### Start New Assessment Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v3.md Initiates a new SSL Labs assessment for a given host. ```APIDOC ## POST /analyze ### Description Initiates a new SSL Labs assessment for a given host. Use the `startNew` parameter set to `on` to begin a fresh assessment. ### Method POST ### Endpoint `/analyze` ### Parameters #### Query Parameters - **host** (string) - Required - The hostname to analyze. - **startNew** (string) - Required - Set to `on` to start a new assessment. - **all** (string) - Optional - Set to `done` to indicate all necessary parameters are provided. - **fromCache** (string) - Optional - Set to `on` to retrieve data from cache if available. - **maxAge** (integer) - Optional - Maximum age of cached report in hours. If not set, IP address is not forwarded to the tested server. ### Request Example ``` POST /analyze?host=example.com&startNew=on&all=done ``` ### Response #### Success Response (200) - **Assessment status** - Information about the ongoing or cached assessment. #### Response Example (Response body contains assessment status details) ``` -------------------------------- ### Perform SSL/TLS Scan via CLI (Bash) Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt Provides command-line examples for scanning single domains and multiple domains using the ssllabs-scan-v4 tool. It demonstrates options for initiating new scans, using cached results, setting cache age, ignoring certificate mismatches, and specifying input from a host file. Also includes a `curl` example for direct API interaction. ```bash # Scan a single domain with new assessment ./ssllabs-scan-v4 \ --email johndoe@example.com \ www.example.com # Scan with cached results ./ssllabs-scan-v4 \ --email johndoe@example.com \ --usecache \ --maxage 24 \ www.example.com # Start new assessment ignoring certificate mismatch curl --location 'https://api.ssllabs.com/api/v4/analyze?host=www.example.com&startNew=on&ignoreMismatch=on' \ --header 'email: johndoe@example.com' # Response includes: # { # "host": "www.example.com", # "port": 443, # "protocol": "http", # "status": "READY", # "endpoints": [ # { # "ipAddress": "93.184.216.34", # "grade": "A", # "gradeTrustIgnored": "A", # "hasWarnings": false, # "statusMessage": "Ready" # } # ] # } ``` ```bash # Create a hostfile with domains to scan cat > hosts.txt < results.json # Flattened JSON output ./ssllabs-scan-v4 \ --email johndoe@example.com \ --json-flat \ www.example.com # Output: "host": "www.example.com" "port": 443 "status": "READY" "endpoints.0.ipAddress": "93.184.216.34" "endpoints.0.grade": "A" # Grade-only output ./ssllabs-scan-v4 \ --email johndoe@example.com \ --grade \ www.example.com # Output: HostName:"www.example.com" "93.184.216.34":"A" ``` -------------------------------- ### Configure HTTP Proxy and TLS Verification Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt Provides bash examples for configuring environment variables to use an HTTP proxy (`HTTP_PROXY`, `HTTPS_PROXY`) for the ssllabs-scan tool. It also shows how to use the `--insecure` flag to skip TLS verification, primarily for development environments. ```bash # Use with HTTP proxy export HTTP_PROXY="http://proxy.example.com:8080" export HTTPS_PROXY="http://proxy.example.com:8080" ./ssllabs-scan-v4 \ --email johndoe@example.com \ www.example.com # Skip TLS verification (development only) ./ssllabs-scan-v4 \ --email johndoe@example.com \ --insecure \ internal.example.com ``` -------------------------------- ### Go: Manage Concurrent SSL Labs Assessments Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt Manages concurrent SSL Labs assessments using channels for event handling and respecting API rate limits. It coordinates starting, completing, and failing assessments, retrying failed hosts and collecting results. ```go // Manager coordinates concurrent assessments respecting API limits type Manager struct { hostProvider *HostProvider FrontendEventChannel chan Event BackendEventChannel chan Event results *LabsResults } type Event struct { host string eventType int report *LabsReport } const ( ASSESSMENT_FAILED = -1 ASSESSMENT_STARTING = 0 ASSESSMENT_COMPLETE = 1 ) func NewManager(hostProvider *HostProvider) *Manager { manager := Manager{ hostProvider: hostProvider, FrontendEventChannel: make(chan