nabla-c0d3 edited this page Sep 19, 2012 · 19 revisions

Installation

Supported platforms are Windows 7, Linux and OS X Mountain Lion, in both 32-bit and 64-bit flavors. SSLyze requires Python 2.6 or 2.7 and OpenSSL 0.9.8 or later.

Linux and OS X Mountain Lion

Linux and OS X Mountain Lion users should download the source package available in the Downloads section of the project.

Windows

For Windows, OpenSSL 1.0.0c is bundled with the installation package. There is one package for 32-bit Python and one for 64-bit Python; both are available in the Downloads section of the project. Note that the --tlsv1_1 and --tlsv1_2 options described below require OpenSSL 1.0.1, which the bundled 1.0.0c does not provide.

Other Platforms

Other platforms are not officially supported yet, but SSLyze might work anyway.

Usage

The general command line is:

$ python sslyze.py [options] www.target1.com www.target2.com:443

Each target is a hostname or IP address, optionally followed by :port; when no port is given, 443 is used. The available command line options are detailed below.

Regular Scan

$ python sslyze.py --regular www.target1.com

This is what you'll want to use most of the time. It runs the standard set of checks against an HTTPS server, and it is a shortcut for

--sslv2 --sslv3 --tlsv1 --reneg --resum --certinfo=basic --hide_rejected_ciphers --http_get
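A batch wrapper around the regular scan, added here as an example; it is not part of SSLyze or its documentation. It assumes sslyze.py is in the current directory (or pointed to by SSLYZE_PATH, a variable name chosen for this script), reads one host or host:port per line on stdin, defaults the port to 443 as SSLyze does, refuses targets that could smuggle extra options or shell metacharacters into the scanner's command line, and writes one report file per host:

```shell
#!/bin/sh
# Batch wrapper around "python sslyze.py --regular". Added example, not part of
# SSLyze itself. Assumptions: sslyze.py sits in the current directory (override
# with SSLYZE_PATH), targets are hostnames or IPv4 addresses (no bracketed IPv6),
# and the target list on stdin holds one host or host:port per line.
SSLYZE_PATH="${SSLYZE_PATH:-sslyze.py}"
SSLYZE_TIMEOUT="${SSLYZE_TIMEOUT:-10}"   # the built-in 5 s default is tight over slow links
SSLYZE_OUTDIR="${SSLYZE_OUTDIR:-sslyze-out}"

# Append SSLyze's default port when the target carries none, so every report
# file name and every command line states the port explicitly.
normalize_target() {
    case "$1" in
        *:*) printf '%s\n' "$1" ;;
        *)   printf '%s:443\n' "$1" ;;
    esac
}

# Accept only host:port with a numeric port in range. A target list that came
# from someone else must not be able to inject shell metacharacters or extra
# options (a leading dash) into the scanner's command line.
valid_target() {
    case "$1" in
        *[!A-Za-z0-9.:-]*|-*|*:*:*) return 1 ;;
    esac
    _port="${1##*:}"
    case "$_port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ]; then
        return 0
    fi
    return 1
}

# The exact command run for one target, printed so it can be reviewed (and
# tested) without touching the network.
sslyze_cmd() {
    printf 'python %s --regular --timeout=%s %s\n' "$SSLYZE_PATH" "$SSLYZE_TIMEOUT" "$1"
}

# Scan every target on stdin with one sslyze invocation per host, so a failure
# on one host does not abort the rest and each host gets its own report file.
scan_list() {
    mkdir -p "$SSLYZE_OUTDIR"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        target=$(normalize_target "$line")
        if ! valid_target "$target"; then
            printf 'skipping malformed target: %s\n' "$line" >&2
            continue
        fi
        python "$SSLYZE_PATH" --regular --timeout="$SSLYZE_TIMEOUT" "$target" \
            > "$SSLYZE_OUTDIR/$target.txt" 2>&1 ||
            printf 'sslyze exited non-zero for %s (see %s)\n' "$target" "$SSLYZE_OUTDIR/$target.txt" >&2
    done
}

# Usage: RUN_SCAN=1 sh scan.sh < targets.txt
if [ "${RUN_SCAN:-0}" = 1 ]; then
    scan_list
fi
```

The validation step matters because the target list is untrusted input to a shell loop: a line such as `www.target1.com --certinfo=full` or `host;id` would otherwise change what the scanner does. Scanning each host in its own process also keeps one unreachable target from discarding the results of the others.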

Command Line Options - SSLyze v0.4

OpenSSL Cipher Suites

  • --sslv2 --sslv3 --tlsv1 : Lists the SSL 2.0, 3.0 and TLS 1.0 OpenSSL cipher suites supported by the server.
  • --tlsv1_1 --tlsv1_2 : Lists the TLS 1.1 and 1.2 OpenSSL cipher suites supported by the server. Requires OpenSSL 1.0.1 or later.
  • --http_get : For each accepted cipher suite, sends an HTTP GET request after completing the SSL handshake and reports the HTTP status code.
  • --hide_rejected_ciphers : Hides the (usually long) list of cipher suites that were rejected by the server.

Session Renegotiation

  • --reneg : Checks whether the server is vulnerable to insecure renegotiation: it tests for secure renegotiation support (RFC 5746) and whether client-initiated renegotiation is honored. Requires OpenSSL 0.9.8m or later, the first release to implement RFC 5746.

Session Resumption

  • --resum : Tests the server for session resumption support, using both session IDs and TLS session tickets (RFC 5077).
  • --resum_rate : Estimates the success rate of session resumption by performing 100 session ID-based resumptions and reporting how many succeed.

Server Certificate

  • --certinfo=basic : Verifies the server's certificate validity against Mozilla's trusted root store, and prints relevant fields of the certificate.
  • --certinfo=full : Verifies the server's certificate validity against Mozilla's trusted root store, and prints the full certificate.

StartTLS

  • --starttls=STARTTLS : Treats the target server(s) as SMTP or XMPP servers and scans them through STARTTLS. STARTTLS should be smtp or xmpp.
  • --xmpp_to : Optional setting for STARTTLS XMPP. XMPP_TO should be the hostname to be put in the 'to' attribute of the XMPP stream. Default is the server's hostname.

Client Authentication

Configures SSLyze to use a client certificate for servers that perform mutual authentication. --cert and --key are required; the remaining options have the defaults noted:

  • --cert=CERT : Client certificate filename.
  • --certform=CERTFORM : Client certificate format. DER or PEM (default).
  • --key=KEY : Client private key filename.
  • --keyform=KEYFORM : Client private key format. DER or PEM (default).
  • --pass=KEYPASS : Client private key passphrase.
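Preparing a client identity in the formats these options accept, as an added example that is not part of SSLyze. It uses the openssl command line tool to create a throw-away self-signed client certificate and key, converts both to DER for --certform=DER / --keyform=DER, encrypts a copy of the key for --pass, checks that the PEM and DER certificates are really the same certificate, and prints the three equivalent invocations. The directory name, the passphrase "changeit" and the target www.target1.com are placeholders chosen for the example:

```shell
#!/bin/sh
# Added example, not part of SSLyze: build a client certificate and key in the
# two formats --certform/--keyform accept, plus a passphrase-protected key for
# --pass. Requires the openssl CLI. Assumes "python sslyze.py" is run from the
# current directory; the passphrase and directory are placeholders.
set -e
SSLYZE_CLIENT_DIR="${SSLYZE_CLIENT_DIR:-sslyze-client}"
CLIENT_PASS="changeit"

make_client_identity() {
    mkdir -p "$SSLYZE_CLIENT_DIR"
    # Self-signed client cert. A real mTLS server wants one issued by its own
    # CA, but the file formats and the SSLyze flags are the same.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \
        -subj "/CN=sslyze-test-client" \
        -keyout "$SSLYZE_CLIENT_DIR/client.key.pem" \
        -out "$SSLYZE_CLIENT_DIR/client.crt.pem" 2>/dev/null
    # DER copies of both, for --certform=DER and --keyform=DER.
    openssl x509 -in "$SSLYZE_CLIENT_DIR/client.crt.pem" -outform DER \
        -out "$SSLYZE_CLIENT_DIR/client.crt.der"
    openssl rsa -in "$SSLYZE_CLIENT_DIR/client.key.pem" -outform DER \
        -out "$SSLYZE_CLIENT_DIR/client.key.der" 2>/dev/null
    # Passphrase-protected PEM key, the case --pass exists for.
    openssl rsa -in "$SSLYZE_CLIENT_DIR/client.key.pem" -aes256 \
        -passout "pass:$CLIENT_PASS" \
        -out "$SSLYZE_CLIENT_DIR/client.key.enc.pem" 2>/dev/null
}

# Confirm the DER and PEM files carry the same certificate (same SHA-256
# fingerprint) before handing either to the scanner.
same_fingerprint() {
    _pem=$(openssl x509 -in "$SSLYZE_CLIENT_DIR/client.crt.pem" -noout -fingerprint -sha256)
    _der=$(openssl x509 -in "$SSLYZE_CLIENT_DIR/client.crt.der" -inform DER -noout -fingerprint -sha256)
    [ "$_pem" = "$_der" ]
}

# The three equivalent ways to point SSLyze at this identity:
# PEM with defaults, DER for both files, and PEM with an encrypted key.
sslyze_mtls_cmds() {
    _host="$1"
    printf 'python sslyze.py --regular --cert=%s --key=%s %s\n' \
        "$SSLYZE_CLIENT_DIR/client.crt.pem" "$SSLYZE_CLIENT_DIR/client.key.pem" "$_host"
    printf 'python sslyze.py --regular --certform=DER --cert=%s --keyform=DER --key=%s %s\n' \
        "$SSLYZE_CLIENT_DIR/client.crt.der" "$SSLYZE_CLIENT_DIR/client.key.der" "$_host"
    printf 'python sslyze.py --regular --cert=%s --key=%s --pass=%s %s\n' \
        "$SSLYZE_CLIENT_DIR/client.crt.pem" "$SSLYZE_CLIENT_DIR/client.key.enc.pem" \
        "$CLIENT_PASS" "$_host"
}

make_client_identity
same_fingerprint && sslyze_mtls_cmds www.target1.com
```

Passing --pass on the command line exposes the passphrase to other users on a shared host via the process list; for a real engagement key, prefer an unencrypted key in a directory only you can read, and delete it when the scan is done.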

HTTPS Proxy Tunneling

  • --https_tunnel=HTTPS_TUNNEL : Sets an HTTP CONNECT proxy through which the SSL traffic to the target server(s) is tunneled. HTTPS_TUNNEL should be host:port. Requires Python 2.7.

Connections Timeout

  • --timeout=TIMEOUT : Sets the timeout, in seconds, for every socket connection made to the target server(s). The default is 5 seconds; increase it on slow networks.