetworkLocation, ServerNetworkConfiguration, Scanner, ServerScanRequest, ScanCommand

server_location = ServerNetworkLocation("www.example.com", 443)
server_scan_req = ServerScanRequest(server_location=server_location, scan_commands={ScanCommand.HEARTBLEED})

scanner = Scanner()
scanner.queue_scan(server_scan_req)
for server_scan_result in scanner.get_results():
    heartbleed_result = server_scan_result.scan_commands_results[ScanCommand.HEARTBLEED]
    print(f"Is vulnerable to Heartbleed: {heartbleed_result.is_vulnerable_to_heartbleed}")
  1. Checking TLS 1.3 support:
from sslyze import ServerNetworkLocation, ServerNetworkConfiguration, Scanner, ServerScanRequest, ScanCommand

server_location = ServerNetworkLocation("www.example.com", 443)
server_scan_req = ServerScanRequest(server_location=server_location, scan_commands={ScanCommand.TLS_1_3_CIPHER_SUITES})

scanner = Scanner()
scanner.queue_scan(server_scan_req)
for server_scan_result in scanner.get_results():
    tls_1_3_result = server_scan_result.scan_commands_results[ScanCommand.TLS_1_3_CIPHER_SUITES]
    print(f"Supports TLS 1.3: {tls_1_3_result.is_tls_1_3_supported}")

Getting Started

To get started with SSLyze, follow these steps:

  1. Install SSLyze using pip:

    pip install sslyze
    
  2. Import the necessary modules and create a basic scan:

    from sslyze import ServerNetworkLocation, Scanner, ServerScanRequest, ScanCommand
    
    server_location = ServerNetworkLocation("www.example.com", 443)
    server_scan_req = ServerScanRequest(server_location=server_location, scan_commands={ScanCommand.CERTIFICATE_INFO})
    
    scanner = Scanner()
    scanner.queue_scan(server_scan_req)
    for server_scan_result in scanner.get_results():
        print(server_scan_result)
    
  3. Run the script to perform a basic SSL scan on the target server.

Competitor Comparisons

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

Pros of cryptography

  • Comprehensive cryptographic library with a wide range of algorithms and protocols
  • Well-maintained with regular updates and strong community support
  • Provides both high-level recipes and low-level interfaces for cryptographic operations

Cons of cryptography

  • Steeper learning curve due to its extensive feature set
  • May be overkill for simple SSL/TLS analysis tasks
  • Requires more setup and configuration for specific use cases

Code Comparison

SSLyze (SSL/TLS scanning):

from sslyze import ServerNetworkLocationViaDirectConnection, ServerConnectivityTester, Scanner
from sslyze.plugins.certificate_info.implementation import CertificateInfoScanResult

server_location = ServerNetworkLocationViaDirectConnection("example.com", 443)
server_info = ServerConnectivityTester().perform(server_location)
scanner = Scanner()
scan_result = scanner.run_scan_command(server_info, CertificateInfoScanResult)

cryptography (Certificate handling):

from cryptography import x509
from cryptography.hazmat.primitives import hashes

cert = x509.load_pem_x509_certificate(pem_data)
subject = cert.subject
issuer = cert.issuer
public_key = cert.public_key()
10,663

Scapy: the Python-based interactive packet manipulation program & library.

Pros of Scapy

  • More versatile, supporting a wide range of network protocols beyond SSL/TLS
  • Powerful packet manipulation and creation capabilities
  • Extensive community support and active development

Cons of Scapy

  • Steeper learning curve due to its broader scope
  • Less specialized for SSL/TLS analysis compared to SSLyze
  • May require more setup and configuration for specific SSL/TLS tasks

Code Comparison

SSLyze (focused on SSL/TLS scanning):

from sslyze import ServerNetworkLocationViaDirectConnection, ServerConnectivityTester, Scanner, ServerScanRequest
from sslyze.plugins.scan_commands import ScanCommand

server_location = ServerNetworkLocationViaDirectConnection("example.com", 443)
server_info = ServerConnectivityTester().perform(server_location)
scanner = Scanner()
scan_request = ServerScanRequest(server_info=server_info, scan_commands={ScanCommand.CERTIFICATE_INFO})

Scapy (general-purpose packet manipulation):

from scapy.all import *

# Create a custom SSL/TLS packet
tls_packet = IP(dst="example.com")/TCP(dport=443)/TLS(type="client_hello")

# Send the packet and capture the response
response = sr1(tls_packet)

Testing TLS/SSL encryption anywhere on any port

Pros of testssl.sh

  • Written in Bash, making it highly portable and easy to run on various systems
  • Provides more comprehensive checks, including cipher suites, protocols, and server preferences
  • Offers a text-based output that's easy to read and parse

