### Install SSLyze from source Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/installation.html After cloning the source code, navigate to the directory and install SSLyze locally using pip. ```bash cd sslyze pip install . ``` -------------------------------- ### Setup SSLyze development environment Source: https://github.com/nabla-c0d3/sslyze/blob/release/README.md Install SSLyze in editable mode and set up development dependencies. This is for developers contributing to the SSLyze project. ```bash pip install --upgrade pip setuptools wheel pip install -e . pip install -r requirements-dev.txt ``` -------------------------------- ### Install or Upgrade pip, setuptools, and wheel Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/installation.html Before installing SSLyze, ensure your packaging tools are up-to-date. Run this command in your terminal. ```bash pip install --upgrade pip setuptools wheel ``` -------------------------------- ### Full Example: Running SSLyze Scans Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/running-a-scan-in-python.html A comprehensive example demonstrating the entire process of setting up, running, and processing SSLyze scans for multiple servers, including detailed error handling for connectivity and specific scan command failures. ```python def main() -> None: print("=> Starting the scans") date_scans_started = datetime.now(timezone.utc) # First create the scan requests for each server that we want to scan try: all_scan_requests = [ ServerScanRequest(server_location=ServerNetworkLocation(hostname="cloudflare.com")), ServerScanRequest(server_location=ServerNetworkLocation(hostname="google.com")), ] except ServerHostnameCouldNotBeResolved: # Handle bad input ie. invalid hostnames print("Error resolving the supplied hostnames") return # Then queue all the scans scanner = Scanner() scanner.queue_scans(all_scan_requests) # And retrieve and process the results for each server all_server_scan_results = [] for server_scan_result in scanner.get_results(): all_server_scan_results.append(server_scan_result) print(f"\n\n****Results for {server_scan_result.server_location.hostname}****") # Were we able to connect to the server and run the scan? if server_scan_result.scan_status == ServerScanStatusEnum.ERROR_NO_CONNECTIVITY: # No we weren't print( f"\nError: Could not connect to {server_scan_result.server_location.hostname}:" f" {server_scan_result.connectivity_error_trace}" ) continue # Since we were able to run the scan, scan_result is populated assert server_scan_result.scan_result # Process the result of the SSL 2.0 scan command ssl2_attempt = server_scan_result.scan_result.ssl_2_0_cipher_suites if ssl2_attempt.status == ScanCommandAttemptStatusEnum.ERROR: # An error happened when this scan command was run _print_failed_scan_command_attempt(ssl2_attempt) elif ssl2_attempt.status == ScanCommandAttemptStatusEnum.COMPLETED: # This scan command was run successfully ``` -------------------------------- ### Install SSLyze using pip Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/installation.html Install the latest version of SSLyze using pip. This command ensures you have the most recent stable release. ```bash pip install --upgrade sslyze ``` -------------------------------- ### Install SSLyze via pip Source: https://github.com/nabla-c0d3/sslyze/blob/release/README.md Install or upgrade SSLyze and its dependencies using pip. This is the recommended method for most users on Windows, Linux, and macOS. ```bash pip install --upgrade pip setuptools wheel pip install --upgrade sslyze python -m sslyze www.yahoo.com www.google.com "[2607:f8b0:400a:807::2004]:443" ``` -------------------------------- ### Run SSLyze using Docker Source: https://github.com/nabla-c0d3/sslyze/blob/release/README.md Execute SSLyze using a Docker container. This is useful for consistent environments and quick testing without local installation. ```bash docker run --rm -it nablac0d3/sslyze:6.1.0 www.google.com ``` -------------------------------- ### Full sslyze Scan Example in Python Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/running-a-scan-in-python.md This snippet shows how to create scan requests for multiple servers, queue them for scanning, retrieve and process the results, and save them to a JSON file. It includes handling connectivity errors and parsing results for SSL 2.0, TLS 1.3, and certificate information. ```python def main() -> None: print("=> Starting the scans") date_scans_started = datetime.now(timezone.utc) # First create the scan requests for each server that we want to scan try: all_scan_requests = [ ServerScanRequest(server_location=ServerNetworkLocation(hostname="cloudflare.com")), ServerScanRequest(server_location=ServerNetworkLocation(hostname="google.com")), ] except