ssllabs-scan
A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
Top Related Projects
Testing TLS/SSL encryption anywhere on any port
Fast and powerful SSL/TLS scanning library.
sslscan tests SSL/TLS enabled services to discover supported cipher suites
My simple Swiss Army knife for http/https troubleshooting and profiling.
Nmap - the Network Mapper. Github mirror of official SVN repository.
Quick Overview
SSLLabs-scan is a command-line tool for analyzing SSL/TLS configurations of web servers. It uses the SSL Labs API to perform comprehensive security assessments, providing detailed information about SSL/TLS implementation, certificate validity, and potential vulnerabilities.
Pros
- Provides in-depth analysis of SSL/TLS configurations
- Supports batch scanning of multiple hosts
- Offers various output formats (text, JSON, CSV)
- Regularly updated to include the latest security checks
Cons
- Requires an active internet connection to perform scans
- May be rate-limited by the SSL Labs API
- Can be slow for scanning a large number of hosts
- Limited customization options for scan parameters
Getting Started
- Install Go (if not already installed)
- Clone the repository:
git clone https://github.com/ssllabs/ssllabs-scan.git
- Build the project:
cd ssllabs-scan
go build
- Run a scan:
./ssllabs-scan www.example.com
For more options and advanced usage, refer to the project's README file.
Competitor Comparisons
Testing TLS/SSL encryption anywhere on any port
Pros of testssl.sh
- Runs locally without relying on external services
- More comprehensive tests, including cipher suites and protocol support
- Highly customizable with numerous command-line options
Cons of testssl.sh
- Requires local installation and dependencies
- May be more complex for casual users
- Results can be more technical and harder to interpret
Code Comparison
testssl.sh:
#!/usr/bin/env bash
# testssl.sh - Testing TLS/SSL encryption
TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-"$(dirname "$0")"}"
OPENSSL="${OPENSSL:-openssl}"
HEXDUMP="${HEXDUMP:-hexdump}"
ssllabs-scan:
package main

import (
    "fmt"
    "os"
    "github.com/ssllabs/ssllabs-scan/v3"
)

func main() {
    // Main logic here
}
The code snippets show that testssl.sh is written in Bash, making it easily portable and modifiable, while ssllabs-scan is written in Go, potentially offering better performance but requiring compilation.
Fast and powerful SSL/TLS scanning library.
Pros of sslyze
- Written in Python, making it more accessible for scripting and integration
- Offers more detailed and customizable scanning options
- Actively maintained with regular updates and new features
Cons of sslyze
- May require more setup and configuration compared to ssllabs-scan
- Can be slower for scanning multiple hosts due to its comprehensive approach
- Lacks the cloud-based infrastructure and global perspective of SSL Labs
Code Comparison
sslyze:
# sslyze 5.x API: queue a certificate_info scan for one server and read the result
from sslyze import Scanner, ServerNetworkLocation, ServerScanRequest, ScanCommand
request = ServerScanRequest(
    server_location=ServerNetworkLocation(hostname="example.com", port=443),
    scan_commands={ScanCommand.CERTIFICATE_INFO},
)
scanner = Scanner()
scanner.queue_scans([request])
for server_scan_result in scanner.get_results():
    if server_scan_result.scan_result:  # None when the server could not be reached
        print(server_scan_result.scan_result.certificate_info.status)
ssllabs-scan:
./ssllabs-scan -grade -usecache example.com
The sslyze code snippet demonstrates its more programmatic approach, allowing for fine-grained control over the scanning process. In contrast, ssllabs-scan offers a simpler command-line interface, making it easier to use for quick assessments but less flexible for custom integrations.
sslscan tests SSL/TLS enabled services to discover supported cipher suites
Pros of sslscan
- Lightweight and fast, suitable for quick scans
- Supports scanning multiple hosts simultaneously
- Can be easily integrated into automated testing pipelines
Cons of sslscan
- Less comprehensive analysis compared to ssllabs-scan
- May not detect some advanced vulnerabilities or misconfigurations
- Limited reporting options and customization
Code comparison
sslscan:
int main(int argc, char *argv[])
{
    struct sslCheckOptions options;
    memset(&options, 0, sizeof(struct sslCheckOptions));
    options.host = NULL;
    options.port = 0;
ssllabs-scan:
func main() {
    var conf config
    flag.StringVar(&conf.apiURL, "api", "https://api.ssllabs.com/api/v3", "API entry point")
    // --grade is a boolean switch: print only "hostname: grade"
    flag.BoolVar(&conf.grade, "grade", false, "Output only the hostname: grade")
    flag.BoolVar(&conf.usecache, "usecache", false, "Use cached results (if available)")
The code snippets show that sslscan is written in C, while ssllabs-scan is written in Go. sslscan's main function focuses on initializing options for the SSL check, while ssllabs-scan's main function sets up configuration flags for interacting with the SSL Labs API.
My simple Swiss Army knife for http/https troubleshooting and profiling.
Pros of htrace.sh
- Lightweight and portable, written in Bash
- Provides detailed HTTP/HTTPS analysis beyond SSL/TLS
- Offers customizable output formats and verbosity levels
Cons of htrace.sh
- Less comprehensive SSL/TLS analysis compared to ssllabs-scan
- May require additional dependencies for full functionality
- Limited to command-line interface, lacking GUI options
Code Comparison
htrace.sh:
_get_http_headers() {
    local _host="$1"
    local _port="$2"
    local _ssl="$3"
    local _cmd=""
    local _timeout="$_timeout"
ssllabs-scan:
func newCheck() *Check {
    c := &Check{
        Bundle:     &Bundle{},
        Certs:      []*x509.Certificate{},
        Chains:     [][]*x509.Certificate{},
        Protocols:  []*Protocol{},
        Suites:     []*Suite{},
        ServerName: "",
Key Differences
- htrace.sh focuses on HTTP/HTTPS analysis with some SSL/TLS capabilities
- ssllabs-scan specializes in comprehensive SSL/TLS assessment
- htrace.sh is written in Bash, while ssllabs-scan is written in Go
- ssllabs-scan leverages Qualys SSL Labs API for in-depth SSL/TLS analysis
- htrace.sh offers more flexibility for general web server diagnostics
Both tools serve different purposes, with htrace.sh being more versatile for general HTTP/HTTPS diagnostics and ssllabs-scan excelling in detailed SSL/TLS analysis.
Nmap - the Network Mapper. Github mirror of official SVN repository.
Pros of nmap
- Broader functionality: Nmap is a comprehensive network scanning and discovery tool, offering a wide range of features beyond SSL/TLS analysis
- Active community: Nmap has a large, active community contributing to its development and providing support
- Extensibility: Supports scripting engine (NSE) for custom functionality
Cons of nmap
- Steeper learning curve: Nmap's extensive features can be overwhelming for beginners
- Less specialized: While capable of SSL/TLS scanning, it's not as focused or in-depth as ssllabs-scan for this specific task
Code comparison
ssllabs-scan:
func analyzeHost(host string, startNew bool, fromCache string, maxAge int, ignoreMismatch bool, insecure bool) (*HostData, error) {
    // SSL Labs-specific API calls and analysis
}
nmap:
local shortport = require "shortport"
local sslcert = require "sslcert"
local stdnse = require "stdnse"

portrule = shortport.ssl

action = function(host, port)
  -- Nmap SSL/TLS scanning logic
end
The code snippets illustrate the different approaches:
- ssllabs-scan uses Go and focuses on interacting with SSL Labs API
- nmap uses Lua scripting for SSL/TLS scanning as part of its broader functionality
Both tools are valuable for security assessments, with ssllabs-scan specializing in SSL/TLS analysis and nmap offering a more comprehensive network scanning solution.
README
ssllabs-scan
This tool is a command-line client for the SSL Labs APIs, designed for automated and/or bulk testing.
If you'd like to contribute, please have a look at the TODO file. For larger work, please get in touch first. For smaller work (there are some TODO comments in the source code), feel free to submit pull requests.
To report a problem related to this tool, please create a new issue on GitHub: https://github.com/ssllabs/ssllabs-scan/issues. Please don't send bug reports to the community.
To discuss the API and the development of the reference client implementation and other questions not related to this command line tool, please join the SSL Labs community: https://community.qualys.com/community/ssllabs
Before you use this tool please review the terms and conditions, which can be found here: https://www.ssllabs.com/about/terms.html
Deprecated clients are now available at deprecated-clients
Requirements
- Go >= 1.3
Usage
SYNOPSIS
If you're using API v4 for the first time, please register first using ssllabs-scan-v4-register:
ssllabs-scan-v4-register --firstName John --lastName Doe --organization Example --email johndoe@example.com
ssllabs-scan-v4 [options] --email johndoe@example.com hostname
ssllabs-scan-v4 [options] --email johndoe@example.com --hostfile file
OPTIONS ssllabs-scan-v4.go
Option | Default value | Description |
---|---|---|
--api | BUILTIN | API entry point, for example https://www.example.com/api/ |
--verbosity | info | Configure log verbosity: error, info, debug, or trace |
--quiet | false | Disable status messages (logging) |
--ignore-mismatch | false | Proceed with assessments on certificate mismatch |
--json-flat | false | Output results in flattened JSON format |
--hostfile | none | File containing hosts to scan (one per line) |
--usecache | false | If true, accept cached results (if available), else force live scan |
--grade | false | Output only the hostname: grade |
--hostcheck | false | If true, host resolution failure will result in a fatal error |
--email | "" | Registered organization email for API v4 (required) |
OPTIONS ssllabs-scan-v4-register
Option | Default value | Description |
---|---|---|
--firstName | "" | First name of the user |
--lastName | "" | Last name of the user |
--organization | "" | Organization of the user |
--email | "" | Organization email of the user |
--registerApiUrl | BUILTIN | Register API entry point, for example https://www.example.com/api/register |
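An added example (not part of the ssllabs-scan project): a POSIX shell gate for bulk runs that reads --grade output and lists every host below a minimum grade. It assumes one `hostname: grade` line per host, as the option description states; grade_rank, failing_hosts and sample_output are hypothetical helper names, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: fail a bulk run when any host scores below a minimum grade.
# Assumption: --grade prints one `hostname: grade` line per host; quotes
# around either field are tolerated.
# Usage, with flags from the options table above:
#   ssllabs-scan-v4 --quiet --grade --usecache --email johndoe@example.com \
#       --hostfile hosts.txt | failing_hosts A-

# Map an SSL Labs grade to a rank (lower is better). Anything that is not
# A+ to F (T, M, an empty grade, unexpected text) ranks worst.
grade_rank() {
    case "$1" in
        A+) echo 1 ;; A) echo 2 ;; A-) echo 3 ;; B) echo 4 ;;
        C) echo 5 ;; D) echo 6 ;; E) echo 7 ;; F) echo 8 ;;
        *) echo 9 ;;
    esac
}

# Read `hostname: grade` lines on stdin and print every host graded below
# the minimum given as $1. Returns 0 when all hosts pass, 1 otherwise.
failing_hosts() {
    min_rank=$(grade_rank "$1")
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        clean=$(printf '%s' "$line" | tr -d '"\r')
        host=${clean%%:*}
        grade=$(printf '%s' "${clean##*:}" | tr -d ' \t')
        if [ "$(grade_rank "$grade")" -gt "$min_rank" ]; then
            printf '%s %s\n' "$host" "${grade:-none}"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample of --grade output (not real scan results).
sample_output() {
    cat <<'EOF'
"www.example.com": "A+"
legacy.example.com: B
"mismatch.example.com": "M"
"unreachable.example.com": ""
EOF
}

sample_output | failing_hosts A- || echo "grade gate failed" >&2
```

A host with no grade, or a line that does not parse, is treated as failing, so a scan that could not complete does not pass the gate silently.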
Third-Party Tools and Libraries
A list of libraries and tools that rely on the SSL Labs APIs can be found on the SSL Labs web site: https://www.ssllabs.com/projects/ssllabs-apis/
Docker
Docker images for this project are available at: