nabla-c0d3 edited this page Jan 19, 2013 · 19 revisions

Usage

The following command line should be used:

$ python sslyze.py [options] www.target1.com www.target2.com:443

Several command line options are available detailed below.

Regular Scan

$ python sslyze.py --regular www.target1.com

This is what you'll want to use most of the time. It performs a regular HTTP scan and is a shortcut for:

--sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --compression --reneg --resum --certinfo=basic --hide_rejected_ciphers --http_get

If --regular is too intense for the server, try running each command separately.

Detailed Command Line Options - SSLyze v0.6

Security Testing

Supported Cipher Suites

  • --sslv2 --sslv3 --tlsv1 : Lists the SSL 2.0, 3.0 and TLS 1.0 OpenSSL cipher suites supported by the server.
  • --tlsv1_1 --tlsv1_2 : Lists the TLS 1.1 and 1.2 OpenSSL cipher suites supported by the server. Requires OpenSSL 1.0.1 or later.
  • --http_get : Option - For each cipher suite, sends an HTTP GET request after completing the SSL handshake and returns the HTTP status code.
  • --hide_rejected_ciphers : Option - Hides the (usually long) list of cipher suites that were rejected by the server.

Session Renegotiation

Compression

  • --compression : Tests the server for Zlib compression support. See CRIME.

Server Certificate

  • --certinfo=basic : Verifies the server's certificate validity against Mozilla's trusted root store, and prints relevant fields of the certificate.
  • --certinfo=full : Verifies the server's certificate validity against Mozilla's trusted root store, and prints the full certificate.

Performance Testing

Session Resumption

  • --resum : Tests the server for session resumption support, using both session IDs and TLS session tickets (RFC 5077).
  • --resum_rate : Estimates the average rate of successful session resumptions by performing 100 ID-based session resumptions.

Miscellaneous

  • --xml_out=XML_FILE : Writes the scan results as an XML document to the file XML_FILE.
  • --targets_in=TARGETS_IN : Reads the list of targets to scan from the file TARGETS_IN. It should contain one host:port per line.
  • --https_tunnel=HTTPS_TUNNEL : Sets an HTTP CONNECT proxy to tunnel SSL traffic to the target server(s). HTTPS_TUNNEL should be host:port. Requires Python 2.7.
  • --timeout=TIMEOUT : Sets the timeout value in seconds used for every socket connection made to the target server(s). Default value is 5s, but should be increased if the network is slow.
  • --sni=SNI : Use Server Name Indication to specify the hostname to connect to. Will only affect TLS 1.0+ connections.

StartTLS

  • --starttls=STARTTLS : Identifies the target server(s) as SMTP or XMPP server(s) and scans them using StartTLS. STARTTLS should be smtp or xmpp.
  • --xmpp_to=XMPP_TO : Optional setting for --starttls=xmpp. XMPP_TO should be the hostname to put in the 'to' attribute of the XMPP stream. Default is the server's hostname.

Client Authentication

Configures SSLyze to use a client certificate in case the server performs mutual authentication. The following options are required:

  • --cert=CERT : Client certificate filename.
  • --certform=CERTFORM : Client certificate format. DER or PEM (default).
  • --key=KEY : Client private key filename.
  • --keyform=KEYFORM : Client private key format. DER or PEM (default).
  • --pass=KEYPASS : Client private key passphrase.