Event), BackendEventChannel: make(chan Event), results: &LabsResults{reports: make([]LabsReport, 0)}, } go manager.run() return &manager } func (manager *Manager) run() { labsInfo, err := invokeInfo() if err != nil { close(manager.FrontendEventChannel) } maxAssessments = labsInfo.MaxAssessments for { select { case e := <-manager.BackendEventChannel: if e.eventType == ASSESSMENT_FAILED { activeAssessments-- manager.hostProvider.retry(e.host) } if e.eventType == ASSESSMENT_COMPLETE { activeAssessments-- manager.results.reports = append(manager.results.reports, *e.report) } if (activeAssessments == 0) && (moreAssessments == false) { close(manager.FrontendEventChannel) return } default: if moreAssessments && currentAssessments < maxAssessments { host, hasNext := manager.hostProvider.next() if hasNext { manager.startAssessment(host) } else { moreAssessments = false } } } } } ``` -------------------------------- ### Bash: Fetch SSL Labs Endpoint Data via cURL Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt Fetches detailed endpoint security information using cURL, targeting the SSL Labs API. This example demonstrates how to query for a specific host and IP address, including necessary email headers. ```bash # Get detailed endpoint information curl --location 'https://api.ssllabs.com/api/v4/getEndpointData?host=www.example.com&s=93.184.216.34' \ --header 'email: johndoe@example.com' # Response includes comprehensive details: # { # "ipAddress": "93.184.216.34", # "grade": "A", # "details": { # "protocols": [ # {"id": 771, "name": "TLS", "version": "1.2"}, # {"id": 772, "name": "TLS", "version": "1.3"} # ], # "suites": [ # { # "protocol": 772, # "list": [ # {"id": 4865, "name": "TLS_AES_128_GCM_SHA256", "cipherStrength": 128} # ] # } # ], # "heartbleed": false, # "poodle": false, # "freak": false, # "forwardSecrecy": 4, # "ocspStapling": true # } # } ``` -------------------------------- ### Example JSON Error Response - SSL Labs API Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v4.md Demonstrates the structure of an error response from the SSL Labs API. It includes an 'errors' array, where each object contains a 'field' referencing the problematic API parameter and a 'message' explaining the issue. Errors without a 'field' apply to the entire request. ```json { "errors": [ { "field": "host", "message": "qp.mandatory" } ] } ``` -------------------------------- ### Register SSL Labs API Account (Go) Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt This Go program registers a new user account with the SSL Labs API v4. It sends a POST request with user details (first name, last name, email, organization) to the registration endpoint and prints the API response. Dependencies include standard Go libraries for HTTP requests, JSON processing, and command-line flag parsing. ```go package main import ( "bytes" "encoding/json" "flag" "fmt" "io" "net/http" ) type RegisterRequest struct { FirstName string `json:"firstName"` LastName string `json:"lastName"` Email string `json:"email"` Organization string `json:"organization"` } func main() { firstName := flag.String("firstName", "", "First name") lastName := flag.String("lastName", "", "Last name") email := flag.String("email", "", "Email") organization := flag.String("organization", "", "Organization") registerApiUrl := flag.String("registerApiUrl", "https://api.ssllabs.com/api/v4/register", "API endpoint URL") flag.Parse() requestData := RegisterRequest{ FirstName: *firstName, LastName: *lastName, Email: *email, Organization: *organization, } jsonData, err := json.Marshal(requestData) if err != nil { fmt.Println("Error encoding JSON:", err) return } resp, err := http.Post(*registerApiUrl, "application/json", bytes.NewBuffer(jsonData)) if err != nil { fmt.Println("Error making HTTP request:", err) return } defer resp.Body.Close() body, _ := io.ReadAll(resp.Body) var responseMap map[string]interface{}) json.Unmarshal(body, &responseMap) fmt.Printf("API Response: Status - %s, Message - %s\n", responseMap["status"], responseMap["message"]) } ``` -------------------------------- ### Analyze Host Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v2-deprecated.md Initiates or retrieves assessment results for a given host. Can start a new assessment or fetch cached results. ```APIDOC ## POST /analyze ### Description Initiates a new SSL Labs assessment for a given host or retrieves cached results. Use `startNew=on` to force a new assessment. ### Method POST ### Endpoint `/analyze` ### Parameters #### Query Parameters - **host** (string) - Required - The hostname to analyze. - **startNew** (string) - Optional - Set to 'on' to start a new assessment. Defaults to 'off'. - **fromCache** (string) - Optional - Set to 'on' to retrieve results from cache. Defaults to 'off'. - **maxAge** (integer) - Optional - Maximum age of cached results in hours. If not set, IP address is not forwarded. - **all** (string) - Optional - Set to 'done' to indicate that all necessary parameters are provided for a full analysis. ### Request Example ```json { "example": "POST /analyze?host=example.com&startNew=on&all=done" } ``` ### Response #### Success Response (200) - **Assessment results** - Contains partial or complete assessment data. The structure varies depending on whether a new assessment was started or cached data was returned. Use Host.status to check for completion. #### Response Example ```json { "example": "{ \"host\": \"example.com\", \"status\": \"READY\", ... }" } ``` ``` -------------------------------- ### GET /api/v3/getRootCertsRaw Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v4.md Retrieve the latest root certificates from various trust stores. This endpoint provides raw certificate data. ```APIDOC ## GET /api/v3/getRootCertsRaw ### Description Retrieves the latest root certificates (Mozilla, Apple MacOS, Android, Java and Windows) used for trust validation. ### Method GET ### Endpoint `https://api.ssllabs.com/api/v3/getRootCertsRaw` ### Parameters #### Query Parameters - **trustStore** (String) - Mandatory - Provide the trust store value. Options: 1-Mozilla, 2-Apple MacOS, 3-Android, 4-Java, 5-Windows. Default: 1-Mozilla. ### Request Example ``` https://api.ssllabs.com/api/v3/getRootCertsRaw?trustStore=1 https://api.ssllabs.com/api/v3/getRootCertsRaw https://api.ssllabs.com/api/v3/getRootCertsRaw?trustStore=2 https://api.ssllabs.com/api/v3/getRootCertsRaw?trustStore=3 https://api.ssllabs.com/api/v3/getRootCertsRaw?trustStore=4 https://api.ssllabs.com/api/v3/getRootCertsRaw?trustStore=5 ``` ### Response #### Success Response (200) - **Raw certificate data** (String) - The raw data of the root certificates. ``` -------------------------------- ### GET /api/v3/getStatusCodes Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v4.md Retrieve known status codes used by the SSL Labs API. This endpoint returns a StatusCodes instance. ```APIDOC ## GET /api/v3/getStatusCodes ### Description Retrieves known status codes used by the SSL Labs API. This endpoint returns a single StatusCodes instance. ### Method GET ### Endpoint `https://api.ssllabs.com/api/v3/getStatusCodes` ### Parameters #### Query Parameters * None. ### Response #### Success Response (200) - **StatusCodes instance** (Object) - An object containing status codes. ``` -------------------------------- ### GET /api/v4/analyze Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v4.md Retrieve detailed endpoint information for SSL/TLS assessment. This API retrieves assessment results for a given host and IP address. ```APIDOC ## GET /api/v4/analyze ### Description Retrieves detailed endpoint information for SSL/TLS assessment. This API will return a single Endpoint object on success, containing complete assessment information. It does not initiate new assessments if a cached report is not found. ### Method GET ### Endpoint `https:///api/v4/analyze` ### Parameters #### Query Parameters - **host** (String) - Mandatory - Provide hostname. - **s** (String) - Mandatory - Provide endpoint IP address. - **fromCache** (String) - Optional - Delivers cached assessment reports if available. Default: off. - **all** (String) - Optional - Set to 'done' to ensure all results are returned. - **maxAge** (Number) - Optional - Controls the maximum age of the cached report. #### Headers - **email** (String) - Mandatory - Provide the email address registered through the registration API. ### Request Example ```bash curl --location 'https:///api/v4/analyze?host=www.ssllabs.com&s=173.203.82.166' \ --header 'email: jdoe@someoraganizationemail.com' ``` ### Response #### Success Response (200) - **Endpoint