Fast and powerful SSL/TLS server scanning library
Project description
SSLyze
Fast and powerful SSL/TLS server scanning library for Python 3.6+.
Description
SSLyze is a Python library and a CLI tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL/TLS servers.
Key features include:
- Fully documented Python API, in order to run scans and process the results directly from Python.
- New: Support for TLS 1.3 and early data testing.
- Scans are automatically dispatched among multiple processes, making them very fast.
- Performance testing: session resumption and TLS tickets support.
- Security testing: weak cipher suites, insecure renegotiation, ROBOT, Heartbleed and more.
- Server certificate validation and revocation checking through OCSP stapling.
- Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP.
- Scan results can be written to an XML or JSON file for further processing.
- And much more!
Usage as a CLI
SSLyze can be installed directly via pip:
$ pip install --upgrade setuptools
$ pip install --upgrade sslyze
$ python -m sslyze --regular www.yahoo.com:443 www.google.com "[2607:f8b0:400a:807::2004]:443"
SSLyze has been tested on the following platforms: Windows 10 (32 and 64 bits), Debian 7 (32 and 64 bits), macOS Sierra.
Usage as a library
SSLyze exposes a Python API in order to run scans and process the results directly in Python; full documentation is available here.
Dev environment
If you want to setup a local environment where you can work on SSLyze, you will first need to install pipenv. Then, the environment can initialized using:
$ cd sslyze
$ pipenv install --dev
$ pivenv shell
You can then run the test suite:
$ invoke test
Windows executable
A Windows executable that does not require installing Python is available in the Releases page tab.
How does it work ?
SSLyze is all Python code but it uses an OpenSSL wrapper written in C called nassl, which was specifically developed for allowing SSLyze to access the low-level OpenSSL APIs needed to perform deep SSL testing.
Where do the trust stores come from?
The trust stores (Mozilla, Microsoft, etc.) used by SSLyze for certificate validation are downloaded from the Trust Stores Observatory.
The trust stores can be updated to the latest version, using either the CLI:
$ python -m sslyze --update_trust_stores
or the Python API:
from sslyze.plugins.utils.trust_store.trust_store_repository import TrustStoresRepository
TrustStoresRepository.update_default()
License
Copyright (c) 2018 Alban Diquet
SSLyze is made available under the terms of the GNU Affero General Public License (AGPL). See LICENSE.txt for details and exceptions.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