ServerHostnameCouldNotBeResolved: # Handle bad input ie. invalid hostnames print("Error resolving the supplied hostnames") return # Then queue all the scans scanner = Scanner() scanner.queue_scans(all_scan_requests) # And retrieve and process the results for each server all_server_scan_results = [] for server_scan_result in scanner.get_results(): all_server_scan_results.append(server_scan_result) print(f"\n\n****Results for {server_scan_result.server_location.hostname}****") # Were we able to connect to the server and run the scan? if server_scan_result.scan_status == ServerScanStatusEnum.ERROR_NO_CONNECTIVITY: # No we weren't print( f"\nError: Could not connect to {server_scan_result.server_location.hostname}:" f" {server_scan_result.connectivity_error_trace}" ) continue # Since we were able to run the scan, scan_result is populated assert server_scan_result.scan_result # Process the result of the SSL 2.0 scan command ssl2_attempt = server_scan_result.scan_result.ssl_2_0_cipher_suites if ssl2_attempt.status == ScanCommandAttemptStatusEnum.ERROR: # An error happened when this scan command was run _print_failed_scan_command_attempt(ssl2_attempt) elif ssl2_attempt.status == ScanCommandAttemptStatusEnum.COMPLETED: # This scan command was run successfully ssl2_result = ssl2_attempt.result assert ssl2_result print("\nAccepted cipher suites for SSL 2.0:") for accepted_cipher_suite in ssl2_result.accepted_cipher_suites: print(f"* {accepted_cipher_suite.cipher_suite.name}") # Process the result of the TLS 1.3 scan command tls1_3_attempt = server_scan_result.scan_result.tls_1_3_cipher_suites if tls1_3_attempt.status == ScanCommandAttemptStatusEnum.ERROR: _print_failed_scan_command_attempt(ssl2_attempt) elif tls1_3_attempt.status == ScanCommandAttemptStatusEnum.COMPLETED: tls1_3_result = tls1_3_attempt.result assert tls1_3_result print("\nAccepted cipher suites for TLS 1.3:") for accepted_cipher_suite in tls1_3_result.accepted_cipher_suites: print(f"* {accepted_cipher_suite.cipher_suite.name}") # Process the result of the certificate info scan command certinfo_attempt = server_scan_result.scan_result.certificate_info if certinfo_attempt.status == ScanCommandAttemptStatusEnum.ERROR: _print_failed_scan_command_attempt(certinfo_attempt) elif certinfo_attempt.status == ScanCommandAttemptStatusEnum.COMPLETED: certinfo_result = certinfo_attempt.result assert certinfo_result print("\nLeaf certificates deployed:") for cert_deployment in certinfo_result.certificate_deployments: leaf_cert = cert_deployment.received_certificate_chain[0] print( f"{leaf_cert.public_key().__class__.__name__}: {leaf_cert.subject.rfc4514_string()}" f" (Serial: {leaf_cert.serial_number})" ) # etc... Other scan command results to process are in server_scan_result.scan_result # Lastly, save the all the results to a JSON file json_file_out = Path("api_sample_results.json") print(f"\n\n=> Saving scan results to {json_file_out}") example_json_result_output(json_file_out, all_server_scan_results, date_scans_started, datetime.now(timezone.utc)) # And ensure we are able to parse them print(f"\n\n=> Parsing scan results from {json_file_out}") example_json_result_parsing(json_file_out) ``` -------------------------------- ### Run SSLyze tests Source: https://github.com/nabla-c0d3/sslyze/blob/release/README.md Execute the test suite for SSLyze using the 'invoke' task runner. This is part of the development setup to ensure code quality. ```bash invoke test ``` -------------------------------- ### StartTLS, SNI, etc. Settings Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/running-a-scan-in-python.html Demonstrates how to configure additional settings for scans, such as StartTLS and SNI. This is useful for testing servers that require specific connection parameters. ```python from sslyze.connection_helpers.opportunistic_tls_helpers import ProtocolWithOpportunisticTlsEnum ``` -------------------------------- ### Run SSLyze Docker image with help flag Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/installation.html This command shows the default behavior of the SSLyze Docker image, which is to display help information. ```bash docker run --rm -it nablac0d3/sslyze:|version| ``` -------------------------------- ### Initialize and Queue Scans Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/running-a-scan-in-python.md Instantiate the Scanner class and pass a list of server scan requests to begin the scanning process. The Scanner manages concurrent execution. ```python scanner = Scanner() scanner.queue_scans(all_scan_requests) ``` -------------------------------- ### Check server compliance with Mozilla's modern TLS configuration Source: https://github.com/nabla-c0d3/sslyze/blob/release/README.md Run SSLyze to check a server against Mozilla's 'modern' TLS configuration. This command allows specifying a different configuration profile. ```bash python -m sslyze --mozilla_config=modern mozilla.com ``` -------------------------------- ### Check server compliance with a custom TLS configuration Source: https://github.com/nabla-c0d3/sslyze/blob/release/README.md Run SSLyze to check a server against a custom TLS configuration defined in a JSON file. This provides flexibility for specific security requirements. ```bash python -m sslyze --custom_tls_config custom_tls_config_example.json mozilla.com ``` -------------------------------- ### Run SSLyze Docker image for a specific target Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/installation.html Execute SSLyze within a Docker container to scan a target. Replace '|version|' with the desired tag. ```bash docker run --rm -it nablac0d3/sslyze --regular www.github.com:443 ``` -------------------------------- ### Check server compliance with Mozilla's intermediate TLS configuration Source: https://github.com/nabla-c0d3/sslyze/blob/release/README.md Run SSLyze to check a server against Mozilla's recommended 'intermediate' TLS configuration. The tool returns a non-zero exit code if the server is not compliant. ```bash python -m sslyze mozilla.com ``` -------------------------------- ### Create Server Scan Requests Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/running-a-scan-in-python.html Instantiate ServerScanRequest objects to define the servers and parameters for scans. Handles potential hostname resolution errors. ```python all_scan_requests = [ ServerScanRequest(server_location=ServerNetworkLocation(hostname="cloudflare.com")), ServerScanRequest(server_location=ServerNetworkLocation(hostname="google.com")), ] ``` -------------------------------- ### Clone SSLyze source code from GitHub Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/installation.html Obtain the latest development version of SSLyze by cloning its public repository from GitHub. ```bash git clone git://github.com/nabla-c0d3/sslyze.git ``` -------------------------------- ### Create an alias for the SSLyze Docker command Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/installation.html Add this alias to your shell's rc file to simplify running the SSLyze Docker image. After sourcing the file, you can use 'sslyze' directly. ```bash alias 'sslyze'='docker run --rm -it nablac0d3/sslyze' source ~/.bashrc sslyze ``` -------------------------------- ### Process Scan Results in Python Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/running-a-scan-in-python.html This snippet demonstrates how to process results from different scan commands (SSL 2.0, TLS 1.3, Certificate Info) after a server scan is completed. It checks the status of each scan command and prints relevant information if the scan was successful. ```python ssl2_result = ssl2_attempt.result assert ssl2_result print("\nAccepted cipher suites for SSL 2.0:") for accepted_cipher_suite in ssl2_result.accepted_cipher_suites: print(f"* {accepted_cipher_suite.cipher_suite.name}") # Process the result of the TLS 1.3 scan command tls1_3_attempt = server_scan_result.scan_result.tls_1_3_cipher_suites if tls1_3_attempt.status == ScanCommandAttemptStatusEnum.ERROR: _print_failed_scan_command_attempt(ssl2_attempt) elif tls1_3_attempt.status == ScanCommandAttemptStatusEnum.COMPLETED: tls1_3_result = tls1_3_attempt.result assert tls1_3_result print("\nAccepted cipher suites for TLS 1.3:") for accepted_cipher_suite in tls1_3_result.accepted_cipher_suites: print(f"* {accepted_cipher_suite.cipher_suite.name}") # Process the result of the certificate info scan command certinfo_attempt = server_scan_result.scan_result.certificate_info if certinfo_attempt.status == ScanCommandAttemptStatusEnum.ERROR: _print_failed_scan_command_attempt(certinfo_attempt) elif certinfo_attempt.status == ScanCommandAttemptStatusEnum.COMPLETED: certinfo_result = certinfo_attempt.result assert certinfo_result print("\nLeaf certificates deployed:") for cert_deployment in certinfo_result.certificate_deployments: leaf_cert = cert_deployment.received_certificate_chain[0] print( f"{leaf_cert.public_key().__class__.