SSLyze

SSLyze is a powerful Python library and command-line tool for scanning SSL/TLS configurations on remote servers. It performs fast, thorough security assessments, detects vulnerabilities, and outputs results in JSON format for automation and CI/CD integration.

Installation

Via pip

pip install sslyze

From Source

git clone https://github.com/nabla-c0d3/sslyze.git
cd sslyze
pip install .

Verify Installation

sslyze --version

Basic Scanning

Simple Full Scan

sslyze example.com

Scan with Port

sslyze example.com:443

Multiple Hosts

sslyze example.com google.com cloudflare.com

Scan with Timeout

sslyze --timeout 30 example.com

IPv6 Support

sslyze --ipv6 example.com

Scan Commands

Certificate Information

sslyze --certinfo basic example.com

Command	Description
--certinfo basic	Display basic certificate details
--certinfo full	Display full certificate analysis

Cipher Suites

sslyze --ciphers example.com

Checks all supported cipher suites and displays strength ratings (A+, A, B, C, D, F).

Supported Protocols

sslyze --protocols example.com

Detects supported SSL/TLS versions (SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3).

Heartbleed Vulnerability

sslyze --heartbleed example.com

Tests for the OpenSSL Heartbleed vulnerability (CVE-2014-0160).

OpenSSL CCS Injection

sslyze --openssl_ccs example.com

Tests for OpenSSL ChangeCipherSpec (CCS) injection vulnerability (CVE-2014-0224).

ROBOT Attack

sslyze --robot example.com

Tests for ROBOT vulnerability affecting RSA encryption (CVE-2017-13099).

Session Resumption

sslyze --resumption example.com

Tests for session resumption support (session tickets and session IDs).

TLS Compression

sslyze --compression example.com

Checks for TLS compression support (vulnerable to CRIME attack).

OCSP Stapling

sslyze --stapling example.com

Verifies OCSP stapling support for certificate status.

Renegotiation Support

sslyze --reneg example.com

Tests for secure renegotiation and unsafe renegotiation support.

Combined Scans

Run Multiple Tests

sslyze --ciphers --protocols --heartbleed --robot example.com

All Vulnerability Tests

sslyze --heartbleed --openssl_ccs --robot --compression example.com

Full Assessment

sslyze --certinfo full --ciphers --protocols --heartbleed --openssl_ccs --robot --resumption --compression --stapling --reneg example.com

JSON Output

Export Results to JSON

sslyze --json example.com > results.json

Pretty-Print JSON

sslyze --json example.com | jq .

JSON Output with Timestamp

sslyze --json example.com > "scan_$(date +%Y%m%d_%H%M%S).json"

Parse JSON Results

sslyze --json example.com | jq '.server_scan_result'

Filter specific vulnerability:

sslyze --json example.com | jq '.server_scan_result.heartbleed'

Python API Usage

Basic Library Import

from sslyze import Scanner, ServerNetworkLocation

scanner = Scanner()
server = ServerNetworkLocation("example.com", 443)
results = scanner.scan(server)
print(results)

Scan with Specific Tests

from sslyze import Scanner, ServerNetworkLocation
from sslyze.scan_commands import ScanCommand

scanner = Scanner()
server = ServerNetworkLocation("example.com")

# Run specific commands
scan_request = ScanRequest(
    server_location=server,
    scan_commands={
        ScanCommand.CERTIFICATE_INFO,
        ScanCommand.CIPHERS,
        ScanCommand.PROTOCOLS,
        ScanCommand.HEARTBLEED,
    }
)
results = scanner.run_scan_in_processes(scan_request, nb_processes=5)

Parse Results Programmatically

from sslyze import Scanner, ServerNetworkLocation

scanner = Scanner()
server = ServerNetworkLocation("example.com")
results = scanner.scan(server)

# Check for vulnerabilities
for scan in results.scan_commands_results:
    if scan.vulnerable_to_heartbleed:
        print("VULNERABLE to Heartbleed!")

Custom Timeout Configuration

from sslyze import Scanner, ServerNetworkLocation
import socket

scanner = Scanner(timeout=30)  # 30 second timeout
server = ServerNetworkLocation("example.com")
results = scanner.scan(server)

CI/CD Integration

GitLab CI Example

ssl_scan:
  image: python:3.11
  script:
    - pip install sslyze
    - sslyze --json $CI_SERVER_HOST > results.json
    - |
      if grep -q '"VULNERABLE"' results.json; then
        echo "Vulnerabilities detected!"
        exit 1
      fi
  artifacts:
    paths:
      - results.json

