SSLyze

Description

SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. SSLyze is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers.

Key features include:

  • Multi-processed and multi-threaded scanning (SSLyze is fast)

  • SSL 2.0/3.0 and TLS 1.0/1.1/1.2 compatibility

  • Performance testing: session resumption and TLS tickets support

  • Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more

  • Server certificate validation and revocation checking through OCSP stapling

  • Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP and FTP

  • Support for client certificates when scanning servers that perform mutual authentication

  • XML output to further process the scan results

  • And much more!

Usage

SSLyze

Syntax

sslyze [options] target1.com target2.com:443 etc…

Options


  --version             show program's version number and exit
  -h, --help            show this help message and exit
  --xml_out=XML_FILE    Writes the scan results as an XML document to the file
                        XML_FILE.
  --targets_in=TARGETS_IN
                        Reads the list of targets to scan from the file
                        TARGETS_IN. It should contain one host:port per line.
  --timeout=TIMEOUT     Sets the timeout value in seconds used for every
                        socket connection made to the target server(s).
                        Default is 5s.
  --https_tunnel=HTTPS_TUNNEL
                        Sets an HTTP CONNECT proxy to tunnel SSL traffic to
                        the target server(s). HTTPS_TUNNEL should be
                        'host:port'. Requires Python 2.7
  --starttls=STARTTLS   Identifies the target server(s) as a SMTP or an XMPP
                        server(s) and scans the server(s) using STARTTLS.
                        STARTTLS should be 'smtp' or 'xmpp'.
  --xmpp_to=XMPP_TO     Optional setting for STARTTLS XMPP.  XMPP_TO should be
                        the hostname to be put in the 'to' attribute of the
                        XMPP stream. Default is the server's hostname.
  --regular             Regular HTTPS scan; shortcut for --sslv2 --sslv3
                        --tlsv1 --reneg --resum --certinfo --http_get
                        --hide_rejected_ciphers --compression --tlsv1_1
                        --tlsv1_2

  Client certificate support:
    --cert=CERT         Client certificate filename.
    --certform=CERTFORM
                        Client certificate format. DER or PEM (default).
    --key=KEY           Client private key filename.
    --keyform=KEYFORM   Client private key format. DER or PEM (default).
    --pass=KEYPASS      Client private key passphrase.

  PluginOpenSSLCipherSuites:
    Scans the target server for supported OpenSSL cipher suites.

    --sslv2             Lists the SSL 2.0 OpenSSL cipher suites supported by
                        the server.
    --sslv3             Lists the SSL 3.0 OpenSSL cipher suites supported by
                        the server.
    --tlsv1             Lists the TLS 1.0 OpenSSL cipher suites supported by
                        the server.
    --tlsv1_1           Lists the TLS 1.1 OpenSSL cipher suites supported by
                        the server.
    --tlsv1_2           Lists the TLS 1.2 OpenSSL cipher suites supported by
                        the server.
    --http_get          Option - For each cipher suite, sends an HTTP GET
                        request after completing the SSL handshake and returns
                        the HTTP status code.
    --hide_rejected_ciphers
                        Option - Hides the (usually long) list of cipher
                        suites that were rejected by the server.

  PluginSessionResumption:
    Analyzes the target server's SSL session resumption capabilities.

    --resum             Tests the server for session resumption support,
                        using session IDs and TLS session tickets (RFC 5077).
    --resum_rate        Performs 100 session resumptions with the target
                        server, in order to estimate the session resumption
                        rate.

  PluginCompression:
    --compression       Tests the server for Zlib compression support.

  PluginCertInfo:
    --certinfo=CERTINFO
                        Verifies the target server's certificate validity
                        against Mozilla's trusted root store, and prints
                        relevant fields of the certificate. CERTINFO should be
                        'basic' or 'full'.

  PluginSessionRenegotiation:
    --reneg             Tests the target server's support for client-initiated
                        renegotiations and secure renegotiations.

Example

cyborg@cyborg:~$ sudo sslyze --regular www.example.com
[sudo] password for cyborg: 



 REGISTERING AVAILABLE PLUGINS
 -----------------------------

  PluginOpenSSLCipherSuites
  PluginSessionResumption
  PluginCompression
  PluginCertInfo
  PluginSessionRenegotiation



 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   www.example.com:443                 => 93.184.216.34:443



 SCAN RESULTS FOR WWW.EXAMPLE.COM:443 - 93.184.216.34:443
 --------------------------------------------------------

  * Session Renegotiation :
      Client-initiated Renegotiations:    Rejected
      Secure Renegotiation:               Supported

  * Certificate :
      Validation w/ Mozilla's CA Store:  Certificate is Trusted             
      Hostname Validation:               OK - Subject Alternative Name Matches
      SHA1 Fingerprint:                  ECAD27F669AEC4FA952F6E584A74D59C8D8A125F

      Common Name:                       www.example.org                    
      Issuer:                            /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
      Serial Number:                     0411DE8F53B462F6A5A861B712EC6B59   
      Not Before:                        Nov  6 00:00:00 2014 GMT           
      Not After:                         Nov 13 12:00:00 2015 GMT           
      Signature Algorithm:               sha256WithRSAEncryption            
      Key Size:                          2048                               
      X509v3 Subject Alternative Name:   DNS:www.example.org, DNS:example.com, DNS:example.edu, DNS:example.net, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net

  * Session Resumption :
      With Session IDs:           Not supported (0 successful, 5 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:   Not Supported - TLS ticket assigned but not accepted.


  * SSLV3 Cipher Suites :

      Rejected Cipher Suite(s): Hidden 

      Preferred Cipher Suite: None     

      Accepted Cipher Suite(s): None   

      Unknown Errors: None             

  * TLSV1_1 Cipher Suites :

      Rejected Cipher Suite(s): Hidden 

      Preferred Cipher Suite:          
        ECDHE-RSA-RC4-SHA        128 bits      HTTP 200 OK                        

      Accepted Cipher Suite(s):        
        ECDHE-RSA-AES256-SHA     256 bits      HTTP 200 OK                        
        CAMELLIA256-SHA          256 bits      HTTP 200 OK                        
        AES256-SHA               256 bits      HTTP 200 OK                        
        ECDHE-RSA-DES-CBC3-SHA   168 bits      HTTP 200 OK                        
        DES-CBC3-SHA             168 bits      HTTP 200 OK                        
        SEED-SHA                 128 bits      HTTP 200 OK                        
        RC4-SHA                  128 bits      HTTP 200 OK                        
        RC4-MD5                  128 bits      HTTP 200 OK                        
        ECDHE-RSA-RC4-SHA        128 bits      HTTP 200 OK                        
        ECDHE-RSA-AES128-SHA     128 bits      HTTP 200 OK                        
        CAMELLIA128-SHA          128 bits      HTTP 200 OK                        
        AES128-SHA               128 bits      HTTP 200 OK                        

      Unknown Errors: None             

  * TLSV1 Cipher Suites :

      Rejected Cipher Suite(s): Hidden 

      Preferred Cipher Suite:          
        ECDHE-RSA-RC4-SHA        128 bits      HTTP 200 OK                        

      Accepted Cipher Suite(s):        
        ECDHE-RSA-AES256-SHA     256 bits      HTTP 200 OK                        
        CAMELLIA256-SHA          256 bits      HTTP 200 OK                        
        AES256-SHA               256 bits      HTTP 200 OK                        
        ECDHE-RSA-DES-CBC3-SHA   168 bits      HTTP 200 OK                        
        DES-CBC3-SHA             168 bits      HTTP 200 OK                        
        SEED-SHA                 128 bits      HTTP 200 OK                        
        RC4-SHA                  128 bits      HTTP 200 OK                        
        RC4-MD5                  128 bits      HTTP 200 OK                        
        ECDHE-RSA-RC4-SHA        128 bits      HTTP 200 OK                        
        ECDHE-RSA-AES128-SHA     128 bits      HTTP 200 OK                        
        CAMELLIA128-SHA          128 bits      HTTP 200 OK                        
        AES128-SHA               128 bits      HTTP 200 OK                        

      Unknown Errors: None             

  * TLSV1_2 Cipher Suites :

      Rejected Cipher Suite(s): Hidden 

      Preferred Cipher Suite:          
        ECDHE-RSA-AES128-GCM-SHA256128 bits      HTTP 200 OK                        

      Accepted Cipher Suite(s):        
        ECDHE-RSA-AES256-SHA     256 bits      HTTP 200 OK                        
        CAMELLIA256-SHA          256 bits      HTTP 200 OK                        
        AES256-SHA               256 bits      HTTP 200 OK                        
        ECDHE-RSA-DES-CBC3-SHA   168 bits      HTTP 200 OK                        
        DES-CBC3-SHA             168 bits      HTTP 200 OK                        
        SEED-SHA                 128 bits      HTTP 200 OK                        
        RC4-SHA                  128 bits      HTTP 200 OK                        
        RC4-MD5                  128 bits      HTTP 200 OK                        
        ECDHE-RSA-RC4-SHA        128 bits      HTTP 200 OK                        
        ECDHE-RSA-AES128-SHA256  128 bits      HTTP 200 OK                        
        ECDHE-RSA-AES128-SHA     128 bits      HTTP 200 OK                        
        ECDHE-RSA-AES128-GCM-SHA256128 bits      HTTP 200 OK                        
        CAMELLIA128-SHA          128 bits      HTTP 200 OK                        
        AES128-SHA               128 bits      HTTP 200 OK                        
        AES128-GCM-SHA256        128 bits      HTTP 200 OK                        

      Unknown Errors:                  
        SRP-AES-128-CBC-SHA             socket.timeout - timed out         
        DHE-RSA-AES128-SHA              socket.timeout - timed out         
        DHE-DSS-AES128-GCM-SHA256       socket.timeout - timed out         



 SCAN COMPLETED IN 12.27 S
 -------------------------
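The scan above accepts RC4, 3DES and non-ephemeral suites; the following Python 3.8+ script is an added example (not part of this page or of the SSLyze project) that parses the per-protocol cipher-suite sections of SSLyze's text output, copes with the long suite name that ran into the "bits" column, and flags what a defender should remove from the server configuration. The excerpt it runs on is constructed from the output shown above.

```python
import re

# Constructed excerpt of the sslyze --regular output shown on this page (trimmed).
SAMPLE_OUTPUT = """\
  * SSLV3 Cipher Suites :
      Accepted Cipher Suite(s): None
  * TLSV1 Cipher Suites :
      Preferred Cipher Suite:
        ECDHE-RSA-RC4-SHA        128 bits      HTTP 200 OK
      Accepted Cipher Suite(s):
        ECDHE-RSA-AES256-SHA     256 bits      HTTP 200 OK
        DES-CBC3-SHA             168 bits      HTTP 200 OK
        RC4-MD5                  128 bits      HTTP 200 OK
  * TLSV1_2 Cipher Suites :
      Preferred Cipher Suite:
        ECDHE-RSA-AES128-GCM-SHA256128 bits      HTTP 200 OK
      Accepted Cipher Suite(s):
        AES128-GCM-SHA256        128 bits      HTTP 200 OK
      Unknown Errors:
        DHE-RSA-AES128-SHA              socket.timeout - timed out
"""

PROTO_RE = re.compile(r"^\s*\* (\S+) Cipher Suites")
# Bounding the key size to 2-3 digits keeps "...GCM-SHA256128 bits" (a long name
# that ran into the bits column in the output above) parsable as SHA256 / 128.
SUITE_RE = re.compile(r"^\s+([A-Z0-9-]+?)\s*(\d{2,3}) bits")

def parse_cipher_suites(text):
    """Return {protocol: {suite: key_bits}} for every suite the server accepted."""
    suites, proto = {}, None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
            suites.setdefault(proto, {})
        elif proto and (m := SUITE_RE.match(line)):  # "Unknown Errors" rows never match
            suites[proto][m.group(1)] = int(m.group(2))
    return suites

# (predicate over protocol, suite name, key bits) -> reason a defender should act on it
CHECKS = (
    (lambda p, n, b: p in ("SSLV2", "SSLV3"), "obsolete protocol version"),
    (lambda p, n, b: "RC4" in n, "RC4 stream cipher"),
    (lambda p, n, b: "DES" in n, "DES/3DES block cipher"),
    (lambda p, n, b: "MD5" in n, "MD5-based MAC"),
    (lambda p, n, b: not n.startswith(("ECDHE-", "DHE-")), "no forward secrecy"),
    (lambda p, n, b: b < 128, "key size below 128 bits"),
)

def audit(suites):
    # One (protocol, suite, reason) triple per failed check, in output order.
    return [(p, n, why) for p, acc in suites.items() for n, b in acc.items()
            for check, why in CHECKS if check(p, n, b)]
```

Run it against the saved output of a real scan by replacing `SAMPLE_OUTPUT` with the file contents; an empty result from `audit` means no accepted suite tripped any check.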



©2017 Ztrela Knowledge Solutions Pvt. Ltd