__name__}: {leaf_cert.subject.rfc4514_string()}" f" (Serial: {leaf_cert.serial_number})" ) # etc... Other scan command results to process are in server_scan_result.scan_result ``` -------------------------------- ### Supported Elliptic Curves Scanning Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/available-scan-commands.md Tests a server for supported elliptic curves. This command identifies if the server supports ECDH key exchange and lists the accepted and rejected elliptic curves. ```APIDOC ## ScanCommand.ELLIPTIC_CURVES ### Description Tests a server for supported elliptic curves. ### Method N/A (Command) ### Endpoint N/A (Command) ### Parameters N/A ### Request Example N/A ### Response #### Success Response - **supports_ecdh_key_exchange** (bool) - True if the server supports at least one cipher suite with an ECDH key exchange. - **supported_curves** (List[[sslyze.EllipticCurve](#sslyze.EllipticCurve)] | None) - A list of EllipticCurve that were accepted by the server or None if the server does not support ECDH cipher suites. - **rejected_curves** (List[[sslyze.EllipticCurve](#sslyze.EllipticCurve)] | None) - A list of EllipticCurve that were rejected by the server or None if the server does not support ECDH cipher suites. #### Response Example N/A ``` -------------------------------- ### ServerNetworkLocation Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/running-a-scan-in-python.md Contains all the information needed to connect to a server, including hostname, port, IP address, and proxy settings. ```APIDOC ## class sslyze.ServerNetworkLocation ### Description All the information needed to connect to a server. ### Parameters * **hostname** (str) - The server’s hostname. * **port** (int, optional) - The server’s TLS port number. Defaults to 443. * **ip_address** (str | None, optional) - The server’s IP address; only set if sslyze is connecting directly to the server. If no IP address is supplied and connection_type is set to DIRECT, sslyze will automatically lookup one IP address for the supplied hostname. * **http_proxy_settings** ([HttpProxySettings](#sslyze.HttpProxySettings) | None, optional) - The HTTP proxy configuration to use in order to tunnel the scans through a proxy; only set if sslyze is connecting to the server via an HTTP proxy. The proxy will be responsible for looking up the server’s IP address and connecting to it. ### Attributes * **connection_type** - How sslyze should connect to the server: either directly, or via an HTTP proxy. ``` -------------------------------- ### ScanCommand.SESSION_RENEGOTIATION Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/available-scan-commands.md Tests a server for insecure TLS renegotiation and client-initiated renegotiation. The result indicates if secure renegotiation is supported and if the server is vulnerable to client-initiated DoS attacks. ```APIDOC ## Insecure Renegotiation **ScanCommand.SESSION_RENEGOTIATION**: Test a server for insecure TLS renegotiation and client-initiated renegotiation. ### Result class ### *class* sslyze.SessionRenegotiationScanResult(supports_secure_renegotiation: bool, is_vulnerable_to_client_renegotiation_dos: bool, client_renegotiations_success_count: int) The result of testing a server for insecure TLS renegotiation and client-initiated renegotiation. #### accepts_client_renegotiation True if the server honors client-initiated renegotiation attempts. #### supports_secure_renegotiation True if the server supports secure renegotiation. * **Type:** bool #### client_renegotiations_success_count the number of successful client-initiated renegotiation attempts. * **Type:** int ``` -------------------------------- ### Define Server Scan Requests Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/running-a-scan-in-python.md Create a list of ServerScanRequest objects to specify the servers and their network locations for scanning. Handles potential errors if hostnames cannot be resolved. ```python try: all_scan_requests = [ ServerScanRequest(server_location=ServerNetworkLocation(hostname="cloudflare.com")), ServerScanRequest(server_location=ServerNetworkLocation(hostname="google.com")), ] except ServerHostnameCouldNotBeResolved: # Handle bad input ie. invalid hostnames print("Error resolving the supplied hostnames") return ``` -------------------------------- ### ServerNetworkConfiguration Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/running-a-scan-in-python.md Provides additional network settings for fine-grained control over server connections, including TLS settings, client authentication, and network timeouts. ```APIDOC ## class sslyze.ServerNetworkConfiguration ### Description Additional network settings to provide fine-grained control on how to connect to a specific server. ### Parameters * **tls_server_name_indication** (str) - The hostname to set within the Server Name Indication TLS extension. * **tls_opportunistic_encryption** ([ProtocolWithOpportunisticTlsEnum](#sslyze.ProtocolWithOpportunisticTlsEnum) | None, optional) - The protocol wrapped in TLS that the server expects. It allows SSLyze to figure out how to establish a (Start)TLS connection to the server and what kind of “hello” message (SMTP, XMPP, etc.) to send to the server after the handshake