Skip to content
nabla-c0d3 edited this page Sep 19, 2012 · 19 revisions

Installation

Supported platforms are Windows 7, Linux and OS X Mountain Lion, both 32 and 64 bits. SSLyze requires Python 2.6 or 2.7 and OpenSSL 0.9.8+.

Linux and OS X Mountain Lion

Linux and OS X Mountain Lion users should download the source package available in the Downloads section of the project.

Windows

For Windows, specific packages that include the OpenSSL DLLs are available in the Downloads section of the project. There is one package for Python 32 bits, and one for Python 64 bits.

Other Platforms

Other platforms are not officially supported yet, but SSLyze might work anyway.

Usage

The following command line should be used:

$ python sslyze.py [options] www.target1.com www.target2.com:443

Several command line options are available detailed below.

Regular Scan

$ python sslyze.py --regular www.target1.com

This is what you'll want to use most of the time. It performs a regular HTTP scan and is a shortcut for:

--sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --compression --reneg --resum --certinfo=basic --hide_rejected_ciphers --http_get

If --regular is too intense for the server, try running each command separately.

Command Line Options - SSLyze v0.5

Miscellaneous

  • --xml_out=XML_FILE : Writes the scan results as an XML document to the file XML_FILE.
  • --targets_in=TARGETS_IN : Reads the list of targets to scan from the file TARGETS_IN. It should contain one host:port per line.
  • --https_tunnel=HTTPS_TUNNEL : Sets an HTTP CONNECT proxy to tunnel SSL traffic to the target server(s). HTTP_TUNNEL should be host:port. Requires Python 2.7
  • --timeout=TIMEOUT : Sets the timeout value in seconds used for every socket connection made to the target server(s). Default value is 5s, but should be increased if the network is slow.

OpenSSL Cipher Suites

  • --sslv2 --sslv3 --tlsv1 : Lists the SSL 2.0, 3.0 and TLS 1.0 OpenSSL cipher suites supported by the server.
  • --tlsv1_1 --tlsv1_2} : Lists the TLS 1.1 and 1.2 OpenSSL cipher suites supported by the server. Requires OpenSSL 1.0.1 or later.
  • --http_get : Option - For each cipher suite, sends an HTTP GET request after completing the SSL handshake and returns the HTTP status code.
  • --hide_rejected_ciphers : Option - Hides the (usually long) list of cipher suites that were rejected by the server.

Session Renegotiation

  • --reneg : Checks whether the server is vulnerable to insecure renegotiation. Requires OpenSSL 0.9.8m or later.

Session Resumption

  • --resum : Tests the server for session resumption support, using both session IDs and TLS session tickets (RFC 5077).
  • --resum_rate : Estimates the average rate of successful session resumptions by performing 100 ID-based session resumptions.

Compression

  • --compression : Tests the server for Zlib compression support.

Server Certificate

  • --certinfo=basic : Verifies the server's certificate validity against Mozilla's trusted root store, and prints relevant fields of the certificate.
  • --certinfo=full : Verifies the server's certificate validity against Mozilla's trusted root store, and prints the full certificate.

StartTLS

  • --starttls=STARTTLS : Identifies the target server(s) as a SMTP or an XMPP server(s) and scans the server(s) using StartTLS. STARTTLS should be smtp or xmpp.
  • --xmpp_to : Optional setting for STARTTLS XMPP. XMPP_TO should be the hostname to be put in the 'to' attribute of the XMPP stream. Default is the server's hostname.

Client Authentication

Configures SSlyze to use a client certificate in case the server performs mutual authentication. The following options are required:

  • --cert=CERT : Client certificate filename.
  • --certform=CERTFORM : Client certificate format. DER or PEM (default).
  • --key=KEY : Client private key filename.
  • --keyform=KEYFORM : Client private key format. DER or PEM (default).
  • --pass=KEYPASS : Client private key passphrase.
Clone this wiki locally