object** (Object) - Contains complete assessment information. ``` -------------------------------- ### Configure HTTP Client with Go Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt Illustrates how to configure a custom `http.Transport` in Go, setting TLS configurations (like skipping verification) and enabling proxy support via environment variables. This custom client is then used for making API requests. ```go import ( "crypto/tls" "net/http" ) // HTTP client setup with custom transport var globalInsecure = false var httpClient *http.Client func (manager *Manager) run() { transport := &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: globalInsecure}, DisableKeepAlives: false, Proxy: http.ProxyFromEnvironment, } httpClient = &http.Client{Transport: transport} // API calls use custom headers req, err := http.NewRequest("GET", url, nil) req.Header.Add("User-Agent", USER_AGENT) req.Header.Add("email", globalEmailAddress) resp, err := httpClient.Do(req) } ``` -------------------------------- ### GET /api/v4/getEndpointData Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt Fetch comprehensive endpoint security information including vulnerabilities and protocol support. This endpoint retrieves detailed security data for a given host and IP address. ```APIDOC ## GET /api/v4/getEndpointData ### Description Fetches detailed security information for a specific endpoint, including supported protocols, cipher suites, vulnerabilities, and TLS/SSL configuration. ### Method GET ### Endpoint `/api/v4/getEndpointData` ### Parameters #### Query Parameters - **host** (string) - Required - The hostname to scan. - **s** (string) - Optional - The specific IP address of the host to scan. If not provided, the API will resolve the IP address. #### Request Body N/A ### Request Example ```bash curl --location 'https://api.ssllabs.com/api/v4/getEndpointData?host=www.example.com&s=93.184.216.34' \ --header 'email: johndoe@example.com' ``` ### Response #### Success Response (200) - **ipAddress** (string) - The IP address of the scanned endpoint. - **grade** (string) - The security grade assigned to the endpoint. - **details** (object) - An object containing detailed security information: - **protocols** (array) - List of supported protocols. - **suites** (array) - List of supported cipher suites. - **heartbleed** (boolean) - Indicates if the endpoint is vulnerable to Heartbleed. - **poodle** (boolean) - Indicates if the endpoint is vulnerable to POODLE. - **freak** (boolean) - Indicates if the endpoint is vulnerable to FREAK. - **forwardSecrecy** (integer) - Indicates the level of Forward Secrecy support. - **ocspStapling** (boolean) - Indicates if OCSP Stapling is supported. #### Response Example ```json { "ipAddress": "93.184.216.34", "grade": "A", "details": { "protocols": [ {"id": 771, "name": "TLS", "version": "1.2"}, {"id": 772, "name": "TLS", "version": "1.3"} ], "suites": [ { "protocol": 772, "list": [ {"id": 4865, "name": "TLS_AES_128_GCM_SHA256", "cipherStrength": 128} ] } ], "heartbleed": false, "poodle": false, "freak": false, "forwardSecrecy": 4, "ocspStapling": true } } ``` ``` -------------------------------- ### Register with SSL Labs API Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt This endpoint allows you to register for API access with the Qualys SSL Labs API v4. You need to provide your first name, last name, email, and organization. ```APIDOC ## POST /api/v4/register ### Description Registers a new user account with SSL Labs API v4 to obtain API access credentials. ### Method POST ### Endpoint https://api.ssllabs.com/api/v4/register ### Parameters #### Request Body - **firstName** (string) - Required - The first name of the user. - **lastName** (string) - Required - The last name of the user. - **email** (string) - Required - The email address of the user. - **organization** (string) - Optional - The organization the user belongs to. ### Request Example ```json { "firstName": "John", "lastName": "Doe", "email": "johndoe@example.com", "organization": "Example Corp" } ``` ### Response #### Success Response (200) - **status** (string) - The status of the registration (e.g., "success"). - **message** (string) - A message indicating the outcome of the registration (e.g., "Registration successful"). #### Response Example ```json { "status": "success", "message": "Registration successful" } ``` ``` -------------------------------- ### Process Bulk Host Scans (Go) Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt This Go code defines structures and functions for processing multiple hostnames from a file for SSL/TLS assessment. It includes a `HostProvider` struct to manage a list of hostnames and a `readLines` function to parse hostnames from a text file, filtering out comments and empty lines. ```go package main import ( "bufio" "os" "strings" ) // HostProvider manages a list of hostnames to be processed. type HostProvider struct { hostnames []string StartingLen int } // NewHostProvider creates a new HostProvider with a copy of the provided hostnames. func NewHostProvider(hs []string) *HostProvider { hostnames := make([]string, len(hs)) copy(hostnames, hs) hostProvider := HostProvider{hostnames, len(hs)} return &hostProvider } // next retrieves the next hostname from the list. Returns the hostname and true if successful, otherwise an empty string and false. func (hp *HostProvider) next() (string, bool) { if len(hp.hostnames) == 0 { return "", false } var e string e, hp.hostnames = hp.hostnames[0], hp.hostnames[1:] return e, true } // readLines reads lines from a specified file path. It trims whitespace, ignores lines starting with '#' and empty lines. func readLines(path *string) ([]string, error) { file, err := os.Open(*path) if err != nil { return nil, err } defer file.Close() var lines []string scanner := bufio.NewScanner(file) for scanner.Scan() { var line = strings.TrimSpace(scanner.Text()) if (!strings.HasPrefix(line, "#")) && (line != "") { lines = append(lines, line) } } return lines, scanner.Err() } ``` -------------------------------- ### Check SSL Labs API Availability Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v4.md Checks the availability of SSL Labs servers, retrieves engine and criteria versions, and the maximum number of concurrent assessments. This is a simple GET request with no parameters. ```curl curl 'https://api.ssllabs.com/api/v4/info' ``` -------------------------------- ### SimDetails Object Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v3.md Contains details about simulation results for different client configurations. ```APIDOC ## SimDetails Object ### Description Contains details about simulation results for different client configurations. ### Fields * **results[]** (array of objects) - Instances of [Simulation](#simulation) objects. ### Related Objects * [Simulation](#simulation) ``` -------------------------------- ### Simulation Object Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v3.md Details a single simulation attempt, including client configuration, handshake results, and negotiated parameters. ```APIDOC ## Simulation Object ### Description Details a single simulation attempt, including client configuration, handshake results, and negotiated parameters. ### Fields * **client** (object) - Instance of [SimClient](#simclient) (client configuration). * **errorCode** (integer) - Zero if handshake was successful, 1 if it was not. * **errorMessage** (string) - Error message if simulation has failed. * **attempts** (integer) - Always 1 with the current implementation. * **certChainId** (string) - ID of the certificate chain used. * **protocolId** (integer) - Negotiated protocol ID. * **suiteId** (integer) - Negotiated suite ID. * **suiteName** (string) - Negotiated suite name. * **kxType** (string) - Negotiated key exchange type (e.g., "ECDH"). * **kxStrength** (integer) - Negotiated key exchange strength, in RSA-equivalent bits. * **dhBits** (integer) - Strength of DH parameters (e.g., 1024). * **dhP** (string) - DH parameters, p component. * **dhG** (string) - DH parameters, g component. * **dhYs** (string) - DH parameters, Ys component. * **namedGroupBits** (integer) - When ECDHE is negotiated, length of EC parameters. * **namedGroupId** (integer) - When ECDHE is negotiated, EC curve ID. * **namedGroupName** (string) - When ECDHE is negotiated, EC curve name (e.g., "secp256r1"). * **keyAlg** (string) - Connection certificate key algorithm (e.g., "RSA"). * **keySize** (integer) - Connection certificate key size (e.g., 2048). * **sigAlg** (string) - Connection certificate signature algorithm (e.g, "SHA256withRSA"). ### Related