was completed. If not supplied, standard TLS will be used. * **tls_client_auth_credentials** ([ClientAuthenticationCredentials](#sslyze.ClientAuthenticationCredentials) | None, optional) - The client certificate and private key needed to perform mutual authentication with the server. If not supplied, SSLyze will attempt to connect to the server without performing client authentication. * **xmpp_to_hostname** (str | None, optional) - The hostname to set within the to attribute of the XMPP stream. If not supplied, the server’s hostname will be used. Should only be set if the supplied tls_opportunistic_encryption is an XMPP protocol. * **smtp_ehlo_hostname** (str | None, optional) - The hostname to set in the SMTP EHLO. If not supplied, the default of “sslyze.scan” will be used. Should only be set if the supplied tls_opportunistic_encryption is SMTP. * **http_user_agent** (str | None, optional) - The User-Agent to send in HTTP requests. If not supplied, a default Chrome-like is used that includes SSLyze’s version. * **network_timeout** (int, optional) - The timeout (in seconds) to be used when attempting to establish a connection to the server. Defaults to 5. * **network_max_retries** (int, optional) - The number of retries SSLyze will perform when attempting to establish a connection to the server. Defaults to 3. ``` -------------------------------- ### TLS Compression Scan (CRIME) Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/available-scan-commands.html Tests a server for TLS compression support, which can be leveraged to perform a CRIME attack. ```APIDOC ## ScanCommand.TLS_COMPRESSION ### Description Tests a server for TLS compression support, which can be leveraged to perform a CRIME attack. ### Method Not applicable (this describes a scan command within the SSLyze library). ### Endpoint Not applicable. ### Parameters None explicitly documented for this scan command. ### Response Details on the response for this scan command are not provided in the source text. ``` -------------------------------- ### ProtocolWithOpportunisticTlsEnum Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/running-a-scan-in-python.md Enumeration of plaintext protocols supported by SSLyze for opportunistic TLS upgrade (STARTTLS). ```APIDOC ## class sslyze.ProtocolWithOpportunisticTlsEnum ### Description The list of plaintext protocols supported by SSLyze for opportunistic TLS upgrade (such as STARTTLS). This allows SSLyze to figure out how to complete an SSL/TLS handshake with the server. ### Members * **SMTP** = 'SMTP' * **XMPP** = 'XMPP' * **XMPP_SERVER** = 'XMPP_SERVER' ``` -------------------------------- ### Export Scan Results to JSON using CLI Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/json-output.md Use the --json_out option with the sslyze command to save scan results to a JSON file. ```bash $ python -m sslyze www.google.com www.facebook.com --json_out=result.json ``` -------------------------------- ### SSL 2.0 Cipher Suites Scan Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/available-scan-commands.html Tests a server for SSL 2.0 cipher suite support. ```APIDOC ## ScanCommand.SSL_2_0_CIPHER_SUITES ### Description Tests a server for SSL 2.0 support. ### Method N/A (This is a command identifier, not an HTTP endpoint) ### Endpoint N/A ``` -------------------------------- ### SSL 3.0 Cipher Suites Scan Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/available-scan-commands.html Tests a server for SSL 3.0 cipher suite support. ```APIDOC ## ScanCommand.SSL_3_0_CIPHER_SUITES ### Description Tests a server for SSL 3.0 support. ### Method N/A (This is a command identifier, not an HTTP endpoint) ### Endpoint N/A ``` -------------------------------- ### TLS 1.2 Cipher Suites Scan Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/available-scan-commands.html Tests a server for TLS 1.2 cipher suite support. ```APIDOC ## ScanCommand.TLS_1_2_CIPHER_SUITES ### Description Tests a server for TLS 1.2 support. ### Method N/A (This is a command identifier, not an HTTP endpoint) ### Endpoint N/A ``` -------------------------------- ### ClientAuthenticationCredentials Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/running-a-scan-in-python.md Represents the credentials needed for client SSL/TLS authentication. This includes the certificate chain, private key, and optional key password and type. ```APIDOC ## class sslyze.ClientAuthenticationCredentials Represents everything needed by a client to perform SSL/TLS client authentication with the server. ### Parameters - **certificate_chain_path** (pathlib.Path) - Required - Path to the file containing the client’s certificate. - **key_path** (pathlib.Path) - Required - Path to the file containing the client’s private