Tool Documentation:

sslyze Usage Example

Launch a regular scan type (–regular) against the target host (www.example.com):

root@kali:~# sslyze --regular www.example.com

 REGISTERING AVAILABLE PLUGINS
 -----------------------------

  PluginCompression
  PluginCertInfo
  PluginSessionResumption
  PluginSessionRenegotiation
  PluginOpenSSLCipherSuites



 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   www.example.com:443                 => 93.184.216.119:443



 SCAN RESULTS FOR WWW.EXAMPLE.COM:443 - 93.184.216.119:443
 ---------------------------------------------------------

  * Compression :
        Compression Support:      Disabled

  * Certificate :
      Validation w/ Mozilla's CA Store:  Certificate is Trusted


Packages and Binaries:

sslyze

SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers.

Installed size: 2.18 MB
How to install: sudo apt install sslyze

Dependencies:
  • libjs-sphinxdoc
  • python3
  • python3-cryptography
  • python3-nassl
  • python3-pkg-resources
  • python3-pydantic
  • python3-tls-parser
  • python3-typing-extensions
sslyze
root@kali:~# sslyze -h
usage: sslyze [-h] [--update_trust_stores] [--cert CERTIFICATE_FILE]
              [--key KEY_FILE] [--keyform KEY_FORMAT] [--pass PASSPHRASE]
              [--json_out JSON_FILE] [--targets_in TARGET_FILE] [--quiet]
              [--slow_connection] [--https_tunnel PROXY_SETTINGS]
              [--starttls PROTOCOL] [--xmpp_to HOSTNAME]
              [--sni SERVER_NAME_INDICATION] [--tlsv1] [--heartbleed]
              [--fallback] [--certinfo] [--certinfo_ca_file CERTINFO_CA_FILE]
              [--tlsv1_2] [--http_headers] [--compression] [--early_data]
              [--tlsv1_1] [--openssl_ccs] [--reneg] [--elliptic_curves]
              [--sslv3] [--resum] [--resum_attempts RESUM_ATTEMPTS]
              [--tlsv1_3] [--sslv2] [--robot]
              [--mozilla_config {modern,intermediate,old,disable}]
              [target ...]

SSLyze version 6.0.0

positional arguments:
  target                The list of servers to scan.

options:
  -h, --help            show this help message and exit
  --mozilla_config {modern,intermediate,old,disable}
                        Shortcut to queue various scan commands needed to
                        check the server's TLS configurations against one of
                        Mozilla's recommended TLS configuration. Set to
                        "intermediate" by default. Use "disable" to disable
                        this check.

Trust stores options:
  --update_trust_stores
                        Update the default trust stores used by SSLyze. The
                        latest stores will be downloaded from https://github.c
                        om/nabla-c0d3/trust_stores_observatory. This option is
                        meant to be used separately, and will silence any
                        other command line option supplied to SSLyze.

Client certificate options:
  --cert CERTIFICATE_FILE
                        Client certificate chain filename. The certificates
                        must be in PEM format and must be sorted starting with
                        the subject's client certificate, followed by
                        intermediate CA certificates if applicable.
  --key KEY_FILE        Client private key filename.
  --keyform KEY_FORMAT  Client private key format. DER or PEM (default).
  --pass PASSPHRASE     Client private key passphrase.

Input and output options:
  --json_out JSON_FILE  Write the scan results as a JSON document to the file
                        JSON_FILE. If JSON_FILE is set to '-', the JSON output
                        will instead be printed to stdout. The resulting JSON
                        file is a serialized version of the ScanResult objects
                        described in SSLyze's Python API: the nodes and
                        attributes will be the same. See https://nabla-
                        c0d3.github.io/sslyze/documentation/available-scan-
                        commands.html for more details.
  --targets_in TARGET_FILE
                        Read the list of targets to scan from the file
                        TARGET_FILE. It should contain one host:port per line.
  --quiet               Do not output anything to stdout; useful when using
                        --json_out.

Contectivity options:
  --slow_connection     Greatly reduce the number of concurrent connections
                        initiated by SSLyze. This will make the scans slower
                        but more reliable if the connection between your host
                        and the server is slow, or if the server cannot handle
                        many concurrent connections. Enable this option if you
                        are getting a lot of timeouts or errors.
  --https_tunnel PROXY_SETTINGS
                        Tunnel all traffic to the target server(s) through an
                        HTTP CONNECT proxy. HTTP_TUNNEL should be the proxy's
                        URL: 'http://USER:PW@HOST:PORT/'. For proxies
                        requiring authentication, only Basic Authentication is
                        supported.
  --starttls PROTOCOL   Perform a StartTLS handshake when connecting to the
                        target server(s). StartTLS should be one of: auto,
                        smtp, xmpp, xmpp_server, pop3, imap, ftp, ldap, rdp,
                        postgres. The 'auto' option will cause SSLyze to
                        deduce the protocol (ftp, imap, etc.) from the
                        supplied port number, for each target servers.
  --xmpp_to HOSTNAME    Optional setting for STARTTLS XMPP. XMPP_TO should be
                        the hostname to be put in the 'to' attribute of the
                        XMPP stream. Default is the server's hostname.
  --sni SERVER_NAME_INDICATION
                        Use Server Name Indication to specify the hostname to
                        connect to. Will only affect TLS 1.0+ connections.

Scan commands:
  --tlsv1               Test a server for TLS 1.0 support.
  --heartbleed          Test a server for the OpenSSL Heartbleed
                        vulnerability.
  --fallback            Test a server for the TLS_FALLBACK_SCSV mechanism to
                        prevent downgrade attacks.
  --certinfo            Retrieve and analyze a server's certificate(s) to
                        verify its validity.
  --certinfo_ca_file CERTINFO_CA_FILE
                        To be used with --certinfo. Path to a file containing
                        root certificates in PEM format that will be used to
                        verify the validity of the server's certificate.
  --tlsv1_2             Test a server for TLS 1.2 support.
  --http_headers        Test a server for the presence of security-related
                        HTTP headers.
  --compression         Test a server for TLS compression support, which can
                        be leveraged to perform a CRIME attack.
  --early_data          Test a server for TLS 1.3 early data support.
  --tlsv1_1             Test a server for TLS 1.1 support.
  --openssl_ccs         Test a server for the OpenSSL CCS Injection
                        vulnerability (CVE-2014-0224).
  --reneg               Test a server for for insecure TLS renegotiation and
                        client-initiated renegotiation.
  --elliptic_curves     Test a server for supported elliptic curves.
  --sslv3               Test a server for SSL 3.0 support.
  --resum               Test a server for TLS 1.2 session resumption support
                        using session IDs and TLS tickets.
  --resum_attempts RESUM_ATTEMPTS
                        To be used with --resum. Number of session resumptions
                        (both with Session IDs and TLS Tickets) that SSLyze
                        should attempt. The default value is 5, but a higher
                        value such as 100 can be used to get a more accurate
                        measure of how often session resumption succeeds or
                        fails with the server.
  --tlsv1_3             Test a server for TLS 1.3 support.
  --sslv2               Test a server for SSL 2.0 support.
  --robot               Test a server for the ROBOT vulnerability.

Updated on: 2024-Nov-20