Objects * [SimClient](#simclient) ``` -------------------------------- ### Bash CLI Usage with Debugging for Rate Limiting Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt This bash command demonstrates how to run the ssllabs-scan tool with debug verbosity to monitor rate limiting information. It showcases the command-line arguments for email, hostfile, and verbosity level. ```bash # The tool automatically handles rate limiting # Monitor with debug verbosity ./ssllabs-scan-v4 \ --email johndoe@example.com \ --hostfile large-list.txt \ --verbosity debug # Output shows rate limiting: # [DEBUG] Server set current assessments to 25 # [DEBUG] Server set maximum assessments to 25 # [NOTICE] Sleeping for 18 minutes after a 529 response # [DEBUG] Active assessments: 24 (more: true) ``` -------------------------------- ### Retrieve SSL Labs API Information (Go) Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt This Go function `invokeInfo` retrieves information about the SSL Labs API, including engine version, criteria version, assessment limits, and any messages. It makes an API call and unmarshals the JSON response into a `LabsInfo` struct. The function relies on an `invokeApi` helper function (not provided) for the actual API communication. ```go // Retrieve SSL Labs API information and limits type LabsInfo struct { EngineVersion string CriteriaVersion string MaxAssessments int CurrentAssessments int NewAssessmentCoolOff int64 Messages []string } func invokeInfo() (*LabsInfo, error) { var command = "info" _, body, err := invokeApi(command) // Assumes invokeApi is defined elsewhere if err != nil { return nil, err } var labsInfo LabsInfo err = json.Unmarshal(body, &labsInfo) if err != nil { log.Printf("[ERROR] JSON unmarshal error: %v", err) // Assumes log is imported return nil, err } return &labsInfo, nil } ``` -------------------------------- ### Register for SSL Labs API v4 Scan Source: https://github.com/ssllabs/ssllabs-scan/blob/master/README.md This Go program registers an organization for using API v4 of the SSL Labs service. It requires user details such as first name, last name, organization, and email. The API entry point for registration can also be specified. ```go ssllabs-scan-v4-register --firstName John --lastName Doe --organization Example --email johndoe@example.com ``` -------------------------------- ### Retrieve Root Certificates using HTTP GET Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v4.md This snippet shows how to retrieve root certificates from various trust stores using the SSLLabs API. The 'trustStore' parameter specifies which trust store to retrieve (Mozilla, Apple MacOS, Android, Java, Windows). If 'trustStore' is omitted, it defaults to Mozilla. ```HTTP https://api.ssllabs.com/api/v3/getRootCertsRaw?trustStore=1 ``` ```HTTP https://api.ssllabs.com/api/v3/getRootCertsRaw ``` ```HTTP https://api.ssllabs.com/api/v3/getRootCertsRaw?trustStore=2 ``` ```HTTP https://api.ssllabs.com/api/v3/getRootCertsRaw?trustStore=3 ``` ```HTTP https://api.ssllabs.com/api/v3/getRootCertsRaw?trustStore=4 ``` ```HTTP https://api.ssllabs.com/api/v3/getRootCertsRaw?trustStore=5 ``` -------------------------------- ### Protocol Evolution Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v3.md Details on API versioning and how changes are managed to ensure backward compatibility. ```APIDOC ## Protocol Evolution ### Description Details on API versioning and how changes are managed to ensure backward compatibility. ### Versioning * The API is versioned. Incompatible changes will result in new API versions. * Existing applications can continue using previous versions as long as they are supported. * New fields can be added to response objects without incrementing the protocol version number. ``` -------------------------------- ### Extract Certificate Details with jq Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt Shows how to use the `jq` command-line tool to extract certificate chain information from the full assessment output of ssllabs-scan. This allows for focused analysis of certificate data. ```bash # Full assessment includes certificate analysis ./ssllabs-scan-v4 \ --email johndoe@example.com \ www.example.com | jq '.