key. - **key_password** (str) - Optional - The password to decrypt the private key. - **key_type** (sslyze.OpenSslFileTypeEnum) - Optional - The format of the key file. Defaults to OpenSslFileTypeEnum.PEM. ``` -------------------------------- ### CertificateDeploymentAnalysisResult Attributes Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/available-scan-commands.html This section details the attributes available within the CertificateDeploymentAnalysisResult class, providing insights into the server's certificate chain and OCSP response. ```APIDOC ## CertificateDeploymentAnalysisResult ### Description Provides detailed results of the certificate chain analysis, including order, trust, and signature information, as well as OCSP response details. ### Attributes - **received_chain_has_valid_order** (`Optional[bool]`): `True` if the certificate chain returned by the server was sent in the right order. `None` if any of the certificates in the chain could not be parsed. - **received_chain_contains_anchor_certificate** (`Optional[bool]`): `True` if the server included the anchor/root certificate in the chain it sends back to clients. `None` if the verified chain could not be built. - **verified_chain_has_sha1_signature** (`Optional[bool]`): `True` if any of the leaf or intermediate certificates are signed using the SHA-1 algorithm. `None` if the verified chain could not be built. - **verified_chain_has_legacy_symantec_anchor** (`Optional[bool]`): `True` if the certificate chain contains a distrusted Symantec anchor. `None` if the verified chain could not be built. - **ocsp_response** (`Optional[OCSPResponse]`): The OCSP response returned by the server. `None` if no response was sent by the server or if the scan was run through an HTTP proxy. This is an `OCSPResponse` object parsed using the cryptography module. - **ocsp_response_is_trusted** (`Optional[bool]`): `True` if the OCSP response is trusted using the Mozilla trust store. `None` if no OCSP response was sent by the server. ### Related Classes #### PathValidationResult - **trust_store** (`TrustStore`): The trust store used for validation. - **verified_certificate_chain** (`Optional[List[Certificate]]`): The verified certificate chain returned by OpenSSL. Will be `None` if the validation failed or the verified chain could not be built. Each certificate is parsed using the cryptography module. - **validation_error** (`Optional[str]`): The error returned by the cryptography module’s validation function; `None` if validation was successful. - **was_validation_successful** (`bool`): Whether the certificate chain is trusted when using the supplied trust stores. ``` -------------------------------- ### ScanCommand.HTTP_HEADERS Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/available-scan-commands.md Tests a server for the presence of security-related HTTP headers. The result includes details about the request sent, any errors, redirection, and specific headers like Strict-Transport-Security. ```APIDOC ## HTTP Security Headers **ScanCommand.HTTP_HEADERS**: Test a server for the presence of security-related HTTP headers. ### Result class ### *class* sslyze.HttpHeadersScanResult(http_request_sent: str, http_error_trace: TracebackException | None, http_path_redirected_to: str | None, strict_transport_security_header: [StrictTransportSecurityHeader](#sslyze.StrictTransportSecurityHeader) | None) The result of testing a server for the presence of security-related HTTP headers. Each HTTP header described below will be `None` if the server did not return a valid HTTP response, or if the server returned an HTTP response without the HTTP header. #### http_request_sent The initial HTTP request sent to the server by SSLyze. * **Type:** str #### http_error_trace An error the server returned after receiving the initial HTTP request. If this field is set, all the subsequent fields will be `None` as SSLyze did not receive a valid HTTP response from the server. * **Type:** traceback.TracebackException | None #### http_path_redirected_to The path SSLyze was eventually redirected to after sending the initial HTTP request. * **Type:** str | None #### strict_transport_security_header The Strict-Transport-Security header returned by the server. * **Type:** [sslyze.plugins.http_headers_plugin.StrictTransportSecurityHeader](#sslyze.StrictTransportSecurityHeader) | None ### *class* sslyze.StrictTransportSecurityHeader(max_age: int | None, preload: bool, include_subdomains: bool) A Strict-Transport-Security header parsed from a server’s HTTP response. #### preload `True` if the preload directive is set. * **Type:** bool #### include_subdomains `True` if the includesubdomains directive is set. * **Type:** bool #### max_age The content of the max-age