SSLyze
SSLyze is a Python library and command-line tool for scanning the SSL/TLS configuration of remote servers. It enumerates supported protocol versions and cipher suites, validates the certificate chain against several trust stores, tests for known implementation bugs (Heartbleed, CCS injection, ROBOT, CRIME via compression) and writes its results as JSON, which makes it easy to drive from scripts and CI/CD pipelines. The examples on this page use the SSLyze 5.x command line and Python API.
Installation
Via pip
pip install sslyze
From Source
git clone https://github.com/nabla-c0d3/sslyze.git
cd sslyze
pip install .
Verify Installation
pip show sslyze
sslyze --help
The first prints the installed version; the second lists every scan-command and connectivity option used on this page.
Basic Scanning
Simple Full Scan
sslyze example.com
With no scan-command flags, SSLyze connects to port 443 and runs every scan command (certificate validation, all six protocol versions, Heartbleed, CCS injection, ROBOT, compression, renegotiation, resumption, elliptic curves, early data, fallback SCSV and HTTP headers); in 5.x it also compares the result with Mozilla's intermediate TLS profile.
Scan with Port
sslyze example.com:443
Multiple Hosts
sslyze example.com google.com cloudflare.com
Slow or Rate-Limited Servers
sslyze --slow_connection example.com
The CLI has no --timeout flag. --slow_connection sharply reduces the number of concurrent connections SSLyze opens, which is the fix when scans fail with timeouts or the server starts dropping connections. Per-connection timeouts and retries are only exposed in the Python API (network_timeout and network_max_retries on ServerNetworkConfiguration).
IPv6 Support
sslyze "[2001:db8::1]:443"
There is no --ipv6 flag: an IPv6 target is written in brackets with the port after it (2001:db8::1 is a documentation address standing in for a real one). When a hostname resolves to both address families, SSLyze prefers the IPv4 address.
Scan Commands
Certificate Information
sslyze --certinfo example.com
| Command | Description |
|---|---|
| --certinfo | Retrieve the certificate chain, validate it against the bundled trust stores (Android, Apple, Java, Microsoft, Mozilla), check that the leaf matches the hostname, and report the stapled OCSP response if the server sends one |
| --certinfo_ca_file PATH | Additionally validate the chain against a local PEM bundle of root certificates, for internal PKI |
| --update_trust_stores | Refresh the bundled trust stores before scanning |
SSLyze 5.x has a single --certinfo command; the old basic/full split no longer exists.
Cipher Suites and Protocol Versions
sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 example.com
There is no --ciphers or --protocols flag. Each protocol version is its own scan command that reports whether the version is supported (is_tls_version_supported) and, if so, which cipher suites the server accepted for it, with the suite name, symmetric key size and whether the exchange used an ephemeral (forward-secret) key. SSLyze does not assign letter grades; weak suites have to be judged from that data. Two related commands: --fallback tests TLS_FALLBACK_SCSV downgrade protection and --elliptic_curves lists the curves accepted for ECDHE.
Heartbleed Vulnerability
sslyze --heartbleed example.com
Tests for the OpenSSL Heartbleed memory-disclosure bug (CVE-2014-0160). JSON field: heartbleed.result.is_vulnerable_to_heartbleed.
OpenSSL CCS Injection
sslyze --openssl_ccs example.com
Tests for the OpenSSL ChangeCipherSpec (CCS) injection vulnerability (CVE-2014-0224), which lets an active attacker force weak keys when both client and server are vulnerable. JSON field: openssl_ccs_injection.result.is_vulnerable_to_ccs_injection.
ROBOT Attack
sslyze --robot example.com
Tests for ROBOT, the Bleichenbacher padding-oracle attack against RSA key exchange. ROBOT received one CVE per affected vendor; CVE-2017-13099 is the F5 BIG-IP one. SSLyze reports one of VULNERABLE_WEAK_ORACLE, VULNERABLE_STRONG_ORACLE, NOT_VULNERABLE_NO_ORACLE, NOT_VULNERABLE_RSA_NOT_SUPPORTED or UNKNOWN_INCONSISTENT_RESULTS in robot.result.robot_result; the last value means the test should be rerun, not that the server is safe.
Session Resumption
sslyze --resum example.com
sslyze --resum --resum_attempts 100 example.com
Tests session resumption with session IDs and with TLS session tickets (the flag is --resum, not --resumption). --resum_attempts sets how many resumptions are tried; the default of 5 is enough to see whether resumption works at all, a higher value measures how reliably it works.
TLS Compression
sslyze --compression example.com
Checks whether the server accepts TLS-level compression, which enables the CRIME attack on cookies and other secrets in the request. JSON field: tls_compression.result.supports_compression.
OCSP Stapling
sslyze --certinfo example.com
There is no --stapling flag: the stapled OCSP response (if any) is part of the --certinfo result, under certificate_deployments[].ocsp_response, with ocsp_response_is_trusted indicating whether it validated.
Renegotiation Support
sslyze --reneg example.com
Reports whether the server supports secure renegotiation (RFC 5746) and whether it accepts client-initiated renegotiation, which can be abused for CPU-exhaustion denial of service. JSON fields: session_renegotiation.result.supports_secure_renegotiation and is_vulnerable_to_client_renegotiation_dos.
Combined Scans
Run Multiple Tests
sslyze --tlsv1_2 --tlsv1_3 --heartbleed --robot example.com
Scan commands are additive: pass every flag you want in one invocation and SSLyze runs them concurrently against the target.
All Vulnerability Tests
sslyze --heartbleed --openssl_ccs --robot --compression --reneg --fallback example.com
Full Assessment
sslyze --certinfo --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 --heartbleed --openssl_ccs --robot --resum --compression --reneg --fallback --elliptic_curves example.com
Running sslyze example.com with no scan-command flags covers this set plus --early_data and --http_headers.
JSON Output
Export Results to JSON
sslyze --json_out results.json example.com
The flag is --json_out and takes a file name; the human-readable report still goes to the terminal. Pass - as the file name to write the JSON to stdout instead (the text report is then suppressed), which is the form to use in pipelines:
sslyze --json_out=- example.com > results.json
Pretty-Print JSON
sslyze --json_out=- example.com | jq .
JSON Output with Timestamp
sslyze --json_out "scan_$(date +%Y%m%d_%H%M%S).json" example.com
The report already records date_scans_started, date_scans_completed and sslyze_version at the top level, so the timestamped file name is only for housekeeping.
Parse JSON Results
The top-level server_scan_results array holds one entry per target. Each entry has server_location (hostname, ip_address, port), connectivity_status, scan_status (COMPLETED or ERROR_NO_CONNECTIVITY) and a scan_result object keyed by scan command (certificate_info, heartbleed, robot, tls_1_2_cipher_suites, ...). Every scan-command entry carries status (COMPLETED, ERROR or NOT_SCHEDULED), error_reason and result, so check status before reading result:
sslyze --json_out=- example.com | jq '.server_scan_results[0].scan_result | keys'
Filter a specific vulnerability:
sslyze --json_out=- --heartbleed example.com | jq '.server_scan_results[].scan_result.heartbleed | {status, vulnerable: .result.is_vulnerable_to_heartbleed}'
Python API Usage
Basic Library Import
SSLyze 5.x has no Scanner.scan(): you queue ServerScanRequest objects and iterate over the results as they complete.
from sslyze import Scanner, ServerScanRequest, ServerNetworkLocation, ScanCommand

# ServerNetworkLocation resolves the hostname immediately and raises
# ServerHostnameCouldNotBeResolved if DNS lookup fails
server = ServerNetworkLocation(hostname="example.com", port=443)
request = ServerScanRequest(server_location=server, scan_commands={ScanCommand.CERTIFICATE_INFO, ScanCommand.HEARTBLEED})
scanner = Scanner()
scanner.queue_scans([request])  # scans start in the background
for result in scanner.get_results():  # yields one ServerScanResult per request, as each finishes
    print(result.server_location.hostname, result.scan_status)
Scan with Specific Tests
from sslyze import Scanner, ServerScanRequest, ServerNetworkLocation, ScanCommand

server = ServerNetworkLocation(hostname="example.com")  # port defaults to 443

# Only the listed scan commands run; each protocol version is its own command
scan_request = ServerScanRequest(
    server_location=server,
    scan_commands={
        ScanCommand.CERTIFICATE_INFO,
        ScanCommand.TLS_1_2_CIPHER_SUITES,
        ScanCommand.TLS_1_3_CIPHER_SUITES,
        ScanCommand.HEARTBLEED,
    },
)

# Concurrency is configured on the Scanner, not per request: how many servers are
# scanned at once, and how many connections each server sees at a time
scanner = Scanner(concurrent_server_scans_limit=5, per_server_concurrent_connections_limit=5)
scanner.queue_scans([scan_request])
for result in scanner.get_results():
    if result.scan_result is None:  # server was unreachable
        print(result.server_location.hostname, result.scan_status)
        continue
    print(result.server_location.hostname, result.scan_result.certificate_info.status)
Parse Results Programmatically
from sslyze import (Scanner, ServerScanRequest, ServerNetworkLocation, ScanCommand,
                    ServerScanStatusEnum, ScanCommandAttemptStatusEnum)

scanner = Scanner()
scanner.queue_scans([ServerScanRequest(server_location=ServerNetworkLocation(hostname="example.com"),
                                       scan_commands={ScanCommand.HEARTBLEED})])
for result in scanner.get_results():
    # Connectivity is tested first; scan_result is None when the server was unreachable
    if result.scan_status != ServerScanStatusEnum.COMPLETED:
        print(f"{result.server_location.hostname}: {result.scan_status}")
        continue
    attempt = result.scan_result.heartbleed  # one attempt object per scan command
    if attempt.status == ScanCommandAttemptStatusEnum.ERROR:
        print("Heartbleed test failed:", attempt.error_reason)
    elif attempt.result.is_vulnerable_to_heartbleed:
        print("VULNERABLE to Heartbleed!")
Custom Timeout Configuration
from sslyze import Scanner, ServerScanRequest, ServerNetworkLocation, ServerNetworkConfiguration

# Timeouts and retries belong to each request's network configuration, not to Scanner()
server = ServerNetworkLocation(hostname="example.com")
config = ServerNetworkConfiguration(tls_server_name_indication="example.com",
                                    network_timeout=30, network_max_retries=3)  # seconds, attempts
scanner = Scanner()
scanner.queue_scans([ServerScanRequest(server_location=server, network_configuration=config)])
for result in scanner.get_results():
    print(result.server_location.hostname, result.scan_status)
CI/CD Integration
GitLab CI Example
ssl_scan:
  image: python:3.11
  variables:
    TARGET: "example.com"
  script:
    - apt-get update -qq && apt-get install -y -qq jq
    - pip install sslyze
    # In SSLyze 5.x --mozilla_config makes the command exit non-zero when the server
    # fails the chosen Mozilla profile, so this line alone fails the job on a weak config
    - sslyze --mozilla_config intermediate --json_out results.json "$TARGET"
    # Explicit checks on the JSON: fail on an unreachable target or any of these flags
    - |
      jq -e '[.server_scan_results[] |
              (.scan_status != "COMPLETED"),
              (.scan_result.heartbleed.result.is_vulnerable_to_heartbleed // false),
              (.scan_result.openssl_ccs_injection.result.is_vulnerable_to_ccs_injection // false),
              (.scan_result.tls_compression.result.supports_compression // false)]
             | any | not' results.json
  artifacts:
    when: always
    paths:
      - results.json
The JSON never contains a literal "VULNERABLE" string to grep for: findings are booleans (is_vulnerable_to_heartbleed) or enum values (robot_result), so the check has to read the fields.
GitHub Actions Example
name: SSL/TLS Security Scan
on: [push]
jobs:
  sslyze:
    runs-on: ubuntu-latest  # jq is preinstalled on the GitHub-hosted runner
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - run: pip install sslyze
      # Non-zero exit on Mozilla-profile non-compliance fails this step by itself
      - run: sslyze --mozilla_config intermediate --json_out results.json example.com
      - run: |
          jq -e '[.server_scan_results[] |
                  (.scan_status != "COMPLETED"),
                  (.scan_result.heartbleed.result.is_vulnerable_to_heartbleed // false),
                  (.scan_result.openssl_ccs_injection.result.is_vulnerable_to_ccs_injection // false),
                  (.scan_result.tls_compression.result.supports_compression // false)]
                 | any | not' results.json
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: ssl-scan-results
          path: results.json
Jenkins Pipeline Example
pipeline {
    agent any
    stages {
        stage('SSL Scan') {
            steps {
                sh '''
                    python3 -m pip install sslyze
                    # sh fails the stage on a non-zero exit, which --mozilla_config
                    # returns when the server does not meet the intermediate profile
                    sslyze --mozilla_config intermediate --json_out sslyze_results.json example.com
                '''
            }
        }
        stage('Parse Results') {
            steps {
                sh '''
                    jq -e '[.server_scan_results[] |
                            (.scan_status != "COMPLETED"),
                            (.scan_result.heartbleed.result.is_vulnerable_to_heartbleed // false),
                            (.scan_result.openssl_ccs_injection.result.is_vulnerable_to_ccs_injection // false),
                            (.scan_result.tls_compression.result.supports_compression // false)]
                           | any | not' sslyze_results.json
                '''
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: 'sslyze_results.json', allowEmptyArchive: true
        }
    }
}
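Grepping the report for a literal "VULNERABLE" string is not a usable gate: SSLyze stores findings as booleans and enum values, not as that word. The script below is an added example written for this page, not part of SSLyze or any of the pipelines above. It applies a policy to an SSLyze 5.x JSON report (the file the pipelines write with --json_out) and exits non-zero on findings, so it can stand in for the jq one-liners where jq is unavailable or the policy outgrows them, and it doubles as a way to post-process the JSON described under Parse JSON Results. Field names follow the 5.x JSON layout; confirm them against a real report with jq before relying on the script. The expiry threshold, the chosen checks and the constructed sample report are this example's own.

```python
"""Gate a CI job on an SSLyze 5.x JSON report. Added example for this page, not SSLyze code:
the checks and thresholds are this example's policy. Usage: python sslyze_gate.py results.json"""
import json
import sys
from datetime import datetime, timedelta, timezone

LEGACY_PROTOCOLS = ("ssl_2_0", "ssl_3_0", "tls_1_0", "tls_1_1")
# (scan command, result field, finding text) for flags where true means a problem
BOOLEAN_FLAGS = (
    ("heartbleed", "is_vulnerable_to_heartbleed", "vulnerable to Heartbleed"),
    ("openssl_ccs_injection", "is_vulnerable_to_ccs_injection", "vulnerable to OpenSSL CCS injection"),
    ("tls_compression", "supports_compression", "TLS compression enabled (CRIME)"),
    ("session_renegotiation", "is_vulnerable_to_client_renegotiation_dos", "client-initiated renegotiation allowed"),
)
MIN_CERT_DAYS_LEFT = 14  # policy choice for this example
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the constructed sample


def _result(scan_result, command):
    """Result dict of one scan command, or None if it errored or was not scheduled."""
    attempt = scan_result.get(command) or {}
    return attempt.get("result") if attempt.get("status") == "COMPLETED" else None


def _parse_ts(value):
    """SSLyze serialises certificate dates as ISO 8601; treat naive values as UTC."""
    ts = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def evaluate_server(server, now):
    """Return a list of findings (strings) for one entry of server_scan_results."""
    loc = server["server_location"]
    target = f"{loc['hostname']}:{loc['port']}"
    if server.get("scan_status") != "COMPLETED":  # e.g. ERROR_NO_CONNECTIVITY
        return [f"{target}: scan did not complete ({server.get('scan_status')})"]
    sr, findings = server["scan_result"], []
    for proto in LEGACY_PROTOCOLS:
        r = _result(sr, f"{proto}_cipher_suites")
        if r and r.get("is_tls_version_supported"):
            findings.append(f"{target}: legacy protocol {proto} enabled")
    r = _result(sr, "tls_1_2_cipher_suites")
    for suite in (r or {}).get("accepted_cipher_suites", []):
        if suite.get("ephemeral_key") is None:  # static RSA/DH key exchange: no forward secrecy
            findings.append(f"{target}: no forward secrecy for {suite['cipher_suite']['name']}")
    for command, field, text in BOOLEAN_FLAGS:
        r = _result(sr, command)
        if r and r.get(field):
            findings.append(f"{target}: {text}")
    r = _result(sr, "robot")
    if r and str(r.get("robot_result", "")).startswith("VULNERABLE"):
        findings.append(f"{target}: ROBOT oracle present ({r['robot_result']})")
    r = _result(sr, "certificate_info")
    for dep in (r or {}).get("certificate_deployments", []):
        if not any(p.get("was_validation_successful") for p in dep.get("path_validation_results", [])):
            findings.append(f"{target}: certificate chain not trusted by any trust store")
        if not dep.get("leaf_certificate_subject_matches_hostname", True):
            findings.append(f"{target}: certificate does not match hostname")
        chain = dep.get("received_certificate_chain") or []  # index 0 is the leaf
        if chain and chain[0].get("not_valid_after"):
            days_left = (_parse_ts(chain[0]["not_valid_after"]) - now).days
            if days_left < MIN_CERT_DAYS_LEFT:
                findings.append(f"{target}: leaf certificate expires in {days_left} days")
    return findings


def evaluate_report(report, now=None):
    """Findings across every server in an SSLyze JSON report."""
    now = now or datetime.now(timezone.utc)
    return [f for s in report.get("server_scan_results", []) for f in evaluate_server(s, now)]


def build_sample_report(now=SAMPLE_NOW):
    """Constructed, trimmed-down report in the 5.x layout (not real scan output)."""
    def attempt(result):
        return {"status": "COMPLETED", "error_reason": None, "error_trace": None, "result": result}
    def cert_info(days_left, trusted):
        return attempt({"certificate_deployments": [{
            "received_certificate_chain": [{"not_valid_after": (now + timedelta(days=days_left)).isoformat()}],
            "leaf_certificate_subject_matches_hostname": True,
            "path_validation_results": [{"was_validation_successful": trusted}]}]})
    def server(host, status, **commands):
        return {"server_location": {"hostname": host, "port": 443}, "scan_status": status,
                "scan_result": commands or None}
    return {"server_scan_results": [
        server("good.example", "COMPLETED", heartbleed=attempt({"is_vulnerable_to_heartbleed": False}),
               tls_1_0_cipher_suites=attempt({"is_tls_version_supported": False}),
               robot=attempt({"robot_result": "NOT_VULNERABLE_NO_ORACLE"}), certificate_info=cert_info(90, True)),
        server("bad.example", "COMPLETED", heartbleed=attempt({"is_vulnerable_to_heartbleed": True}),
               tls_1_0_cipher_suites=attempt({"is_tls_version_supported": True}),
               tls_1_2_cipher_suites=attempt({"accepted_cipher_suites": [
                   {"cipher_suite": {"name": "TLS_RSA_WITH_AES_128_CBC_SHA"}, "ephemeral_key": None},
                   {"cipher_suite": {"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}, "ephemeral_key": {"size": 256}}]}),
               robot={"status": "ERROR", "error_reason": "CONNECTIVITY_ISSUE", "error_trace": None, "result": None},
               certificate_info=cert_info(5, False)),
        server("down.example", "ERROR_NO_CONNECTIVITY")]}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "results.json"
    with open(path) as fh:
        problems = evaluate_report(json.load(fh))
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Two design points: a scan command whose status is ERROR (the robot entry in the sample) is skipped rather than treated as a pass, so an unreachable or flaky check does not silently turn green, and the unreachable server is itself a finding because a gate that passes when nothing was scanned is worse than none. Run it as python sslyze_gate.py results.json after the sslyze step; with the sample report it reports six findings (legacy TLS 1.0, a non-forward-secret suite, Heartbleed, an untrusted chain, a certificate expiring in 5 days, and the unreachable host).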
Compliance Checks
Mozilla TLS Profiles
sslyze --mozilla_config intermediate example.com
sslyze --mozilla_config modern example.com
SSLyze 5.x checks each server against one of the Mozilla Server Side TLS profiles (old, intermediate or modern; disable turns the check off, and intermediate is the default). The check covers protocol versions, cipher suites, key exchange, certificate type and validity, prints a compliant / not compliant verdict per server with the failing criteria, and makes the command exit non-zero when any server fails. intermediate (TLS 1.2 and 1.3 with forward-secret AEAD suites) is a sensible baseline for the regulatory checks below; modern is TLS 1.3 only.
PCI DSS Compliance
sslyze --mozilla_config intermediate --certinfo --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 --heartbleed --openssl_ccs --robot --reneg example.com
Key checks:
- SSLv2, SSLv3, TLS 1.0 and TLS 1.1 all reported as not supported (PCI DSS disallows SSL and early TLS)
- TLS 1.2 (or 1.3) offered with strong suites only: no NULL, export, RC4, DES/3DES or anonymous suites, and preferably ECDHE/DHE key exchange for forward secrecy
- Secure renegotiation supported and client-initiated renegotiation rejected
- No Heartbleed, CCS injection or ROBOT findings
- Certificate chain trusted (path_validation_results) and matching the hostname
HIPAA Compliance
sslyze --mozilla_config intermediate --certinfo --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 --compression example.com
HIPAA itself names no TLS versions; HHS guidance points to NIST SP 800-52, whose requirements SSLyze can verify:
- Valid, trusted certificate chain that matches the hostname
- TLS 1.2 minimum, with TLS 1.0 and 1.1 disabled
- No TLS compression
- Strong cipher suites only (AES-GCM or ChaCha20-Poly1305 with forward secrecy)
OWASP Top 10 (A02:2021 Cryptographic Failures)
sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --tlsv1_3 --heartbleed --robot --fallback example.com
Covers the transport-layer side of the cryptographic-failures category: deprecated protocols, weak suites, missing downgrade protection (TLS_FALLBACK_SCSV) and known TLS implementation bugs.
Batch Scanning
Scan Multiple Hosts from File
sslyze --targets_in hosts.txt --json_out results.json
hosts.txt holds one target per line, as host, host:port or [ipv6]:port. SSLyze scans the targets concurrently itself and writes every result into the one JSON file under server_scan_results; targets that could not be parsed or resolved are listed separately (invalid_server_strings). The xargs form cat hosts.txt | xargs -I {} sslyze --json_out=- {} > {}_results.json does not work: the redirect is applied once by the shell, to a file literally named {}_results.json.
Batch Script with Error Handling
#!/bin/bash
# One JSON file per host; stderr goes to a log, never into the JSON
mkdir -p results
while IFS= read -r host; do
  [ -z "$host" ] && continue
  echo "Scanning $host..."
  if ! sslyze --json_out "results/${host//:/_}.json" "$host" >>scan.log 2>&1; then
    echo "Problem with $host (see scan.log)" >>errors.log
  fi
done < hosts.txt
A non-zero exit here can also mean the host failed the default Mozilla intermediate check rather than that the scan broke; add --mozilla_config disable if you only want the exit status to reflect scan errors, and read scan_status in the JSON for unreachable hosts.
Parallel Scanning
parallel -j 4 'sslyze --json_out {}.json {}' :::: hosts.txt
GNU parallel runs one sslyze process per target. Each process already opens many connections to its server, so keep -j low; --targets_in in a single process is usually both faster and gentler on the network.
Tool Comparison
| Feature | SSLyze | SSLScan | Testssl.sh |
|---|---|---|---|
| Language | Python (nassl/OpenSSL bindings) | C (OpenSSL) | Bash (OpenSSL) |
| Speed | Very fast (concurrent connections) | Medium | Slower (sequential) |
| JSON Output | Yes (--json_out) | No (XML via --xml=) | Yes (--jsonfile) |
| Python API | Yes | No | No |
| STARTTLS Support | Yes (--starttls) | Yes | Yes |
| Custom Cipher Lists | No (tests every suite per protocol version) | Yes | Yes |
| Update Frequency | Active | Less active | Very active |
| Documentation | Good | Good | Excellent |
| CI/CD Integration | Excellent (JSON, non-zero exit on Mozilla non-compliance) | Good | Good |
| Resource Usage | Low | Medium | Medium |
| Cross-Platform | Yes | Yes | Yes (needs bash and an OpenSSL binary) |
Choose SSLyze for fast automated scanning, CI/CD integration, JSON parsing and Python automation.
Choose SSLScan for simple CLI scanning with minimal dependencies.
Choose Testssl.sh for the most comprehensive checks, edge-case coverage and detailed reporting.
Common Use Cases
Quick Vulnerability Check
sslyze --heartbleed --robot --openssl_ccs example.com
Export for Reporting
sslyze --json_out=- --certinfo example.com | jq '.' > report.json
Monitor Certificate Expiration
sslyze --json_out=- --certinfo example.com | \
  jq -r '.server_scan_results[].scan_result.certificate_info.result.certificate_deployments[].received_certificate_chain[0].not_valid_after'
received_certificate_chain[0] is the leaf certificate; the text report prints the same value on its "Not After:" line.
Verify TLS 1.3 Support
sslyze --json_out=- --tlsv1_3 example.com | jq '.server_scan_results[].scan_result.tls_1_3_cipher_suites.result.is_tls_version_supported'
Check OCSP Stapling
sslyze --json_out=- --certinfo example.com | \
  jq '.server_scan_results[].scan_result.certificate_info.result.certificate_deployments[] | {stapled: (.ocsp_response != null), trusted: .ocsp_response_is_trusted}'
Audit Cipher Strength
sslyze --json_out=- --tlsv1_2 example.com | \
  jq -r '.server_scan_results[].scan_result.tls_1_2_cipher_suites.result.accepted_cipher_suites[] | select(.ephemeral_key == null or .cipher_suite.key_size < 128) | .cipher_suite.name'
SSLyze does not grade suites, so the filter encodes the policy: it lists TLS 1.2 suites the server accepted without an ephemeral (forward-secret) key exchange or with a symmetric key shorter than 128 bits.
Tips and Tricks
Quiet Mode for Pipelines
sslyze --quiet --json_out results.json example.com
--quiet suppresses the text report. Failures are still recorded in the JSON (connectivity_status per target, status and error_reason per scan command), which is better than discarding stderr with 2>/dev/null and losing the reason a check did not run.
Output to Syslog
sslyze example.com 2>&1 | logger -t sslyze
Store Results with Metadata
sslyze --json_out=- example.com | \
  jq --arg env "production" --arg runner "$(hostname)" \
  '. + {scan_env: $env, scan_runner: $runner}' > scan.json
The report already carries date_scans_started, date_scans_completed and sslyze_version, so only add what SSLyze cannot know, such as the environment or runner that produced the scan.
Create Scan Report
sslyze --json_out=- --certinfo --tlsv1_2 --tlsv1_3 example.com | \
  jq '.server_scan_results[] | {host: .server_location.hostname,
       tls12: .scan_result.tls_1_2_cipher_suites.result.is_tls_version_supported,
       tls13: .scan_result.tls_1_3_cipher_suites.result.is_tls_version_supported,
       cert_expires: .scan_result.certificate_info.result.certificate_deployments[0].received_certificate_chain[0].not_valid_after}' \
  > host_report.json
Continuous Compliance Monitoring
#!/bin/bash
hosts=("example.com" "api.example.com" "cdn.example.com")
mkdir -p /var/log/ssl-scans
for host in "${hosts[@]}"; do
  # exit status is non-zero when the host fails the Mozilla intermediate profile or could not be scanned
  sslyze --quiet --mozilla_config intermediate --json_out "/var/log/ssl-scans/${host}_$(date +%Y%m%d).json" "$host" \
    || echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $host failed" >> /var/log/ssl-scans/failures.log
done
Performance Optimization
Concurrency
sslyze --slow_connection example.com
SSLyze already runs all scan commands for a target concurrently and scans several targets in parallel; there is no --max_workers flag, and the only CLI knob works in the other direction: --slow_connection reduces concurrent connections for servers that rate-limit or drop them. In the Python API, Scanner(per_server_concurrent_connections_limit=..., concurrent_server_scans_limit=...) sets both limits explicitly.
IPv4 versus IPv6
sslyze 203.0.113.10:443
sslyze "[2001:db8::1]:443"
There is no --no-ipv6 flag. SSLyze resolves a hostname once and prefers its IPv4 address when both exist; to force an address family, scan the address itself (both addresses above are documentation ranges) or pass ip_address= to ServerNetworkLocation in the API.
Skip Specific Tests
sslyze --tlsv1_2 --tlsv1_3 --certinfo example.com
Only the scan commands named on the command line run, so listing just the ones you need is the main speed-up: the six protocol-version commands and --robot are typically the slowest, since they open one connection per cipher suite or probe. --mozilla_config disable also skips the compliance check.
Security Considerations
- Rate Limiting: SSLyze does not throttle itself; it opens many concurrent connections per target, which IDS/WAF rules and load balancers may treat as an attack. Use --slow_connection (or the Scanner concurrency limits in the API) when scans time out or the target starts dropping connections.
- Network Impact: a full scan performs hundreds of TLS handshakes (one per cipher suite per protocol version, plus the vulnerability probes); schedule batch scans and keep GNU parallel job counts low.
- Log Sensitive Data: the JSON contains the full certificate chain in PEM form, hostnames and IP addresses and, with --http_headers, server response headers; treat reports as internal and restrict who can download CI artifacts.
- Updates: SSLyze's checks are implemented in code, not downloaded as signatures. Keep the package current (pip install -U sslyze) for new checks and an updated nassl/OpenSSL, and run --update_trust_stores to refresh the bundled root CA stores used by --certinfo.
- Scanning Permissions: obtain written authorization before scanning systems you do not own; the ROBOT and renegotiation probes in particular produce traffic that looks like an attack in the target's logs.