SSLyze
SSLyze is a powerful Python library and command-line tool for scanning SSL/TLS configurations on remote servers. It performs fast, thorough security assessments, detects vulnerabilities, and outputs results in JSON format for automation and CI/CD integration.
Installation
pip install sslyze
From Source
git clone https://github.com/nabla-c0d3/sslyze.git
cd sslyze
pip install .
Verify Installation
sslyze --version
Basic Scanning
Simple Full Scan
sslyze example.com
Scan with Port
sslyze example.com:443
Multiple Hosts
sslyze example.com google.com cloudflare.com
Scan with Timeout
sslyze --timeout 30 example.com
IPv6 Support
sslyze --ipv6 example.com
Scan Commands
Certificate Information
sslyze --certinfo example.com
| Command | Description |
|---|---|
| --certinfo | Display certificate details (received chain, chain validation against the built-in trust stores, OCSP stapling status); current SSLyze releases have no separate basic/full mode |
Cipher Suites
sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 example.com
Checks all supported cipher suites, per protocol version, and displays strength ratings (A+, A, B, C, D, F).
Supported Protocols
sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 example.com
Detects supported SSL/TLS versions (SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3); each flag tests one version and lists the cipher suites the server accepts for it.
Heartbleed Vulnerability
sslyze --heartbleed example.com
Tests for the OpenSSL Heartbleed vulnerability (CVE-2014-0160).
OpenSSL CCS Injection
sslyze --openssl_ccs example.com
Tests for the OpenSSL ChangeCipherSpec (CCS) injection vulnerability (CVE-2014-0224).
ROBOT Attack
sslyze --robot example.com
Tests for the ROBOT vulnerability affecting RSA encryption (CVE-2017-13099).
Session Resumption
sslyze --resum example.com
Tests for session resumption support (session tickets and session IDs).
TLS Compression
sslyze --compression example.com
Checks for TLS compression support (vulnerable to the CRIME attack).
OCSP Stapling
sslyze --certinfo example.com
Verifies OCSP stapling support for certificate status; the stapled response is reported as part of the certificate information scan.
Renegotiation Support
sslyze --reneg example.com
Tests for secure renegotiation and unsafe (client-initiated) renegotiation support.
Combined Scans
Run Multiple Tests
sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 --heartbleed --robot example.com
All Vulnerability Tests
sslyze --heartbleed --openssl_ccs --robot --compression example.com
Full Assessment
sslyze --certinfo --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 --heartbleed --openssl_ccs --robot --resum --compression --reneg example.com
JSON Output
--json_out takes a file path; passing - writes the JSON to stdout instead.
Export Results to JSON
sslyze --json_out=results.json example.com
Pretty-Print JSON
sslyze --json_out=- example.com | jq .
JSON Output with Timestamp
sslyze --json_out="scan_$(date +%Y%m%d_%H%M%S).json" example.com
Parse JSON Results
sslyze --json_out=- example.com | jq '.server_scan_results[]'
Filter a specific vulnerability:
sslyze --json_out=- example.com | jq '.server_scan_results[].scan_result.heartbleed'
Python API Usage
Basic Library Import
from sslyze import Scanner, ServerScanRequest, ServerNetworkLocation

# Building the request resolves the hostname; with no scan_commands given, every scan command runs
scan_request = ServerScanRequest(server_location=ServerNetworkLocation(hostname="example.com", port=443))
scanner = Scanner()
scanner.queue_scans([scan_request])
for server_scan_result in scanner.get_results():
    print(server_scan_result)

Scan with Specific Tests
from sslyze import Scanner, ServerScanRequest, ServerNetworkLocation, ScanCommand

server = ServerNetworkLocation(hostname="example.com")
# Run only the selected scan commands instead of the full default set
scan_request = ServerScanRequest(
    server_location=server,
    scan_commands={
        ScanCommand.CERTIFICATE_INFO,
        ScanCommand.TLS_1_2_CIPHER_SUITES,
        ScanCommand.TLS_1_3_CIPHER_SUITES,
        ScanCommand.HEARTBLEED,
    },
)
# Concurrency is configured on the Scanner, not per request
scanner = Scanner(per_server_concurrent_connections_limit=5)
scanner.queue_scans([scan_request])
results = list(scanner.get_results())

Parse Results Programmatically
from sslyze import (Scanner, ServerScanRequest, ServerNetworkLocation, ScanCommand,
                    ScanCommandAttemptStatusEnum, ServerScanStatusEnum)

scanner = Scanner()
server = ServerNetworkLocation(hostname="example.com")
scanner.queue_scans([ServerScanRequest(server_location=server, scan_commands={ScanCommand.HEARTBLEED})])
# Check for vulnerabilities
for server_scan_result in scanner.get_results():
    if server_scan_result.scan_status != ServerScanStatusEnum.COMPLETED:
        print(f"Could not connect: {server_scan_result.connectivity_error_trace}")
        continue
    # Each scan command is a separate attempt; only a COMPLETED attempt carries a result
    attempt = server_scan_result.scan_result.heartbleed
    if attempt.status == ScanCommandAttemptStatusEnum.COMPLETED and attempt.result.is_vulnerable_to_heartbleed:
        print("VULNERABLE to Heartbleed!")

Custom Timeout Configuration
from sslyze import Scanner, ServerScanRequest, ServerNetworkLocation, ServerNetworkConfiguration

server = ServerNetworkLocation(hostname="example.com")
# The timeout (seconds per socket connection) is set per server through its network configuration
network_config = ServerNetworkConfiguration(tls_server_name_indication=server.hostname, network_timeout=30)
scanner = Scanner()
scanner.queue_scans([ServerScanRequest(server_location=server, network_configuration=network_config)])
results = list(scanner.get_results())
CI/CD Integration
SSLyze's JSON never contains a bare "VULNERABLE" string; the per-command result fields (for example "is_vulnerable_to_heartbleed": true) are what a pipeline has to match.
GitLab CI Example
ssl_scan:
  image: python:3.11
  script:
    - pip install sslyze
    - sslyze --json_out=results.json "$CI_SERVER_HOST"
    - |
      # Fail the job if a Heartbleed or CCS injection result is flagged
      if grep -Eq '"is_vulnerable_to_(heartbleed|ccs_injection)": *true' results.json; then
        echo "Vulnerabilities detected!"
        exit 1
      fi
  artifacts:
    paths:
      - results.json

GitHub Actions Example
name: SSL/TLS Security Scan
on: [push]
jobs:
  sslyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - run: pip install sslyze
      - run: sslyze --json_out=results.json example.com
      - run: |
          # Fail the job if a Heartbleed or CCS injection result is flagged
          if grep -Eq '"is_vulnerable_to_(heartbleed|ccs_injection)": *true' results.json; then
            echo "SSL/TLS vulnerabilities found!"
            exit 1
          fi
      - uses: actions/upload-artifact@v3
        # Keep the report even when the gate above fails the job
        if: always()
        with:
          name: ssl-scan-results
          path: results.json

Jenkins Pipeline Example
pipeline {
    agent any
    stages {
        stage('SSL Scan') {
            steps {
                sh '''
                    python -m pip install sslyze
                    sslyze --json_out=sslyze_results.json example.com
                '''
            }
        }
        stage('Parse Results') {
            steps {
                sh '''
                    if grep -Eq '"is_vulnerable_to_(heartbleed|ccs_injection)": *true' sslyze_results.json; then
                        echo "SSL/TLS vulnerabilities detected!"
                        exit 1
                    fi
                '''
            }
        }
    }
}
Compliance Checks
PCI DSS Compliance
sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 --certinfo --heartbleed \
    --openssl_ccs --robot --reneg example.com
Key checks:
- TLSv1.2 or higher required
- Strong ciphers (grade A or higher)
- Secure renegotiation enabled
- No weak protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1)
HIPAA Compliance
sslyze --certinfo --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 --compression example.com
Requirements:
- Valid certificate chain
- TLSv1.2 minimum
- No TLS compression
- Strong encryption algorithms
OWASP Top 10 - Vulnerable Transport
sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 --heartbleed --robot example.com
Validates against insecure TLS configuration vulnerabilities.
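The PCI DSS and HIPAA checks listed above can be evaluated mechanically from a --json_out report, which is more robust than grepping the file in a pipeline. The script below is an added example, not SSLyze's own code: the field names follow the sslyze 5.x JSON schema and are an assumption, and the sample report is constructed. A scan command that errored is reported as unverified rather than treated as a pass.

```python
import json

# Constructed sample shaped like SSLyze's --json_out report (field names assumed from the sslyze 5.x schema)
SAMPLE_SCAN = json.dumps({"server_scan_results": [{
    "server_location": {"hostname": "example.com", "port": 443},
    "scan_status": "COMPLETED",
    "scan_result": {
        "tls_1_0_cipher_suites": {"status": "COMPLETED", "result": {"is_tls_version_supported": True}},
        "heartbleed": {"status": "COMPLETED", "result": {"is_vulnerable_to_heartbleed": False}},
        "openssl_ccs_injection": {"status": "ERROR", "result": None},
        "robot": {"status": "COMPLETED", "result": {"robot_result": "VULNERABLE_WEAK_ORACLE"}},
        "session_renegotiation": {"status": "COMPLETED", "result": {"supports_secure_renegotiation": True}},
    }}]})
# (scan command, result field, value that passes, label)
BOOLEAN_CHECKS = [
    ("heartbleed", "is_vulnerable_to_heartbleed", False, "Heartbleed"),
    ("openssl_ccs_injection", "is_vulnerable_to_ccs_injection", False, "CCS injection"),
    ("session_renegotiation", "supports_secure_renegotiation", True, "secure renegotiation"),
]

def attempt_value(scan_result, command, field):
    """One result field of a scan command, or None when it errored or was not run."""
    attempt = scan_result.get(command) or {}
    if attempt.get("status") != "COMPLETED" or attempt.get("result") is None:
        return None
    return attempt["result"].get(field)

def findings_for_server(server):
    """Evaluate one server entry; an unverified check is a finding, not a pass."""
    host = server["server_location"]["hostname"]
    if server["scan_status"] != "COMPLETED":
        return [f"{host}: scan did not complete ({server['scan_status']})"]
    res, findings = server["scan_result"], []
    for version in ("ssl_2_0", "ssl_3_0", "tls_1_0", "tls_1_1"):
        if attempt_value(res, f"{version}_cipher_suites", "is_tls_version_supported"):
            findings.append(f"{host}: legacy protocol {version} is accepted")
    for command, field, passing, label in BOOLEAN_CHECKS:
        value = attempt_value(res, command, field)
        if value is None:
            findings.append(f"{host}: could not verify {label} ({command} did not complete)")
        elif value != passing:
            findings.append(f"{host}: {label} check failed")
    robot = attempt_value(res, "robot", "robot_result")
    if robot is None or robot.startswith("VULNERABLE"):
        findings.append(f"{host}: ROBOT result is {robot}")
    return findings

def findings_from_json(text):
    """CI gate helper: a non-empty list means the pipeline job should fail."""
    return [f for s in json.loads(text)["server_scan_results"] for f in findings_for_server(s)]
```

In a pipeline, read the --json_out file, call findings_from_json on it and exit non-zero when the list is not empty.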
Batch Scanning
Scan Multiple Hosts from File
xargs -I {} sh -c 'sslyze --json_out=- "$1" > "$1_results.json"' _ {} < hosts.txt
(SSLyze can also read the list itself with --targets_in hosts.txt, writing all results to a single JSON file.)
Batch Script with Error Handling
#!/bin/bash
while read -r host; do
    [ -z "$host" ] && continue
    echo "Scanning $host..."
    # Keep stderr out of the JSON file so it stays parseable
    sslyze --json_out="${host}_results.json" "$host" 2>>errors.log || \
        echo "Error scanning $host" >> errors.log
done < hosts.txt
Parallel Scanning
parallel 'sslyze --json_out="{}_results.json" {}' < hosts.txt
Tool Comparison
| Feature | SSLyze | SSLScan | Testssl.sh |
|---|---|---|---|
| Language | Python | C/OpenSSL | Bash |
| Speed | Very Fast | Medium | Slower |
| JSON Output | Yes | Limited | Yes |
| Python API | Yes | No | No |
| STARTTLS Support | Yes | Yes | Yes |
| Custom Ciphers | Yes | Yes | Yes |
| Update Frequency | Active | Less Active | Very Active |
| Documentation | Good | Good | Excellent |
| CI/CD Integration | Excellent | Good | Good |
| Resource Usage | Low | Medium | Medium |
| Cross-Platform | Yes | Yes | Yes |
Choose SSLyze for: Fast automated scanning, CI/CD integration, JSON parsing, Python automation.
Choose SSLScan for: Simple CLI scanning, minimal dependencies.
Choose Testssl.sh for: Most comprehensive checks, edge-case coverage, detailed reporting.
Common Use Cases
Quick Vulnerability Check
sslyze --heartbleed --robot --openssl_ccs example.com
Export for Reporting
sslyze --json_out=- --certinfo example.com | jq '.' > report.json
Monitor Certificate Expiration
sslyze --certinfo example.com | grep "Not After"
Verify TLS 1.3 Support
sslyze --tlsv1_3 example.com | grep -A 3 "TLS 1.3 Cipher Suites"
Check OCSP Stapling
sslyze --certinfo example.com
Audit Cipher Strength
sslyze --mozilla_config intermediate example.com
(Compares the accepted protocols and cipher suites against Mozilla's intermediate TLS profile and reports the checks that failed.)
Tips and Tricks
Suppress Errors for Missing Features
sslyze --openssl_ccs example.com 2>/dev/null
Output to Syslog
sslyze example.com 2>&1 | logger -t sslyze
Store Results with Metadata
sslyze --json_out=- example.com | \
    jq --arg date "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    '{timestamp: $date, results: .}' > scan.json
Create Scan Report
sslyze --json_out=- --certinfo --tlsv1_2 --tlsv1_3 example.com | \
    jq '.server_scan_results[] | {host: .server_location.hostname, tls12: .scan_result.tls_1_2_cipher_suites.result, tls13: .scan_result.tls_1_3_cipher_suites.result}' \
    > host_report.json
Continuous Compliance Monitoring
#!/bin/bash
hosts=("example.com" "api.example.com" "cdn.example.com")
for host in "${hosts[@]}"; do
    sslyze --json_out="/var/log/ssl-scans/${host}_$(date +%Y%m%d).json" "$host"
done
Performance Optimization
Increase Worker Processes
sslyze --max_workers 10 example.com
Disable IPv6 for Speed
sslyze --no-ipv6 example.com
Skip Specific Tests
sslyze --tlsv1_2 --tlsv1_3 example.com
(Running only the scan commands you need speeds up scanning.)
Security Considerations
- Rate Limiting: SSLyze respects server limits; reduce workers if getting timeouts
- Network Impact: Multiple concurrent scans can strain network; monitor bandwidth
- Log Sensitive Data: JSON output may contain certificate details; handle securely
- Updates: Keep SSLyze updated for latest vulnerability signatures
- Scanning Permissions: Always obtain authorization before scanning external systems