[] | .certs' # Response: [ { "id": "abc123...", "subject": "CN=www.example.com", "commonNames": ["www.example.com"], "altNames": ["www.example.com", "example.com"], "notBefore": 1640995200000, "notAfter": 1704067200000, "issuerSubject": "CN=DigiCert TLS RSA SHA256 2020 CA1", "sigAlg": "SHA256withRSA", "revocationStatus": 2, "keyAlg": "RSA", "keySize": 2048, "keyStrength": 2048, "issues": 0 } ] ``` -------------------------------- ### Go: Define SSL Labs Endpoint Detail Structures Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt Defines Go structs to represent detailed endpoint security information obtained from the SSL Labs API. These structures include details on protocols, cipher suites, vulnerabilities, and certificate chains. ```go // Retrieve detailed endpoint information type LabsEndpointDetails struct { Protocols []LabsProtocol Suites []LabsSuites ServerSignature string VulnBeast bool Heartbleed bool Poodle bool Freak bool Logjam bool DrownVulnerable bool RenegSupport int SessionResumption int CompressionMethods int SupportsNpn bool SupportsAlpn bool OcspStapling bool HstsPolicy LabsHstsPolicy ForwardSecrecy int CertChains []LabsCertChain } type LabsProtocol struct { Id int Name string Version string Q int } type LabsSuite struct { Id int Name string CipherStrength int KxType string KxStrength int } ``` -------------------------------- ### Protocol Evolution Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v4.md Details on API versioning, how new versions are introduced, and the handling of new fields. ```APIDOC ## Protocol Evolution The API is versioned. New versions of the API will be introduced whenever incompatible changes need to be made to the protocol. When a new version becomes available, existing applications can continue to use the previous version for as long as it is supported. To reduce version number inflation, new fields may be added to the results without a change in protocol version number. ``` -------------------------------- ### Perform SSL Labs API v4 Scan Source: https://github.com/ssllabs/ssllabs-scan/blob/master/README.md This Go program performs a scan using API v4 of the SSL Labs service. It requires the user's registered email and either a single hostname or a hostfile containing a list of hosts to scan. Various options are available to control the scan, such as API endpoint, verbosity, caching, and output format. ```go ssllabs-scan-v4 [options] --email johndoe@example.com hostname ssllabs-scan-v4 [options] --email johndoe@example.com --hostfile file ``` -------------------------------- ### Protocol Suites Information Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v4.md Information about the cipher suites supported for each protocol, including server preferences. ```APIDOC ## Protocol Suites Information ### Description Details the cipher suites available for a given protocol and whether the server exhibits preference in suite selection, including ChaCha20 preference. ### Parameters #### Request Body - **protocol** (object) - Required - The protocol object detailing the version and name. - **list[]** (array of objects) - Required - A list of cipher suite objects. - **preference** (boolean) - Optional - `true` if the server actively selects cipher suites; null if determination was not possible. - **chaCha20Preference** (boolean) - Optional - `true` if the server considers client preferences for ChaCha20 suites; null if determination was not possible. ### Suite Object *Refer to the specific definition of a "Suite object" if available in the API specification.* ### Request Example ```json { "protocol": { "id": 771, "name": "TLS", "version": "1.2" }, "list": [ { "suite_details": "..." }, { "suite_details": "..." } ], "preference": true, "chaCha20Preference": null } ``` ### Response Example ```json { "protocol": { "id": 771, "name": "TLS", "version": "1.2" }, "list": [ { "suite_details": "..." }, { "suite_details": "..." } ], "preference": true, "chaCha20Preference": null } ``` ``` -------------------------------- ### Check SSL Labs availability Source: https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v3.md This call checks the availability of SSL Labs servers, retrieves engine and criteria versions, and initializes the maximum number of concurrent assessments. It returns an Info object on success. ```APIDOC ## GET /info ### Description Checks the availability of the SSL Labs servers, retrieves