Cons of testssl.sh

  • Generally slower than sslyze due to its Bash implementation
  • Less modular structure, making it harder to extend or integrate into other tools
  • Limited multi-threading capabilities compared to sslyze

Code Comparison

testssl.sh:

#!/usr/bin/env bash
# testssl.sh - Testing TLS/SSL encryption anywhere on any port
TESTSSL_INSTALL_DIR="$(dirname "$0")"
PROG_NAME="$(basename "$0")"

sslyze:

from sslyze import ServerNetworkLocationViaDirectConnection, ServerConnectivityTester, Scanner
from sslyze.plugins.scan_commands import ScanCommand

server_location = ServerNetworkLocationViaDirectConnection("www.example.com", 443)

testssl.sh is a Bash script that can be run directly, while sslyze is a Python library that requires importing and using its classes and methods. testssl.sh's approach makes it easier to use as a standalone tool, while sslyze's structure allows for better integration into larger Python projects.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

SSLyze

Run Tests Downloads PyPI version Python version

SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.

SSLyze can analyze the SSL/TLS configuration of a server by connecting to it, in order to ensure that it uses strong encryption settings (certificate, cipher suites, elliptic curves, etc.), and that it is not vulnerable to known TLS attacks (Heartbleed, ROBOT, OpenSSL CCS injection, etc.).

Key features

  • Focus on speed and reliability: SSLyze is a battle-tested tool that is used to reliably scan hundreds of thousands of servers every day.
  • Easy to operationalize: SSLyze can be directly run from CI/CD, in order to continuously check a server against Mozilla's recommended TLS configuration.
  • Fully documented Python API to run scans directly from any Python application, such as a function deployed to AWS Lambda.
  • Support for scanning non-HTTP servers including SMTP, XMPP, LDAP, POP, IMAP, RDP, Postgres and FTP servers.
  • Results of a scan can easily be saved to a JSON file for later processing.
  • And much more!

Quick start

On Windows, Linux (x86 or x64) and macOS, SSLyze can be installed directly via pip:

$ pip install --upgrade pip setuptools wheel
$ pip install --upgrade sslyze
$ python -m sslyze www.yahoo.com www.google.com "[2607:f8b0:400a:807::2004]:443"

It can also be used via Docker:

$ docker run --rm -it nablac0d3/sslyze:6.0.0 www.google.com

Lastly, a pre-compiled Windows executable can be downloaded from the Releases page.

Python API Documentation

A sample script describing how to use the SSLyze's Python API is available at ./api_sample.py.

Full documentation for SSLyze's Python API is available here.

Usage as a CI/CD step

By default, SSLyze will check the server's scan results against Mozilla's recommended "intermediate" TLS configuration, and will return a non-zero exit code if the server is not compliant.

$ python -m sslyze mozilla.com
Checking results against Mozilla's "intermediate" configuration. See https://ssl-config.mozilla.org/ for more details.

mozilla.com:443: OK - Compliant.

The Mozilla configuration to check against can be configured via --mozilla_config={old, intermediate, modern}:

$ python -m sslyze --mozilla_config=modern mozilla.com
Checking results against Mozilla's "modern" configuration. See https://ssl-config.mozilla.org/ for more details.

mozilla.com:443: FAILED - Not compliant.
    * certificate_types: Deployed certificate types are {'rsa'}, should have at least one of {'ecdsa'}.
    * certificate_signatures: Deployed certificate signatures are {'sha256WithRSAEncryption'}, should have at least one of {'ecdsa-with-SHA512', 'ecdsa-with-SHA256', 'ecdsa-with-SHA384'}.
    * tls_versions: TLS versions {'TLSv1.2'} are supported, but should be rejected.
    * ciphers: Cipher suites {'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'} are supported, but should be rejected.

This can be used to easily run an SSLyze scan as a CI/CD step.

Development environment

To setup a development environment:

$ pip install --upgrade pip setuptools wheel
$ pip install -e . 
$ pip install -r requirements-dev.txt

The tests can then be run using:

$ invoke test

License

Copyright (c) 2024 Alban Diquet

SSLyze is made available under the terms of the GNU Affero General Public License (AGPL). See LICENSE.txt for details and exceptions.