Home
Supported platforms are Windows 7, Linux and OS X Mountain Lion, in both 32-bit and 64-bit variants. SSLyze requires Python 2.6 or 2.7 and OpenSSL 0.9.8+.
Linux and OS X Mountain Lion users should download the source package available in the Downloads section of the project.
For Windows, specific packages that include the OpenSSL DLLs are available in the Downloads section of the project. There is one package for 32-bit Python and one for 64-bit Python.
Other platforms are not officially supported yet, but SSLyze might work anyway.
The following command line should be used:

    $ python sslyze.py [options] www.target1.com www.target2.com:443

Several command line options are available, detailed below.

    $ python sslyze.py --regular www.target1.com

This is what you'll want to use most of the time. It performs a regular HTTP scan and is a shortcut for:

    --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --compression --reneg --resum --certinfo=basic --hide_rejected_ciphers --http_get

If `--regular` is too intense for the server, try running each command separately.
- `--xml_out=XML_FILE`: Writes the scan results as an XML document to the file XML_FILE.
- `--targets_in=TARGETS_IN`: Reads the list of targets to scan from the text file TARGETS_IN. It should contain one host:port per line.
- `--https_tunnel=HTTPS_TUNNEL`: Sets an HTTP CONNECT proxy to tunnel SSL traffic to the target server(s). HTTPS_TUNNEL should be host:port. Requires Python 2.7.
- `--timeout=TIMEOUT`: Sets the timeout value in seconds used for every socket connection made to the target server(s). The default value is 5s, but it should be increased if the network is slow.
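The page advises running the checks that `--regular` bundles one at a time when the combined scan is too intense for the server. The following POSIX sh script is an added example (not part of SSLyze itself) that validates a `--targets_in` file (one host:port per line) and then runs each of those checks separately, writing one XML file per check; the `SSLYZE_CMD` variable and the skipping of blank and `#` lines are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SSLyze project code. Assumes sslyze.py is in the
# current directory; SSLYZE_CMD (assumed name) lets the caller override it.
SSLYZE_CMD="${SSLYZE_CMD:-python sslyze.py}"

# The checks that --regular expands to (from the page), minus
# --hide_rejected_ciphers, which only affects output and is passed every time.
REGULAR_CHECKS="--sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 --compression --reneg --resum --certinfo=basic --http_get"

# Validate a --targets_in file: one host:port per line, port 1-65535.
# Blank lines and lines starting with '#' are skipped (assumed convenience;
# hostnames only, IPv6 literals with colons are not handled).
# Returns 0 if every line is valid, 1 otherwise; bad lines go to stderr.
validate_targets() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        host="${line%%:*}"
        port="${line##*:}"
        if [ "$host" = "$line" ] || [ -z "$host" ] \
           || ! echo "$port" | grep -Eq '^[0-9]+$' \
           || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad target line: $line" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Run each --regular sub-check on its own against the targets file, with a
# longer timeout than the 5s default, writing <outdir>/<check>.xml per check.
# Usage: split_regular_scan targets.txt outdir
split_regular_scan() {
    targets="$1"; outdir="$2"
    validate_targets "$targets" || return 1
    mkdir -p "$outdir" || return 1
    for check in $REGULAR_CHECKS; do
        # --certinfo=basic becomes certinfo_basic.xml
        name=$(echo "$check" | sed 's/^--//; s/=/_/')
        $SSLYZE_CMD --timeout=10 --hide_rejected_ciphers "$check" \
            --targets_in="$targets" --xml_out="$outdir/$name.xml" || return 1
    done
}
```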
- `--sslv2 --sslv3 --tlsv1`: Lists the SSL 2.0, SSL 3.0 and TLS 1.0 OpenSSL cipher suites supported by the server.
- `--tlsv1_1 --tlsv1_2`: Lists the TLS 1.1 and TLS 1.2 OpenSSL cipher suites supported by the server. Requires OpenSSL 1.0.1 or later.
- `--http_get`: For each cipher suite, sends an HTTP GET request after completing the SSL handshake and returns the HTTP status code.
- `--hide_rejected_ciphers`: Hides the (usually long) list of cipher suites that were rejected by the server.
- `--reneg`: Checks whether the server is vulnerable to insecure renegotiation. Requires OpenSSL 0.9.8m or later.
- `--resum`: Tests the server for session resumption support, using both session IDs and TLS session tickets (RFC 5077).
- `--resum_rate`: Estimates the average rate of successful session resumptions by performing 100 ID-based session resumptions.
- `--certinfo=basic`: Verifies the server's certificate validity against Mozilla's trusted root store, and prints relevant fields of the certificate.
- `--certinfo=full`: Verifies the server's certificate validity against Mozilla's trusted root store, and prints the full certificate.
- `--starttls=STARTTLS`: Identifies the target server(s) as SMTP or XMPP server(s) and scans them using StartTLS. STARTTLS should be `smtp` or `xmpp`.
- `--xmpp_to=XMPP_TO`: Optional setting for StartTLS XMPP. XMPP_TO should be the hostname to be put in the 'to' attribute of the XMPP stream. Default is the server's hostname.
Configures SSLyze to use a client certificate in case the server performs mutual authentication. The following options are required:

- `--cert=CERT`: Client certificate filename.
- `--certform=CERTFORM`: Client certificate format. DER or PEM (default).
- `--key=KEY`: Client private key filename.
- `--keyform=KEYFORM`: Client private key format. DER or PEM (default).
- `--pass=KEYPASS`: Client private key passphrase.