the engine and criteria version, and initializes the maximum number of concurrent assessments. ### Method GET ### Endpoint https://api.ssllabs.com/api/v3/info ### Parameters #### Query Parameters - None ### Request Example ``` GET https://api.ssllabs.com/api/v3/info ``` ### Response #### Success Response (200) - **engine_version** (string) - The version of the SSL Labs assessment engine. - **criteria_version** (string) - The version of the SSL Labs assessment criteria. - **max_assessments** (integer) - The maximum number of concurrent assessments allowed. #### Response Example ```json { "engine_version": "1.35.12", "criteria_version": "1.2.10", "max_assessments": 4 } ``` ``` -------------------------------- ### Analyze Single Host SSL/TLS Assessment (Go) Source: https://context7.com/ssllabs/ssllabs-scan/llms.txt Initiates an SSL/TLS security assessment for a single hostname. This Go code defines data structures for the report and an invokeAnalyze function to call the SSLLabs API, optionally using cached results or forcing a new scan. It handles API command construction and JSON unmarshalling of the response. ```go package main import ( "bufio" "encoding/json" "log" "os" "strconv" "strings" ) // Global configuration variables (example, actual implementation might differ) var globalMaxAge int = 0 var globalIgnoreMismatch bool = false // LabsReport represents the structure of the SSLLabs analysis report type LabsReport struct { Host string Port int Protocol string IsPublic bool Status string StatusMessage string StartTime int64 TestTime int64 EngineVersion string CriteriaVersion string Endpoints []LabsEndpoint Certs []LabsCert } // LabsEndpoint represents details for a specific endpoint in the analysis type LabsEndpoint struct { IpAddress string Grade string GradeTrustIgnored string FutureGrade string HasWarnings bool StatusMessage string Details LabsEndpointDetails } // LabsEndpointDetails contains further detailed information about an endpoint type LabsEndpointDetails struct { // Placeholder for actual fields } // LabsCert represents certificate information type LabsCert struct { // Placeholder for actual fields } // invokeApi is a placeholder for the actual API interaction function // It should return an http.Response, the response body as []byte, and an error. func invokeApi(command string) (interface{}, []byte, error) { // Dummy implementation for compilation log.Printf("Simulating API call for command: %s\n", command) return nil, []byte(`{ "host": "example.com", "port": 443, "protocol": "https", "isPublic": true, "status": "READY", "statusMessage": "Completed successfully", "startTime": 1678886400, "testTime": 1678886460, "engineVersion": "1.0.0", "criteriaVersion": "1.0", "endpoints": [ { "ipAddress": "1.2.3.4", "grade": "A", "gradeTrustIgnored": "A", "futureGrade": "A", "hasWarnings": false, "statusMessage": "Done", "details": {} } ], "certs": [] }`), nil } // invokeAnalyze analyzes a single host and retrieves the SSL/TLS assessment report. // startNew: if true, forces a new scan even if cached results are available. // fromCache: if true, attempts to use cached results. func invokeAnalyze(host string, startNew bool, fromCache bool) (*LabsReport, error) { var command = "analyze?host=" + host + "&all=done" if fromCache { command = command + "&fromCache=on" if globalMaxAge != 0 { command = command + "&maxAge=" + strconv.Itoa(globalMaxAge) } } else if startNew { command = command + "&startNew=on" } if globalIgnoreMismatch { command = command + "&ignoreMismatch=on" } resp, body, err := invokeApi(command) if err != nil { return nil, err } var analyzeResponse LabsReport err = json.Unmarshal(body, &analyzeResponse) if err != nil { log.Printf("[ERROR] JSON unmarshal error: %v\n", err) return nil, err } return &analyzeResponse, nil } // readLines reads lines from a file, intended for host lists. // This function is included here for context but is not directly used by invokeAnalyze. func readLines(path *string) ([]string, error) { file, err := os.Open(*path) if err != nil { return nil, err } defer file.Close() var lines []string scanner := bufio.NewScanner(file) for scanner.Scan() { var line = strings.TrimSpace(scanner.Text()) if (!strings.HasPrefix(line, "#")) && (line != "") { lines = append(lines, line) } } return lines, scanner.Err() } ```