field. * **Type:** int | None ``` -------------------------------- ### TLS 1.3 Cipher Suites Scan Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/available-scan-commands.html Tests a server for TLS 1.3 cipher suite support. ```APIDOC ## ScanCommand.TLS_1_3_CIPHER_SUITES ### Description Tests a server for TLS 1.3 support. ### Method N/A (This is a command identifier, not an HTTP endpoint) ### Endpoint N/A ``` -------------------------------- ### TLS 1.1 Cipher Suites Scan Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/available-scan-commands.html Tests a server for TLS 1.1 cipher suite support. ```APIDOC ## ScanCommand.TLS_1_1_CIPHER_SUITES ### Description Tests a server for TLS 1.1 support. ### Method N/A (This is a command identifier, not an HTTP endpoint) ### Endpoint N/A ``` -------------------------------- ### TLS 1.0 Cipher Suites Scan Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/available-scan-commands.html Tests a server for TLS 1.0 cipher suite support. ```APIDOC ## ScanCommand.TLS_1_0_CIPHER_SUITES ### Description Tests a server for TLS 1.0 support. ### Method N/A (This is a command identifier, not an HTTP endpoint) ### Endpoint N/A ``` -------------------------------- ### SSL/TLS Cipher Suites Scanning Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/available-scan-commands.md Tests a server for supported cipher suites across different SSL/TLS versions. This command helps identify which cipher suites are accepted or rejected by the server for each protocol version. ```APIDOC ## ScanCommand.SSL_2_0_CIPHER_SUITES ### Description Tests a server for SSL 2.0 cipher suite support. ### Method N/A (Command) ### Endpoint N/A (Command) ### Parameters N/A ### Request Example N/A ### Response #### Success Response - **tls_version_used** ([sslyze.TlsVersionEnum](#sslyze.TlsVersionEnum)) - The SSL/TLS version used to connect to the server. - **accepted_cipher_suites** (List[[sslyze.CipherSuiteAcceptedByServer](#sslyze.CipherSuiteAcceptedByServer)]) - The list of cipher suites supported by both SSLyze and the server. - **rejected_cipher_suites** (List[[sslyze.CipherSuiteRejectedByServer](#sslyze.CipherSuiteRejectedByServer)]) - The list of cipher suites supported by SSLyze that were rejected by the server. #### Response Example N/A ## ScanCommand.SSL_3_0_CIPHER_SUITES ### Description Tests a server for SSL 3.0 cipher suite support. ### Method N/A (Command) ### Endpoint N/A (Command) ### Parameters N/A ### Request Example N/A ### Response #### Success Response - **tls_version_used** ([sslyze.TlsVersionEnum](#sslyze.TlsVersionEnum)) - The SSL/TLS version used to connect to the server. - **accepted_cipher_suites** (List[[sslyze.CipherSuiteAcceptedByServer](#sslyze.CipherSuiteAcceptedByServer)]) - The list of cipher suites supported by both SSLyze and the server. - **rejected_cipher_suites** (List[[sslyze.CipherSuiteRejectedByServer](#sslyze.CipherSuiteRejectedByServer)]) - The list of cipher suites supported by SSLyze that were rejected by the server. #### Response Example N/A ## ScanCommand.TLS_1_0_CIPHER_SUITES ### Description Tests a server for TLS 1.0 cipher suite support. ### Method N/A (Command) ### Endpoint N/A (Command) ### Parameters N/A ### Request Example N/A ### Response #### Success Response - **tls_version_used** ([sslyze.TlsVersionEnum](#sslyze.TlsVersionEnum)) - The SSL/TLS version used to connect to the server. - **accepted_cipher_suites** (List[[sslyze.CipherSuiteAcceptedByServer](#sslyze.CipherSuiteAcceptedByServer)]) - The list of cipher suites supported by both SSLyze and the server. - **rejected_cipher_suites** (List[[sslyze.CipherSuiteRejectedByServer](#sslyze.CipherSuiteRejectedByServer)]) - The list of cipher suites supported by SSLyze that were rejected by the server. #### Response Example N/A ## ScanCommand.TLS_1_1_CIPHER_SUITES ### Description Tests a server for TLS 1.1 cipher suite support. ### Method N/A (Command) ### Endpoint N/A (Command) ### Parameters N/A ### Request Example N/A ### Response #### Success Response - **tls_version_used** ([sslyze.TlsVersionEnum](#sslyze.TlsVersionEnum)) - The SSL/TLS version used to connect to the server. - **accepted_cipher_suites** (List[[sslyze.CipherSuiteAcceptedByServer](#sslyze.CipherSuiteAcceptedByServer)]) - The list of cipher suites supported by both SSLyze and the server. - **rejected_cipher_suites** (List[[sslyze.CipherSuiteRejectedByServer](#sslyze.CipherSuiteRejectedByServer)]) - The list of cipher suites supported by SSLyze that were rejected by the server. #### Response Example N/A ## ScanCommand.TLS_1_2_CIPHER_SUITES ### Description Tests a server for TLS 1.2 cipher suite support. ### Method N/A (Command) ### Endpoint N/A (Command) ### Parameters N/A ### Request Example N/A ### Response #### Success Response - **tls_version_used** ([sslyze.TlsVersionEnum](#sslyze.TlsVersionEnum)) - The SSL/TLS version used to connect to the server. - **accepted_cipher_suites** (List[[sslyze.CipherSuiteAcceptedByServer](#sslyze.CipherSuiteAcceptedByServer)]) - The list of cipher suites supported by both SSLyze and the server. - **rejected_cipher_suites** (List[[sslyze.CipherSuiteRejectedByServer](#sslyze.CipherSuiteRejectedByServer)]) - The list of cipher suites supported by SSLyze that were rejected by the server. #### Response Example N/A ## ScanCommand.TLS_1_3_CIPHER_SUITES ### Description Tests a server for TLS 1.3 cipher suite support. ### Method N/A (Command) ### Endpoint N/A (Command) ### Parameters N/A ### Request Example N/A ### Response #### Success Response - **tls_version_used** ([sslyze.TlsVersionEnum](#sslyze.TlsVersionEnum)) - The SSL/TLS version used to connect to the server. - **accepted_cipher_suites** (List[[sslyze.CipherSuiteAcceptedByServer](#sslyze.CipherSuiteAcceptedByServer)]) - The list of cipher suites supported by both SSLyze and the server. - **rejected_cipher_suites** (List[[sslyze.CipherSuiteRejectedByServer](#sslyze.CipherSuiteRejectedByServer)]) - The list of cipher suites supported by SSLyze that were rejected by the server. #### Response Example N/A ``` -------------------------------- ### ScanCommand.TLS_EXTENDED_MASTER_SECRET Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/available-scan-commands.md Tests a server for TLS Extended Master Secret extension support. The result indicates if the server supports this extension. ```APIDOC ## Extended Master Secret **ScanCommand.TLS_EXTENDED_MASTER_SECRET**: Test a server for TLS Extended Master Secret extension support. ### Result class ### *class* sslyze.EmsExtensionScanResult(supports_ems_extension: bool) The result of testing a server for TLS Extended Master Secret extension support. #### supports_ems_extension True if the server supports the TLS Extended Master Secret extension. * **Type:** bool ``` -------------------------------- ### ServerConnectivityStatusEnum Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/running-a-scan-in-python.html An enumeration representing the possible statuses of a server connection attempt. ```APIDOC ## Enum: ServerConnectivityStatusEnum ### Description Represents the possible statuses of a server connection attempt. ``` -------------------------------- ### OpenSslFileTypeEnum Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/documentation/running-a-scan-in-python.html An enumeration representing the format constants for certificate and private key files, mapping to OpenSSL's SSL_FILETYPE_XXX constants. ```APIDOC ## Enum: OpenSslFileTypeEnum ### Description Certificate and private key format constants which map to the SSL_FILETYPE_XXX OpenSSL constants. ### Members * **PEM** = 1 * **ASN1** = 2 ``` -------------------------------- ### ServerScanRequest Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/running-a-scan-in-python.md Represents a request to scan a specific server. It includes server location, optional network configuration, scan commands, and extra arguments for those commands. ```APIDOC ## class sslyze.ServerScanRequest ### Description A request to scan a specific server. ### Parameters * **server_location** ([ServerNetworkLocation](#sslyze.ServerNetworkLocation)) - The server to scan. * **network_configuration** ([ServerNetworkConfiguration](#sslyze.ServerNetworkConfiguration), optional) - An optional network configuration. If not supplied, a default configuration will be used. * **scan_commands** (Set[[ScanCommand](available-scan-commands.md#sslyze.ScanCommand)], optional) - An optional list of scan commands to run against the server. If not supplied, all available scan commands will be run. * **scan_commands_extra_arguments** ([ScanCommandsExtraArguments](#sslyze.ScanCommandsExtraArguments), optional) - An optional list of extra arguments specific to some scan commands. If not supplied, no extra arguments will be set. * **uuid** (UUID, optional) - Factory default. ``` -------------------------------- ### ProtocolWithOpportunisticTlsEnum Source: https://github.com/nabla-c0d3/sslyze/blob/release/docs/running-a-scan-in-python.md Enumeration of protocols that support opportunistic TLS, with a method to retrieve the protocol by its default port. ```APIDOC ### *classmethod* from_default_port(port: int) -> ProtocolWithOpportunisticTlsEnum | None Given a port number, return the protocol that uses this port number by default. ### Parameters - **port** (int) - The port number to check. ### Returns - **ProtocolWithOpportunisticTlsEnum | None** - The protocol associated with the default port, or None if no protocol matches. ```