GitHub Actions Example

name: SSL/TLS Security Scan
on: [push]
jobs:
  sslyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - run: pip install sslyze
      - run: sslyze --json example.com > results.json
      - run: |
          if grep -q '"VULNERABLE"' results.json; then
            echo "SSL/TLS vulnerabilities found!"
            exit 1
          fi
      - uses: actions/upload-artifact@v3
        with:
          name: ssl-scan-results
          path: results.json

Jenkins Pipeline Example

pipeline {
    agent any
    stages {
        stage('SSL Scan') {
            steps {
                sh '''
                    python -m pip install sslyze
                    sslyze --json example.com > sslyze_results.json
                '''
            }
        }
        stage('Parse Results') {
            steps {
                sh '''
                    if grep -q '"VULNERABLE"' sslyze_results.json; then
                        echo "SSL/TLS vulnerabilities detected!"
                        exit 1
                    fi
                '''
            }
        }
    }
}

Compliance Checks

PCI DSS Compliance

sslyze --protocols --ciphers --certinfo full --heartbleed \
       --openssl_ccs --robot --reneg example.com

Key checks:

• TLSv1.2 or higher required
• Strong ciphers (grade A or higher)
• Secure renegotiation enabled
• No weak protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1)

HIPAA Compliance

sslyze --certinfo full --protocols --ciphers --compression example.com

Requirements:

• Valid certificate chain
• TLSv1.2 minimum
• No TLS compression
• Strong encryption algorithms

OWASP Top 10 - Vulnerable Transport

sslyze --protocols --ciphers --heartbleed --robot example.com

Validates against insecure TLS configuration vulnerabilities.

Batch Scanning

Scan Multiple Hosts from File

cat hosts.txt | xargs -I {} sslyze --json {} > {}_results.json

Batch Script with Error Handling

#!/bin/bash
for host in $(cat hosts.txt); do
    echo "Scanning $host..."
    sslyze --json "$host" > "${host}_results.json" 2>&1 || \
        echo "Error scanning $host" >> errors.log
done

Parallel Scanning

cat hosts.txt | parallel sslyze --json {} '>' {}_results.json

Tool Comparison

Feature	SSLyze	SSLScan	Testssl.sh
Language	Python	C/OpenSSL	Bash
Speed	Very Fast	Medium	Slower
JSON Output	Yes	Limited	Yes
Python API	Yes	No	No
STARTTLS Support	Yes	Yes	Yes
Custom Ciphers	Yes	Yes	Yes
Update Frequency	Active	Less Active	Very Active
Documentation	Good	Good	Excellent
CI/CD Integration	Excellent	Good	Good
Resource Usage	Low	Medium	Medium
Cross-Platform	Yes	Yes	Yes

Choose SSLyze for: Fast automated scanning, CI/CD integration, JSON parsing, Python automation.

Choose SSLScan for: Simple CLI scanning, minimal dependencies.

Choose Testssl.sh for: Most comprehensive checks, edge-case coverage, detailed reporting.

Common Use Cases

Quick Vulnerability Check

sslyze --heartbleed --robot --openssl_ccs example.com

Export for Reporting

sslyze --json --certinfo full example.com | jq '.' > report.json

Monitor Certificate Expiration

sslyze --certinfo basic example.com | grep "Not After"

Verify TLS 1.3 Support

sslyze --protocols example.com | grep TLSv1.3

Check OCSP Stapling

sslyze --stapling example.com

Audit Cipher Strength

sslyze --ciphers example.com | grep -i "grade: [D-F]"

Tips and Tricks

Suppress Errors for Missing Features

sslyze --openssl_ccs example.com 2>/dev/null

Output to Syslog

sslyze example.com 2>&1 | logger -t sslyze

Store Results with Metadata

sslyze --json example.com | \
    jq --arg date "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
       '{timestamp: $date, results: .}' > scan.json

Create Scan Report

sslyze --json --certinfo full example.com | \
    jq '.[] | {host: .server, protocols: .protocols, ciphers: .ciphers}' \
    > host_report.json

Continuous Compliance Monitoring

#!/bin/bash
hosts=("example.com" "api.example.com" "cdn.example.com")
for host in "${hosts[@]}"; do
    sslyze --json "$host" > "/var/log/ssl-scans/${host}_$(date +%Y%m%d).json"
done

Performance Optimization

Increase Worker Processes

sslyze --max_workers 10 example.com

Disable IPv6 for Speed

sslyze --no-ipv6 example.com

Skip Specific Tests

sslyze --ciphers --protocols example.com

(Skipping unnecessary tests speeds up scanning)

Security Considerations

• Rate Limiting: SSLyze respects server limits; reduce workers if getting timeouts
• Network Impact: Multiple concurrent scans can strain network; monitor bandwidth
• Log Sensitive Data: JSON output may contain certificate details; handle securely
• Updates: Keep SSLyze updated for latest vulnerability signatures
• Scanning Permissions: Always obtain authorization before scanning external systems